Hi everyone,

I just wanted to bounce an idea off of everyone. In tomcat, when one specifies form-based authentication you have to tell tomcat which page is the login page. This is done via the context's web.xml file by setting the <form-login-page> property under the <login-config> section. When a user hits a protected URL in a context, if they are not already authenticated, the original request page is saved in their session, then they are redirected to the login page; if the login succeeds, they are redirected to their original request page.
A problem happens, however, when a user requests JUST the login page. After logging in, there is nowhere to redirect the user to since there is no original request saved in the session.

What if there was a concept of a "default login target"? so that when a user requests just the designated login page, if they are already authenticated, they get redirected to the "default login target" page. Similarly, if a user requests the login page but they are not authenticated, upon logging in they would get redirected to the "default login target".

I realize that this is probably not in the JSP spec, but something like this seems to be necessary. The alternative is to look for the presence of a session variable called "tomcat.auth.originalLocation" and set up a default from within the login page if that session variable isn't there.

Any thoughts?

-Mike
______________________
Mike Jennings
Southgate  Software Ltd.
250-382-6851 (ph)
250-382-6800 (fax)
[EMAIL PROTECTED]
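
The session-variable alternative from the message above, combined with the proposed "default login target", as an added example that is not part of the original message or of Tomcat's code. A `Map` stands in for the user's session attributes; `DEFAULT_TARGET`, `onLoginPageRequest` and the sample paths are hypothetical, and only the attribute name comes from the message.

```java
import java.util.HashMap;
import java.util.Map;

public class DefaultLoginTarget {
    // Session attribute name quoted in the message above.
    static final String ORIGINAL_LOCATION = "tomcat.auth.originalLocation";
    // Hypothetical default target: a fixed, server-side value, never read from the request.
    static final String DEFAULT_TARGET = "/home.jsp";

    /**
     * Decide what the login page does when it is requested.
     * Returns a path to redirect to, or null to render the login form.
     * The Map stands in for the attributes of the user's session (assumption).
     */
    static String onLoginPageRequest(boolean authenticated, Map<String, Object> session) {
        if (authenticated) {
            // Already logged in: send the user on instead of showing the form again.
            return DEFAULT_TARGET;
        }
        Object saved = session.get(ORIGINAL_LOCATION);
        boolean missing = !(saved instanceof String) || ((String) saved).isEmpty();
        if (missing) {
            // Direct hit on the login page: seed the default so the
            // post-login redirect has somewhere to go.
            session.put(ORIGINAL_LOCATION, DEFAULT_TARGET);
        }
        // A saved original request, when present, is left untouched.
        return null;
    }

    public static void main(String[] args) {
        // Constructed sessions: a direct hit on the login page, and a user
        // bounced to the login page from a protected URL.
        Map<String, Object> direct = new HashMap<>();
        Map<String, Object> bounced = new HashMap<>();
        bounced.put(ORIGINAL_LOCATION, "/reports/q3.jsp");

        System.out.println("authenticated   -> " + onLoginPageRequest(true, new HashMap<>()));
        System.out.println("direct, anon    -> " + onLoginPageRequest(false, direct)
                + ", saved=" + direct.get(ORIGINAL_LOCATION));
        System.out.println("bounced, anon   -> " + onLoginPageRequest(false, bounced)
                + ", saved=" + bounced.get(ORIGINAL_LOCATION));
    }
}
```

Keeping the default as a server-side constant means the post-login destination is never influenced by request input.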
