tomcat-users mailing list archives

From Bernhard Lenz <Bernh...@Lenz.name>
Subject Re: Should tomcat form login offer redirects to login page besides forward?
Date Thu, 04 Feb 2016 17:58:47 GMT
Are there any Tomcat developers in this forum that would like to pick up
the suggestion below? I'm very interested in hearing your opinion.

Sincerely
Bernie

On Wed, Jan 27, 2016 at 3:54 PM, Bernhard Lenz <Bernhard@lenz.name> wrote:

> I'm currently researching an architectural issue which I have been pondering
> for quite some time now.
>
> Tomcat is probably one of the most widely used web servers out there.
> It has some really nice built-in features to implement authentication
> and authorization using
> Form Based Authentication and the SingleSignOn valve. Also the database
> realms with configurable table and column names and hashing of passwords
> are exactly what is needed to develop state of the art web sites.
>
> In my career I've almost exclusively come across (or worked on) web sites
> which consist of multiple war modules protected by a single site wide login
> page. Examples are myprofile.war for a customer to update his information,
> and admin.war for internal users to administer the site, etc etc. All wars
> are typically protected by a single login page which matches the style of
> the web page.
>
> However it appears that (based on the Servlet Reference Implementation)
> the login page can only live within each war's servlet context and
> therefore the login page must be copied into each single war. This makes it
> kind of hard to maintain the login page, and in case the page needs to be
> modified it must be changed in multiple places (namely in each war) instead
> of just in one place.
>
> In order to adapt Tomcat better to today's web development practices I
> would like to suggest an enhancement for Tomcat to provide some kind
> of host level declaration of a login page which overrides the web.xml
> definition or takes effect if the login page is not declared inside the
> web.xmls. For this the FormAuthenticator's forwardToLoginPage method would
> need to be modified to also offer a (conditional) redirect besides just a
> forward. In my simple mind such a change shouldn't be too difficult to
> implement.
>
> I also looked at GlassFish's clone of Tomcat and saw that the GlassFish
> team did add a redirect to the forwardToLoginPage method, although it
> appears not exactly for this purpose.
>
> I'm curious to know your thoughts about this enhancement and how to best
> proceed with it?
>
> Sincerely
> Bernie
>
