"Craig R. McClanahan" wrote:
>
> On Fri, 11 May 2001, JULIEN,TIMOTHY (HP-NewJersey,ex2) wrote:
>
> > After a successful FORM login, how does Tomcat restore the original request?
> > If it uses the forward mechanism, how does it force the browser to use the
> > URL of the original request, and not */j_security_check?
>
> Details depend on the Tomcat version. For 4.0, the original request is
> saved (inside the session) and, after authentication is completed, an
> effective "forward" is done to the page that was originally requested.
>
> You are correct that this can confuse the browser's resolution of relative
> paths. However, I don't know how else you can implement the semantics
> required by the spec -- in particular, if the request that triggered
> authentication was a POST, the post data will be lost if you do a
> redirect. I'm open to suggestions on implementation approaches.

Our content management system (done over a year ago using an early
Tomcat version) required a more robust authentication/authorization
system than was then available. We subclassed HttpServlet, did the
forward from this wrapper when authentication was required, and the form
login was posted back to the originally requested URL (where the
authorization info was intercepted by the wrapper). It works pretty
well for us.

Just another implementation possibility.

Paul Anguiano
Seattle Public Schools
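
A sketch of the wrapper pattern described in the message above, as an added example that is not part of the original post and not the poster's code. The class name, session key, form field names and `/login.jsp` path are assumptions, and the servlet is assumed not to be mapped over the login page itself.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical base class: every name below is an assumption made for illustration.
public abstract class AuthenticatingServlet extends HttpServlet {
    private static final String USER_ATTR = "auth.user";   // assumed session key
    // Assumed login form. Its <form method="post"> has no action attribute, so the
    // browser posts to the URL in its address bar, which is the original request URL.
    private static final String LOGIN_PAGE = "/login.jsp";

    /** Verify credentials against the application's user store. */
    protected abstract boolean authenticate(String user, String password);

    /** Application logic, reached only by authenticated requests. */
    protected abstract void handle(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException;

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            handle(req, resp);                              // already logged in
            return;
        }
        String user = req.getParameter("login_user");      // assumed field names
        String password = req.getParameter("login_password");
        boolean loginPost = "POST".equals(req.getMethod())
                && user != null && password != null;
        if (loginPost && authenticate(user, password)) {
            // Discard the pre-login session so its id cannot be reused (session fixation).
            if (session != null) session.invalidate();
            req.getSession(true).setAttribute(USER_ATTR, user);
            handle(req, resp);                              // same URL, no redirect needed
            return;
        }
        // Not authenticated: forward rather than redirect, so the browser keeps
        // showing the originally requested URL while the login form is displayed.
        resp.setHeader("Cache-Control", "no-store");
        if (loginPost) req.setAttribute("loginError", Boolean.TRUE);
        req.getRequestDispatcher(LOGIN_PAGE).forward(req, resp);
    }
}
```

In this sketch `handle()` receives the login POST itself, so it sees the credential fields and a POST method even when the first request was a GET, and the body of an original POST is not replayed.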