RE: Orion FORM based authentication Configuraton problem
If I'm reading the steps correctly, this behavior is actually fully spec-compliant. This is the reason I don't use FORM-based login.

j_security_check is only required to be valid immediately after an attempt to visit a secured page. There is no provision to be able to re-enter credentials from the failure page, and the Orion implementation doesn't allow it. The user must hit the back button :-(

Also, Orion performs a forward() rather than a redirect() when a successful login does occur. Thus the ugly url in the user's browser. I logged bug #126 against this issue but it was denied :-)

Jeff

-----Original Message-----
From: gnoht orion [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 26, 2001 3:41 AM
To: Orion-Interest
Subject: Re: Orion FORM based authentication Configuraton problem

ran into same problem, i think it's a bug in orion. just remove the j_security_check from your action field and login will still work, but correct url will show up. can't really understand why it works this way, hope it helps.

-t

--- cybermaster [EMAIL PROTECTED] wrote:

When I use % authentication (1.4.5, W2K Server, jdk1.3), I've got a couple of problems:

(1) Basic setup is: /Home.jsp, link to /secure/loginDummy.jsp
(2) User tries to get to /secure/loginDummy.jsp - Orion redirects to /login.jsp
(3) login correct works fine with /login.jsp - (browser shows /secure/dummyLogin as URL)
(4a) browser displays /secure/loginDummy.jsp - OK, but: - (browser shows /secure/j_security_check as URL)
BUT
(4b) if first login incorrect, Orion redirects to /loginError.jsp - (browser shows /secure/j_security_check as URL)
(5a) error again, page stays at /loginError.jsp - (browser shows /secure/j_security_check as URL)
(5b) user enters correct passwd - "ERROR 404 Not Found - Resource /formAuth/secure/j_security_check not found on this server"

somehow Orion forgets the correct URL (it shouldn't show j_security_check in the first place, I guess).
The user is actually logged in, and can go to the /secure/* pages at this time.

Peter Saurugger
Everest eCommerce
[EMAIL PROTECTED]
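The login flow reported in this message, as a small model added here (it is not from the thread and is not Orion code). The class, its two flags and the sample credentials are invented, and dropping the saved target after a failed attempt is an assumption made to reproduce step (5b).

```python
# Toy model of servlet FORM login, reconstructed from the behaviour reported
# in this thread. Not Orion code; class, flag and field names are invented.

class FormAuthContainer:
    USERS = {"alice": "s3cret"}           # constructed sample credentials

    def __init__(self, keep_target_on_failure=False, redirect_on_success=False):
        self.keep_target_on_failure = keep_target_on_failure
        self.redirect_on_success = redirect_on_success
        self.saved_target = None           # URL the user originally asked for
        self.user = None                   # authenticated principal, if any

    def get(self, url):
        """Return (status, page served, URL shown in the browser)."""
        if url.startswith("/secure/") and self.user is None:
            self.saved_target = url        # remember where to go after login
            return 200, "/login.jsp", url  # login page served under that URL
        return 200, url, url

    def post_j_security_check(self, username, password):
        shown = "/secure/j_security_check"
        if self.USERS.get(username) != password:
            if not self.keep_target_on_failure:
                self.saved_target = None   # assumption: target lost on failure
            return 200, "/loginError.jsp", shown
        self.user = username               # credentials accepted
        target, self.saved_target = self.saved_target, None
        if target is None:
            return 404, None, shown        # logged in, but nowhere to send the user
        if self.redirect_on_success:
            return 302, target, target     # browser re-requests the real URL
        return 200, target, shown          # forward(): j_security_check URL stays


def retry_after_failure(container):
    """Steps (2), (4b) and (5b): protected page, bad password, good password."""
    container.get("/secure/loginDummy.jsp")
    container.post_j_security_check("alice", "wrong")
    result = container.post_j_security_check("alice", "s3cret")
    return result, container.user
```

With the default flags the retry ends in a 404 while the session is already authenticated, which matches step (5b); with both flags set the same retry ends in a 302 to the page originally requested.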
RE: Orion FORM based authentication Configuraton problem
I agree with Jeff: the Servlet 2.2 Spec only specifies that an error page is returned - so Orion's behaviour is up to spec.

To allow continuation of the login process from loginError page would be an add-on ... certainly a useful one, because it's more user friendly. But of course, it is Orion's developers who call the shots.

--peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
Sent: Monday, February 26, 2001 8:06 AM
To: Orion-Interest
Subject: RE: Orion FORM based authentication Configuraton problem

If I'm reading the steps correctly, this behavior is actually fully spec-compliant. This is the reason I don't use FORM-based login.

j_security_check is only required to be valid immediately after an attempt to visit a secured page. There is no provision to be able to re-enter credentials from the failure page, and the Orion implementation doesn't allow it. The user must hit the back button :-(

Also, Orion performs a forward() rather than a redirect() when a successful login does occur. Thus the ugly url in the user's browser. I logged bug #126 against this issue but it was denied :-)

Jeff
RE: Orion FORM based authentication Configuraton problem
I suppose that you could use the SAME page for login and error. You could tell which context it's being called in by playing with a session variable, I think. That should give you the flexibility you want, and all within spec.

Nick Newman

At 11:31 AM 2/26/01 -0700, you wrote:

I agree with Jeff: the Servlet 2.2 Spec only specifies that an error page is returned - so Orion's behaviour is up to spec.

To allow continuation of the login process from loginError page would be an add-on ... certainly a useful one, because it's more user friendly. But of course, it is Orion's developers who call the shots.

--peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
Sent: Monday, February 26, 2001 8:06 AM
To: Orion-Interest
Subject: RE: Orion FORM based authentication Configuraton problem

If I'm reading the steps correctly, this behavior is actually fully spec-compliant. This is the reason I don't use FORM-based login.

j_security_check is only required to be valid immediately after an attempt to visit a secured page. There is no provision to be able to re-enter credentials from the failure page, and the Orion implementation doesn't allow it. The user must hit the back button :-(

Also, Orion performs a forward() rather than a redirect() when a successful login does occur. Thus the ugly url in the user's browser. I logged bug #126 against this issue but it was denied :-)

Jeff
RE: Orion FORM based authentication Configuraton problem
But then I also want to be able to enter login credentials on the default page, so now that page must be login-required error the homepage...

While I have no doubt that it could be made to work, this is not an elegant or appropriate solution to the problem. Sun needs to fix the spec.

Jeff

-----Original Message-----
From: Nick Newman [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 26, 2001 12:26 PM
To: Orion-Interest
Subject: RE: Orion FORM based authentication Configuraton problem

I suppose that you could use the SAME page for login and error. You could tell which context it's being called in by playing with a session variable, I think. That should give you the flexibility you want, and all within spec.

Nick Newman

At 11:31 AM 2/26/01 -0700, you wrote:

I agree with Jeff: the Servlet 2.2 Spec only specifies that an error page is returned - so Orion's behaviour is up to spec.

To allow continuation of the login process from loginError page would be an add-on ... certainly a useful one, because it's more user friendly. But of course, it is Orion's developers who call the shots.

--peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
Sent: Monday, February 26, 2001 8:06 AM
To: Orion-Interest
Subject: RE: Orion FORM based authentication Configuraton problem

If I'm reading the steps correctly, this behavior is actually fully spec-compliant. This is the reason I don't use FORM-based login.

j_security_check is only required to be valid immediately after an attempt to visit a secured page. There is no provision to be able to re-enter credentials from the failure page, and the Orion implementation doesn't allow it. The user must hit the back button :-(

Also, Orion performs a forward() rather than a redirect() when a successful login does occur. Thus the ugly url in the user's browser. I logged bug #126 against this issue but it was denied :-)

Jeff