Michael Jennings wrote:
> Hi everyone,
>
> I just wanted to bounce an idea off of everyone. In tomcat, when one
> specifies form-based
> authentication you have to tell tomcat which page is the login page. This is
> done
> via the context's web.xml file by setting the <form-login-page> property
> under the <login-config>
> section. When a user hits a protected URL in a context, if they are not
> already authenticated, the original
> request page is saved in their session, then they are redirected to the
> login page, if the login
> succeeds, they are redirected to their original request page.
> A problem happens however, when a user requests JUST the login page. After
> logging in,
> there is nowhere to redirect the user to since their is no original request
> saved in the session.
>
> What if there was a concept of a "default login target"? so that when a user
> requests just the
> designated login page, if they are already authenticated, they get
> redirected to the "default login target"
> page. Similarly, if a user requests the login page but they are not
> authenticated, upon logging in they
> would get redirected to the "default login target".
>
> I realize that this is probably not in the JSP spec, but something like this
> seems to be necessary.
> The alternative is to look for the presence of a session variable called
> "tomcat.auth.originalLocation"
> and set up a default from within the login page if that session variable
> isn't there.
>
> Any thoughts?
Why not supply the default in a hidden field on the login page?
--
Andy Armstrong, Tagish
