I suppose that you could use the SAME page for login and error. You could
tell which context it's being called in by playing with a session variable,
I think. That should give you the flexibility you want, and all within spec.
Nick Newman
At 11:31 AM 2/26/01 -0700, you wrote:
>I agree with Jeff the Servlet 2.2 Spec only specifies that an error page is
>returned - so Orion's behaviour is up to spec. To allow continuation of the
>login process from loginError page would be an add-on ... cerrtainly a
>useful one, because it's more user friendly. But of course, it is Orion's
>developers who call the shots.
>
>--peter
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
>Sent: Monday, February 26, 2001 8:06 AM
>To: Orion-Interest
>Subject: RE: Orion FORM based authentication Configuraton problem
>
>If I'm reading the steps correctly, this behavior is actually fully
>spec-compliant. This is the reason I don't use FORM-based login.
>
>j_security_check is only required to be valid immediately after an
>attempt to visit a secured page. There is no provision to be able to
>re-enter credentials from the failure page, and the Orion implementation
>doesn't allow it. The user must hit the back button :-(
>
>Also, Orion performs a forward() rather than a redirect() when a
>successful login does occur. Thus the ugly url in the user's browser.
>I logged bug #126 against this issue but it was denied :-)
>
>Jeff
>
