Hi, didn't get a response to this question on tomcat-user
so I'll give it a try here.

In the Tomcat 4b2 implementation of form-based authentication,
the redirection from a request for a protected resource to the
login page and then from the login page submission back to the
protected resource are done internally in the valve.  This makes
the browser think it is receiving a response to a request other
than the one that was actually served, and interferes with the
browser fetching other resources referred to by the served resource,
such as images or stylesheets, that may use relative URLs.

How is one supposed to deal with this issue?  It seems like it 
might be reasonable to require that one only use absolute URLs
in links from the login page, but not for any arbitrary protected
resource.

   Thanks - Mark
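
The base-URL mismatch described in the message above, as an added example that is not part of the original post and not Tomcat code: it resolves a served page's references against both the URL the browser requested and the URL of the resource actually served, and lists the ones that end up pointing somewhere else. The host, paths and function names are constructed for illustration.

```javascript
// Added illustration: how a browser resolves relative references when the
// server forwards internally and the address-bar URL never changes.
// All URLs and paths below are constructed sample values.

// Resolve each reference against the URL the browser requested and against
// the URL of the resource that was actually served; report mismatches.
function findMisresolved(requestedUrl, servedUrl, refs) {
  const broken = [];
  for (const ref of refs) {
    const seenByBrowser = new URL(ref, requestedUrl).href;
    const intended = new URL(ref, servedUrl).href;
    if (seenByBrowser !== intended) {
      broken.push({ ref, seenByBrowser, intended });
    }
  }
  return broken;
}

// Rewrite a reference to a server-absolute path, which resolves the same
// way regardless of which URL the browser believes it requested.
function toAbsolutePath(ref, servedUrl) {
  const u = new URL(ref, servedUrl);
  return u.pathname + u.search + u.hash;
}

// Case from the post: the browser asked for a protected page, but the
// login page was served in its place without an HTTP redirect.
const requested = "http://localhost:8080/app/protected/reports/index.jsp";
const served = "http://localhost:8080/app/login/login.jsp";
const refs = ["style.css", "images/logo.gif", "/app/common/site.css", "../help.html"];

for (const b of findMisresolved(requested, served, refs)) {
  console.log(`${b.ref}: browser fetches ${b.seenByBrowser}, page meant ${b.intended}`);
}
console.log(refs.map((r) => toAbsolutePath(r, served)));
```

The same check applies in the other direction by swapping the two URLs: the protected resource served in response to the login form submission.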

