All I can guess is that your /Login.jsp contains a redirect to "/", which 
will then show your welcome file, if you have one declared.

What happens if you remove the security constraint and THEN request 
/Login.jsp?  If you STILL get the welcome page, then security clearly isn't 
the problem.

Nick

At 01:34 PM 2/1/01 -0800, you wrote:
>I agree that is the correct sequence, but that is not what I get. Assume I 
>have a welcome file defined called welcome.jsp.
>
>The sequence of events is:
>
>- User requests secured page /Login.jsp
>- User is redirected to LoginForm.jsp
>- User enters correct credentials
>- User is logged in
>- User is displayed the contents of welcome.jsp.
>
>OR:
>
>- User requests secured page /Login.jsp
>- User is redirected to LoginForm.jsp
>- User enters INCORRECT credentials
>- User is NOT logged in
>- User is STILL displayed the contents of welcome.jsp.
>
>I also had the case where I didn't have a welcome file defined, but had 
>directory browsing enabled, and I get the directory contents after doing 
>the above sequences. This doesn't seem right to me, but I can't figure out 
>what is wrong.
>
>What can cause this?
>
>Gerald.
>
>
>At 09:30 AM 2/1/2001 -0700, you wrote:
>>The sequence of events is:
>>  - The user requests a secured page (/Login.jsp, in your case).
>>  - The server intercepts the request and redirects to the form-based 
>> login page (LoginForm.jsp)
>>  - If the user logs in successfully, the server allows the original 
>> request to proceed (ie. Login.jsp is displayed).
>>
>>So if by "the welcome page" you mean the Login.jsp page, then that is as 
>>expected.  If you see something else, then this could possibly be the 
>>result of something you do on that page (such as redirection).
>>
>>Nick
>>
>>At 10:19 PM 1/31/01 -0800, you wrote:
>>
>>>I've searched the mailing list, but there doesn't seem to be information 
>>>on this. I'm a little desperate now.
>>>
>>>I'm using a form-based login for my web application. When a user hits 
>>>Login.jsp, s/he must log in. I have the LoginForm.jsp and LoginError.jsp 
>>>files in / of my context root. This redirection to the LoginForm.jsp 
>>>does occur, but regardless of whether the user logged in successfully or 
>>>not, he is dumped back to the welcome page. The actual logging in is 
>>>successful, i.e. if he provided the correct credentials, he's logged in, 
>>>but still dumped back to the welcome page.
>>>
>>>Here is the relevant portion of my web.xml:
>>>
>>>     <security-constraint>
>>>         <web-resource-collection>
>>>             <web-resource-name>LoginTrigger</web-resource-name>
>>>             <description>LoginTrigger</description>
>>>             <url-pattern>/Login.jsp</url-pattern>
>>>             <http-method>GET</http-method>
>>>             <http-method>POST</http-method>
>>>         </web-resource-collection>
>>>         <auth-constraint>
>>>             <role-name>portal_gamer</role-name>
>>>         </auth-constraint>
>>>     </security-constraint>
>>>
>>>     <login-config>
>>>         <auth-method>FORM</auth-method>
>>>         <realm-name>default</realm-name>
>>>         <form-login-config>
>>>             <form-login-page>LoginForm.jsp</form-login-page>
>>>             <form-error-page>LoginError.jsp</form-error-page>
>>>         </form-login-config>
>>>     </login-config>
>>>
>>>     <security-role>
>>>             <role-name>portal_gamer</role-name>
>>>     </security-role>
>>>
>>>Which part of the magic am I missing?
>
>
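
A static check over the deployment descriptor quoted in this thread, added here as an example (not code from anyone in the thread). It flags login and error page paths without the leading "/" that the Servlet 2.3 and later descriptor calls for, login pages that are themselves covered by a security constraint, and roles with no security-role declaration. The names check_form_login and pattern_covers are hypothetical helpers, and the input is the thread's fragment, abridged and wrapped in <web-app> with no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed input: the thread's fragment, abridged, wrapped in <web-app> (no namespace).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginTrigger</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>portal_gamer</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>LoginForm.jsp</form-login-page>
      <form-error-page>LoginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>portal_gamer</role-name></security-role>
</web-app>"""

def pattern_covers(pattern, path):
    """Handles the exact, '/prefix/*' and '*.ext' url-pattern forms only."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def check_form_login(xml_text):
    """Return a list of findings for a FORM login-config (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    patterns = [p.text.strip() for p in root.findall(".//web-resource-collection/url-pattern")]
    for tag in ("form-login-page", "form-error-page"):
        page = (root.findtext("login-config/form-login-config/" + tag) or "").strip()
        if not page:
            findings.append(f"{tag}: missing")
            continue
        if not page.startswith("/"):  # Servlet 2.3+ DTD: path begins with a leading /
            findings.append(f"{tag}: '{page}' has no leading '/'")
            page = "/" + page  # normalise so the coverage check below still runs
        findings += [f"{tag}: '{page}' is itself protected by '{p}'"
                     for p in patterns if pattern_covers(p, page)]
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    for r in root.findall("security-constraint/auth-constraint/role-name"):
        if r.text.strip() not in declared | {"*"}:
            findings.append(f"role '{r.text.strip()}' has no <security-role>")
    return findings
```

A finding from this check is a descriptor issue worth correcting; it does not by itself establish the cause of the behaviour reported in the thread.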

