List-Id: "Tomcat Developers List"
Date: Wed, 14 May 2003 18:05:17 -0600
From: "Jeff Tulley"
Subject: [Patch] Forwards in FormAuthentication

Remy, is the attached patch what you had in mind? I really like how this works, and it has the plus of preserving your form parameters into the login page, so that the login form can choose to use those parameters if it likes. Still, it would be best to automatically pick up and use those form parameters (the known ones, j_username and j_password). That will be sent as a separate patch.

With regard to this patch and suitability for commit to Tomcat 4 (read: backwards compatibility), I have a question: Can the user specify a form-login-page outside of the web application's context? If not, then the only potential problem with the patch is if an app developer was using a static HTML page for login. Now Tomcat will be serving up the static content, instead of the redirect causing the browser to request another page that might have been served by a web server. Mostly this will work, but there may be slightly different rules for serving static content between the two. For instance, does Tomcat work with internationalized files the same as the Apache web server - i.e. looking for login.html.de, or login.html.es, when a request comes in for login.html? Certainly such pages can be rewritten to handle i18n issues, but it is a potential backwards-compatibility issue. How important is this type of issue?

Notice that I left the redirect to the actual URL after proper authentication intact. That seems to be the best way to do it. Only the error page and login pages do a forward.

Jeff Tulley (jtulley@novell.com)
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> remm@apache.org 5/12/03 1:21:14 PM >>>
Jeff Tulley wrote:
> Actually, I forgot to consider the basic authentication case with that
> patch. It seems easy enough with the second half of my fix, I just send
> the same old error message if there is no error page defined. That
> seems to work. But, my code:
>
> Session session = getSession(hrequest);
> session.setPrincipal(null);
>
> seems to hang the basic authentication process. Does anybody know of a
> better way to clear out the user credentials/principal that would work
> with both types of authentication? I'll keep researching it and
> hopefully submit a better patch soon.

I was about to post an objection about the difference in behavior with BASIC. If it can be made to be consistent between auth methods, I would be ok to consider making the change to Tomcat 5. Other improvements could be considered for FORM auth (and make it behave exactly like BASIC from the user perspective, which is the goal, using forwards instead of redirects).

Remy

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

Content-Disposition: attachment; filename="FormAuthenticator.txt"

Index: FormAuthenticator.java =================================================================== RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java,v retrieving revision 1.20 diff -u -r1.20 FormAuthenticator.java --- FormAuthenticator.java 14 Mar 2002 20:58:24 -0000 1.20 +++ FormAuthenticator.java 14 May 2003 23:48:13 -0000 
@@ -71,6 +71,9 @@ import java.util.Iterator; import java.util.Locale; import java.util.Map; + +import javax.servlet.RequestDispatcher; +import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -248,8 +251,17 @@ log("Save request in session '" + session.getId() + "'"); saveRequest(request, session); if (debug >= 1) - log("Redirect to login page '" + loginURI + "'"); - hres.sendRedirect(hres.encodeRedirectURL(loginURI)); + log("Forward to login page '" + loginURI + "'"); + + RequestDispatcher disp = + context.getServletContext().getRequestDispatcher(config.getLoginPage()); + try + { + disp.forward(hreq, hres); + } catch (ServletException e) + { + hres.sendRedirect(hres.encodeRedirectURL(loginURI)); + } return (false); } @@ -263,8 +275,16 @@ principal = realm.authenticate(username, password); if (principal == null) { if (debug >= 1) - log("Redirect to error page '" + errorURI + "'"); - hres.sendRedirect(hres.encodeRedirectURL(errorURI)); + log("Forward to error page '" + errorURI + "'"); + RequestDispatcher disp = + context.getServletContext().getRequestDispatcher(config.getErrorPage()); + try + { + disp.forward(hreq, hres); + } catch (ServletException e) + { + hres.sendRedirect(hres.encodeRedirectURL(errorURI)); + } return (false); }
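
Review bot: In the @@ -248,8 +251,17 @@ hunk, the result of getRequestDispatcher(config.getLoginPage()) is used without a null check. ServletContext.getRequestDispatcher returns null when it cannot provide a dispatcher for the path, so disp.forward(hreq, hres) would throw a NullPointerException and never reach the redirect fallback; test disp == null and call hres.sendRedirect(hres.encodeRedirectURL(loginURI)) in that case. The catch (ServletException e) block also discards the exception and then calls sendRedirect, which throws IllegalStateException if the login page had already committed the response before failing; log e and redirect only when !hres.isCommitted(). The debug message prints loginURI while the dispatch uses config.getLoginPage(), so the log should name the path that is actually forwarded to.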
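
Review bot: In the @@ -263,8 +275,16 @@ hunk, disp.forward(hreq, hres) hands the error page the same request that was just checked by realm.authenticate(username, password), so the rejected credentials remain available to the error page as request parameters, whereas the removed sendRedirect had the browser fetch the error page with a fresh request. If that is intended, state it in a comment next to the forward so error-page authors know not to echo request parameters; otherwise keep the redirect for the failed-login case. The dispatcher lookup and try/catch duplicate the login-page block, including the missing null check on disp, so a private helper taking the page path and the fallback URI would keep the two paths consistent.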