tomcat-users mailing list archives

From Bernhard Lenz <>
Subject Re: Should tomcat form login offer redirects to login page besides forward?
Date Thu, 04 Feb 2016 17:58:47 GMT
Are there any Tomcat developers in this forum that would like to pick up
the suggestion below? I'm very interested in hearing your opinion.


On Wed, Jan 27, 2016 at 3:54 PM, Bernhard Lenz <> wrote:

> I'm currently researching an architectural issue which I have been pondering
> for quite some time now.
> Tomcat is probably one of the most widely used web servers out there.
> It has some really nice built-in features to implement authentication
> and authorization using Form Based Authentication and the SingleSignOn valve.
> Also the database
> realms with configurable table and column names and hashing of passwords
> are exactly what is needed to develop state of the art web sites.
> In my career I've almost exclusively come across (or worked on) web sites
> which consist of multiple war modules protected by a single site wide login
> page. Examples are myprofile.war for a customer to update his information,
> and admin.war for internal users to administer the site, etc etc. All wars
> are typically protected by a single login page which matches the style of
> the web page.
> However it appears that (based on the Servlet Reference Implementation)
> the login page can only live within each war's servlet context and
> therefore the login page must be copied into each single war. This makes it
> kind of hard to maintain the login page, and in case the page needs to be
> modified it must be changed in multiple places (namely in each war) instead
> of just in one place.
> In order to adapt Tomcat better to today's web development practices I
> would like to suggest an enhancement for Tomcat to provide some kind
> of host level declaration of a login page which overrides the web.xml
> definition or takes effect if the login page is not declared inside the
> web.xmls. For this the FormAuthenticator's forwardToLoginPage method would
> need to be modified to also offer a (conditional) redirect besides just a
> forward. In my simple mind such a change shouldn't be too difficult to
> implement.
> I also looked at GlassFish's clone of Tomcat and saw that the GlassFish
> team did add a redirect to the forwardToLoginPage method, although it
> appears not exactly for this purpose.
> I'm curious to know your thoughts about this enhancement and how to best
> proceed with it?
> Sincerely
> Bernie
