On Wed, 20 Jun 2001, Michael Jennings wrote:

> Hi everyone,
> 
> I just wanted to bounce an idea off of everyone. In tomcat, when one
> specifies form-based authentication you have to tell tomcat which page
> is the login page. This is done via the context's web.xml file by
> setting the <form-login-page> property under the <login-config>
> section. When a user hits a protected URL in a context, if they are
> not already authenticated, the original request page is saved in their
> session, then they are redirected to the login page; if the login
> succeeds, they are redirected to their original request page.
> A problem happens however, when a user requests JUST the login page.
> After logging in, there is nowhere to redirect the user to since there
> is no original request saved in the session.
> 
> What if there was a concept of a "default login target"? So that when
> a user requests just the designated login page, if they are already
> authenticated, they get redirected to the "default login target" page.
> Similarly, if a user requests the login page but they are not
> authenticated, upon logging in they would get redirected to the
> "default login target".
> 
> I realize that this is probably not in the JSP spec, but something
> like this seems to be necessary. The alternative is to look for the
> presence of a session variable called "tomcat.auth.originalLocation"
> and set up a default from within the login page if that session
> variable isn't there.
> 

The best way to think about form-based login is like this:

* The login page is (in essence) part of the container,
  not the application.  Therefore, ...

* The login page should *never* be referenced directly by any
  other application page, and ...

* The login page should *never* be requested directly by the
  user.

Using form-based login pages in any other manner is just going to cause
you grief, unless and until the servlet spec were changed to mandate a
behavior like what you propose.

NOTE:  A primary reason that form-based login was designed the way it is
was to emulate the user experience of how BASIC login works.  With BASIC,
you never reference the login page directly, right?  It just pops up
whenever you try to access a protected resource for the first time --
then, you are transparently returned to the resource you originally
requested.  Using form-based login lets you manage the look-and-feel of
the login page, but it should *not* be part of your application's normal
flow.

> Any thoughts?
> 
> -Mike

Craig McClanahan

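As an added illustration (not part of the thread, and not Tomcat's own configuration), here is a minimal web.xml that sets up form-based login the way Craig describes, so that the login page is only ever reached through the container's redirect from a protected resource, followed by the form the login page has to contain. The URL pattern /secure/*, the page names /login.jsp and /login-error.jsp, and the role name "user" are assumptions for the example; the element names, the j_security_check action and the j_username/j_password field names are those defined by the Servlet specification.

```xml
<!-- WEB-INF/web.xml (added example; paths and role name are assumptions) -->
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Only URLs under /secure/ are protected. The login page and the
       error page must NOT fall under a constraint: the container needs to
       serve them to an unauthenticated user, and protecting them would
       make the container redirect to the login page in order to show the
       login page. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM authentication: on the first request for a protected URL the
       container saves that request, sends the user to form-login-page,
       and on success replays the saved request. form-error-page is shown
       when the submitted credentials are rejected. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>

<!-- login.jsp (the part that matters): the form posts j_username and
     j_password to the container-defined action j_security_check,
     relative to the login page's own URL. Nothing in the application
     links to this page; the container alone decides when it is shown. -->
<form method="POST" action="j_security_check">
  Username: <input type="text" name="j_username"/>
  Password: <input type="password" name="j_password"/>
  <input type="submit" value="Log in"/>
</form>
```

With this layout, every request for /secure/... from an unauthenticated browser produces the login form, and a successful login lands the user back on the URL they asked for, which is the BASIC-like experience Craig describes. The situation in the original question only arises when /login.jsp is typed in or linked to directly: then the POST to j_security_check has no saved request behind it, and the specification defines no destination for that case, so the only robust fix is to keep the login page out of the application's own navigation.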