-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pid,
Pid wrote: > There's a couple of things that may be confusing the config below, which > have some simple corrections. > > I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where > they are protected from unwanted attention by default - this avoids the > need to protect them with a security-contstraint. Agreed. I've found that when using Tomcat to serve static content, these things tend to happen. The reason is that Tomcat saves the first unauthorized request and then repeats it after successful authentication. If the last request was for something like a CSS file (say, because the CSS file was protected, but the main page wasn't), then you'll end up being served the CSS file after login. It can be very disorienting. > Tomcat returns the *first* file you requested inside the secured area > after authentication is completed. So for some reason your browser is > requesting a script or CSS file before the JSP page. For some reason, I thought it was the most recent request it saved. First makes more sense; thanks for mentioning it. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAklvbiIACgkQ9CaO5/Lv0PBdKQCgqKaDVR9sarPRcpT2aPPFzGDB uVUAn0mqIjX9MPIGGMtIFQPQ8grFyA5z =DsGP -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
