I'm currently researching an architectural issue which I have been pondering
for quite some time now.

Tomcat is probably one of the most widely used web servers out there.
It has some really nice built-in features to implement authentication
and authorization using
Form Based Authentication and the SingleSignOn valve. Also the database
realms with configurable table and column names and hashing of passwords
are exactly what is needed to develop state of the art web sites.

In my career I've almost exclusively come across (or worked on) web sites
which consist of multiple war modules protected by a single site wide login
page. Examples are myprofile.war for a customer to update his information,
admin.war for internal users to administer the site, and so on. All wars
are typically protected by a single login page which matches the style of
the web page.

However it appears that (based on the Servlet Reference Implementation) the
login page can only live within each war's servlet context and therefore
the login page must be copied into each single war. This makes it kind of
hard to maintain the login page, and in case the page needs to be
modified it must be changed in multiple places (namely in each war) instead
of just in one place.

In order to adapt Tomcat better to today's web development practices I
would like to suggest an enhancement for Tomcat to provide some kind
of host level declaration of a login page which overrides the web.xml
definition or takes effect if the login page is not declared inside the
web.xml files. For this the FormAuthenticator's forwardToLoginPage method would
need to be modified to also offer a (conditional) redirect besides just a
forward. In my simple mind such a change shouldn't be too difficult to
implement.

I also looked at glassfish's clone of Tomcat and saw that the glassfish
team did add a redirect to the forwardToLoginPage method, although it
appears not exactly for this purpose.

I'm curious to know your thoughts about this enhancement and how best to
proceed with it.

Sincerely
Bernie
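The redirect-instead-of-forward idea sketched in the message above, as an added illustration that is neither Tomcat's code nor part of the original post. It assumes the Tomcat 6/7 signature of FormAuthenticator.forwardToLoginPage (org.apache.catalina.deploy.LoginConfig; in Tomcat 8 and later the LoginConfig class lives in org.apache.tomcat.util.descriptor.web), and the class name, the hostLoginPage attribute and the ctx query parameter are hypothetical names chosen for the example.

```java
package example;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;

/**
 * Hypothetical authenticator valve: when a host-wide login page is configured it
 * redirects there, otherwise it falls back to Tomcat's per-context forward.
 *
 * Wired into a context (or the host's default context.xml) as:
 *   <Valve className="example.HostLoginFormAuthenticator"
 *          hostLoginPage="/login/login.jsp"/>
 * Tomcat sets the attribute through the setter below.
 */
public class HostLoginFormAuthenticator extends FormAuthenticator {

    private String hostLoginPage;

    public String getHostLoginPage() {
        return hostLoginPage;
    }

    public void setHostLoginPage(String hostLoginPage) {
        this.hostLoginPage = hostLoginPage;
    }

    @Override
    protected void forwardToLoginPage(Request request,
                                      HttpServletResponse response,
                                      LoginConfig config) throws IOException {
        if (hostLoginPage == null || hostLoginPage.isEmpty()) {
            // Default behaviour: forward to the login page declared in this war's web.xml.
            super.forwardToLoginPage(request, response, config);
            return;
        }
        // The shared form must still POST to j_security_check inside the context that
        // issued the challenge, so the context path is handed to the login page. Only the
        // server-known context path is passed, never a caller-supplied URL, so the
        // redirect target cannot be steered by the client.
        String target = hostLoginPage + "?ctx="
                + URLEncoder.encode(request.getContextPath(), "UTF-8");
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

Two things to check before relying on such a valve: the host-level login page must itself be unprotected (a protected page would loop), and the form it renders must build its action from the ctx value as ctx + "/j_security_check" so that the credentials return to the context whose session holds the saved request; the login page should treat ctx as untrusted input and only accept a path-shaped value.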
