Christopher Schultz wrote:
> Mark,
>
> Mark Thomas wrote:
> | If you go directly to the login page Tomcat can't tell the difference
> | between that situation and when you go to a protected page, are
> | redirected to the login page and then take so long to log in the session
> | times out (the page you need to be sent back to is stored in the
> | session). The error message assumes that the session has timed out.
>
> Okay, so the Tomcat response is (expectedly) consistent. Thanks for
> stepping in.
>
> Just out of curiosity, why does Tomcat not support drive-by logins? Is
> it merely because the spec leaves the behavior in that case ambiguous
> (there's no obvious target page to go to)?

Essentially, yes. Also, there is no spec-compliant way to define where to
go if login is successful. If this was added then, to be consistent, the
default target page would probably need to be defined in the Form Auth
valve in a context.xml.

> Many of securityfilter's
> users use it merely because it allows drive-by logins. We're happy to
> have them (!), but this seems like a reasonable feature to have in the
> core of Tomcat.

Given there is a demand for this, adding it as an option to the Form Auth
valve seems reasonable to me. As ever, patches are always welcome on
Bugzilla, and this looks like a simple one, although care will need to be
taken on the error handling.

Mark