Java authentication with Tomcat relies on realms. If you access a page
protected by that realm you get directed to the login page.
However, it is possible to go directly to the login page (this can happen
when users bookmark the login page inadvertently).
This happens in two scenarios:
1) The user is already logged in.
2) The user is not logged in.
If you authenticate yourself once you have gone directly to the login
page, you get an "invalid direct reference" error. Fair enough, the login
page is trying to redirect to itself. Now, I tried to work around this by
checking if the session is null, and if it is, redirecting to some
protected page, e.g. protected/index.jsp. No luck. It seems that a session
is implicitly created, and a new session id gets created.
So I've tried a cookie strategy:
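<%
    // No cookies at all: the login page was requested directly, so send the
    // browser to a protected page and let the container start the login.
    if ( request.getCookies()==null ) {
        response.sendRedirect("/xxxx/jsp/protected/index.jsp");
        return; // stop here; a second sendRedirect would throw IllegalStateException
    }
    // Already authenticated: nothing to log in to, go to the index page.
    if ( request.getRemoteUser()!=null )
    {
        response.sendRedirect("/xxxxx/jsp/protected/index.jsp");
        return;
    }
%>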
i.e., we won't have a cookie if we've gone directly to the login page. But
we will have one if we've tried to access a protected page and then been
forwarded to a login page, since Tomcat will give us a cookie.
Now if we're already logged in (which we check with getRemoteUser()),
then we just forward the user to an index page.
This seems o.k. However, my index page actually includes my login page! I'm
planning to get around this with some logic that only includes the login
page excerpt if we are not logged in...
Ben
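
An added example, not part of the original post: a servlet filter that makes the same two checks without relying on cookies, which a browser may already hold for unrelated reasons. It assumes a Servlet 2.4+ container that reaches the login page by a server-side forward (as current Tomcat versions do) and that the filter is mapped to the login page for both the REQUEST and FORWARD dispatcher types; the class name and `PROTECTED_HOME` path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical guard for the form-login page (illustration only).
public class DirectLoginGuardFilter implements Filter {

    // Assumed context-relative landing page inside the protected area.
    private static final String PROTECTED_HOME = "/jsp/protected/index.jsp";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The Servlet spec sets this attribute on a forwarded request; it is
        // absent when the browser asked for the login page URL itself.
        boolean forwarded =
                request.getAttribute("javax.servlet.forward.request_uri") != null;
        boolean loggedIn = request.getRemoteUser() != null;

        if (loggedIn || !forwarded) {
            // Fixed, server-chosen target: nothing from the request is used,
            // so the redirect cannot be steered to another site.
            String target = request.getContextPath() + PROTECTED_HOME;
            response.sendRedirect(response.encodeRedirectURL(target));
            return; // do not render the login form
        }

        // Container-initiated login for a protected resource: show the form.
        chain.doFilter(req, res);
    }
}
```

Because the filter is not mapped for the INCLUDE dispatcher type, an index page that includes the login excerpt is unaffected by it.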