On Fri, 11 May 2001, JULIEN,TIMOTHY (HP-NewJersey,ex2) wrote:
> After a successful FORM login, how does Tomcat restore the original request?
> If it uses the forward mechanism, how does it force the browser to use the
> URL of the original request, and not */j_security_check?
>
> Tim Julien
> HP Middleware
>
Details depend on the Tomcat version. For 4.0, the original request is
saved (inside the session) and, after authentication is completed, an
effective "forward" is done to the page that was originally requested.
You are correct that this can confuse the browser's resolution of relative
paths. However, I don't know how else you can implement the semantics
required by the spec -- in particular, if the request that triggered
authentication was a POST, the post data will be lost if you do a
redirect. I'm open to suggestions on implementation approaches.
Craig
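
The trade-off described in the reply above, as an added example that is not part of the original message and is not Tomcat's code: a toy container saves the request that triggered authentication in the session, then resumes it after `j_security_check` either by a server-side forward or by a redirect. The class, function names, paths, host and credentials are all constructed for illustration.

```python
from urllib.parse import urljoin

class Container:
    """Toy model of FORM login (hypothetical names, not Tomcat's code)."""

    def __init__(self, users, strategy):
        self.users, self.strategy = users, strategy
        self.sessions = {}  # session id -> per-session state

    def handle(self, sid, method, path, params=None):
        session, params = self.sessions.setdefault(sid, {}), dict(params or {})
        if path.endswith("/j_security_check"):
            return self._check(session, path, params)
        if "user" not in session:
            # Keep the triggering request server-side, then show the form.
            session["saved"] = (method, path, params)
            return {"status": 200, "browser_url": path, "body": "login form"}
        return self._serve(method, path, params, browser_url=path)

    def _check(self, session, path, params):
        user = params.get("j_username")
        if user not in self.users or self.users[user] != params.get("j_password"):
            return {"status": 200, "browser_url": path, "body": "login error"}
        session["user"] = user
        saved = session.pop("saved", None)  # consume once so it cannot be replayed
        if saved is None:
            return {"status": 400, "browser_url": path, "body": "no saved request"}
        method, orig_path, orig_params = saved
        if self.strategy == "forward":
            # Replay server-side: the browser still shows .../j_security_check.
            return self._serve(method, orig_path, orig_params, browser_url=path)
        return {"status": 302, "location": orig_path}  # redirect carries a URL only

    def _serve(self, method, path, params, browser_url):
        return {"status": 200, "browser_url": browser_url, "served": path,
                "method": method, "params": params}

def login_and_resume(strategy):
    c = Container({"tim": "constructed-password"}, strategy)
    c.handle("s1", "POST", "/app/reports/save", {"title": "Q2"})  # unauthenticated
    r = c.handle("s1", "POST", "/app/j_security_check",
                 {"j_username": "tim", "j_password": "constructed-password"})
    if r["status"] == 302:  # browser follows with a body-less GET
        r = c.handle("s1", "GET", r["location"])
    return r

def resolve(resp, relative):
    # How the browser resolves a relative link against the URL it displays.
    return urljoin("http://example.test" + resp["browser_url"], relative)
```

With `"forward"` the saved POST and its data reach the original page, but a relative link such as `style.css` resolves against `/app/j_security_check`; with `"redirect"` the URL is right and the POST data is gone.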