> -Original Message-
> From: Michael Jennings [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 21, 2001 11:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: FORM-based authentication idea
>
>
> > The best way to think about form-based login is like this:
>
ne 21, 2001 4:48 PM
Subject: Re: FORM-based authentication idea
> On Thu, 21 Jun 2001, Craig R. McClanahan wrote:
>
> > > If the login page would be displayed all the or in
the
> > > login page will be treated by the browser as relative to
> > > /mywebapp/private, w
On Thu, 21 Jun 2001, Craig R. McClanahan wrote:
> > If the login page would be displayed all the or in the
> > login page will be treated by the browser as relative to
> > /mywebapp/private, while the login page can be somewhere else.
> >
>
> The form login page should use server-relative URL
On Thu, 21 Jun 2001 [EMAIL PROTECTED] wrote:
> On Thu, 21 Jun 2001, Michael Jennings wrote:
>
> > Okay,
> >
> > I was being stupid. I understand now, with form-based authentication when
> > you
> > request /mywebapp/private/somefile.jsp what you get back should just be
> > generated from the
On Thu, 21 Jun 2001, Michael Jennings wrote:
> Okay,
>
> I was being stupid. I understand now, with form-based authentication when
> you
> request /mywebapp/private/somefile.jsp what you get back should just be
> generated from the login page, then when you submit your credentials,
> it returns
So the redirection thing is just how it is implemented right now.
Stupid me.
-Mike
- Original Message -
From: "Michael Jennings" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 21, 2001 2:21 PM
Subject: Re: FORM-based authentication idea
> >
> It's kinda hard for them to bookmark the login page when they don't know
> the URL.
>
> Keep in mind that, as far as the browser is concerned, the URL in the
> location is still the page that was originally requested. Therefore, a
> bookmark for the login form will actually be to the real page
> On Thu, 21 Jun 2001, Michael Jennings wrote:
>
> > That's true. The point I was trying to make is that there is nothing to
> > stop an end-user from bookmarking a login page or typing it in
> > directly, even if you have no linkages to the login page in your
> > user interface.
> >
>
> It's
On Thu, 21 Jun 2001, Michael Jennings wrote:
> > Why is the button there at all? There should be zero linkages to the
> > login page from *anywhere* in your user interface.
>
> That's true. The point I was trying to make is that there is nothing to
> stop an end-user from bookmarking a login
> Why is the button there at all? There should be zero linkages to the
> login page from *anywhere* in your user interface.
That's true. The point I was trying to make is that there is nothing to
stop an end-user from bookmarking a login page or typing it in
directly, even if you have no linkag
On Thu, 21 Jun 2001, Michael Jennings wrote:
> > The best way to think about form-based login is like this:
> >
> > * The login page is (in essence) part of the container,
> > not the application. Therefore, ...
> >
> > * The login page should *never* be referenced directly by any
> > othe
> The best way to think about form-based login is like this:
>
> * The login page is (in essence) part of the container,
> not the application. Therefore, ...
>
> * The login page should *never* be referenced directly by any
> other application page, and ...
>
> * The login page should *never
Michael Jennings wrote:
>>>The alternative is to look for the presence of a session variable called
>>>"tomcat.auth.originalLocation"
>>>and set up a default from within the login page if that session variable
>>>isn't there.
>>>
>>>Any thoughts?
>>>
>>
>>Why not supply the default in a hidden fi
On Wed, 20 Jun 2001, Michael Jennings wrote:
> Hi everyone,
>
> I just wanted to bounce an idea off of everyone. In tomcat, when one
> specifies form-based
> authentication you have to tell tomcat which page is the login page. This is
> done
> via the context's web.xml file by setting the pro
> I would simply be a little bit leary of extending the web.xml file
> format beyond what the spec states, given that Tomcat is the official
> reference implementation. My feeling would be to change the internal
> behavior of the problem you point out to be handled a bit more
> elegantly, rather t
Michael Jennings wrote:
>
> If this proposed feature (default login target) was added to tomcat, then
> any JSP pages
> developed would just behave a bit nicer in this special case, they would
> still continue
> to work correctly in any spec-compliant jsp container.
I would simply be a little b
> FWIW, I guess I could see some small convenience in a target-fail and
> target-succeed context parameter. I guess I if I had multiple entry
> points into my application, such as a more complex manual authentication
> routine within a different application or something, I could also grab
> these
Christopher Cain wrote:
>
> My main objection would be that it is adding
> non-spec features, which means that any apps
> written under Tomcat would not cleanly port
> to other spec-compliant servlet containers.
This, of course, should read: Any apps written under Tomcat "to levarage
this featu
Andy Armstrong wrote:
>
> Michael Jennings wrote:
>
> > Hi everyone,
> >
> > I just wanted to bounce an idea off of everyone. In tomcat, when one
> > specifies form-based
> > authentication you have to tell tomcat which page is the login page. This is
> > done
> > via the context's web.xml file
> > The alternative is to look for the presence of a session variable called
> > "tomcat.auth.originalLocation"
> > and set up a default from within the login page if that session variable
> > isn't there.
> >
> > Any thoughts?
>
>
> Why not supply the default in a hidden field on the login page?
Michael Jennings wrote:
> Hi everyone,
>
> I just wanted to bounce an idea off of everyone. In tomcat, when one
> specifies form-based
> authentication you have to tell tomcat which page is the login page. This is
> done
> via the context's web.xml file by setting the property
> under the
> se
Hi everyone,
I just wanted to bounce an idea off of everyone. In tomcat, when one
specifies form-based
authentication you have to tell tomcat which page is the login page. This is
done
via the context's web.xml file by setting the property
under the
section. When a user hits a protected URL in
22 matches
Mail list logo
