Hi,

lately I was complaining about form-based login not working without using cookies. Craig's solution was right (response.encodeURL("j_security_check")). Now all is working so far - except that all the images and other resources (stylesheets etc.) are not loaded (and the site does look really weird now :-)

This is because the pattern matching (<url-pattern>) does not allow things like '/admin/*.jsp' but only '/admin/*'. Using the first pattern would result in protecting nothing. The second one protects EVERYTHING (even images, stylesheets etc.).

I read the Servlet Specification (section 11.2.1) and found that path-*AND*-extension pattern matching is neither required nor allowed. After that I looked into the source and found that it has been implemented like that (SecurityConstraint.matchPattern).

What could be done now? Encoding all image resources would be a strange solution and other matching is not allowed. So I think form-based login is only a "play around" authentication method, because it does not work in the real world even if there were more matching capabilities, because then there would be less security (if matching for /admin/*.jsp was allowed, all images would be unprotected...).

Now I switched to BASIC authentication, because it's only the admin stuff I want to protect. But if I had to protect end-user sites I would never use BASIC, because it is a strange thing for most inet-newbies... (and website designers would never agree with that :-)

Did I get the point, or is there something I did not see? Still, I would like to use form-based login for the next projects...

pero
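As an added illustration (not code from the post, and not Tomcat's SecurityConstraint.matchPattern), here is a small Python model of the servlet <url-pattern> rules the post runs into (path-prefix, extension, default, exact). The sample request paths are constructed; it shows why '/admin/*' also covers the admin images and stylesheets while '/admin/*.jsp' covers nothing:

```python
# Added example: servlet-style <url-pattern> matching as described in the
# post (path-prefix '/x/*', extension '*.ext', default '/', otherwise exact).
# This only models the rules; it is not Tomcat's own implementation.

def pattern_matches(pattern: str, path: str) -> bool:
    """True if a single <url-pattern> applies to the request path."""
    if pattern == "/":                        # default mapping: everything
        return True
    if pattern.endswith("/*"):                # path-prefix mapping, e.g. /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):              # extension mapping, e.g. *.jsp
        slash = path.rfind("/")
        period = path.rfind(".")
        return period > slash and path.endswith(pattern[1:])
    # Anything else, including '/admin/*.jsp', is treated as an exact match
    # against the literal request path, so it effectively matches nothing.
    return pattern == path


def protected_by(patterns, paths):
    """Return the request paths covered by at least one of the patterns."""
    return [p for p in paths if any(pattern_matches(pat, p) for pat in patterns)]


# Constructed sample requests: an admin area plus its static resources
ADMIN_REQUESTS = [
    "/admin/index.jsp",
    "/admin/users.jsp",
    "/admin/images/logo.gif",
    "/admin/style.css",
    "/public/index.jsp",
]

if __name__ == "__main__":
    for pats in (["/admin/*"], ["/admin/*.jsp"], ["*.jsp"]):
        print(pats, "->", protected_by(pats, ADMIN_REQUESTS))
```

The practical consequence is that static resources which must stay public need to live outside the protected prefix (for example under /images/ rather than /admin/images/), since a constraint cannot be narrowed to a path-and-extension combination.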
