But then I also want to be able to enter login credentials on the
default page, so now that page must be login-required & error & the
homepage...
While I have no doubt that it could be made to work, this is not an
elegant or appropriate solution to the problem. Sun needs to fix the
spec.
Jeff
>-----Original Message-----
>From: Nick Newman [mailto:[EMAIL PROTECTED]]
>Sent: Monday, February 26, 2001 12:26 PM
>To: Orion-Interest
>Subject: RE: Orion FORM based authentication Configuraton problem
>
>
>I suppose that you could use the SAME page for login and
>error. You could
>tell which context it's being called in by playing with a
>session variable,
>I think. That should give you the flexibility you want, and
>all within spec.
>
>Nick Newman
>
>At 11:31 AM 2/26/01 -0700, you wrote:
>>I agree with Jeff the Servlet 2.2 Spec only specifies that an
>error page is
>>returned - so Orion's behaviour is up to spec. To allow
>continuation of the
>>login process from loginError page would be an add-on ... cerrtainly a
>>useful one, because it's more user friendly. But of course,
>it is Orion's
>>developers who call the shots.
>>
>>--peter
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED]]On Behalf Of
>Jeff Schnitzer
>>Sent: Monday, February 26, 2001 8:06 AM
>>To: Orion-Interest
>>Subject: RE: Orion FORM based authentication Configuraton problem
>>
>>If I'm reading the steps correctly, this behavior is actually fully
>>spec-compliant. This is the reason I don't use FORM-based login.
>>
>>j_security_check is only required to be valid immediately after an
>>attempt to visit a secured page. There is no provision to be able to
>>re-enter credentials from the failure page, and the Orion
>implementation
>>doesn't allow it. The user must hit the back button :-(
>>
>>Also, Orion performs a forward() rather than a redirect() when a
>>successful login does occur. Thus the ugly url in the user's browser.
>>I logged bug #126 against this issue but it was denied :-)
>>
>>Jeff
>>
>
>
>