Andy Armstrong wrote:
> 
> Michael Jennings wrote:
> 
> > Hi everyone,
> >
> > I just wanted to bounce an idea off of everyone. In tomcat, when one
> > specifies form-based authentication you have to tell tomcat which page
> > is the login page. This is done via the context's web.xml file by
> > setting the <form-login-page> property under the <login-config>
> > section. When a user hits a protected URL in a context, if they are not
> > already authenticated, the original request page is saved in their
> > session, then they are redirected to the login page, if the login
> > succeeds, they are redirected to their original request page.
> > A problem happens however, when a user requests JUST the login page.
> > After logging in, there is nowhere to redirect the user to since there
> > is no original request saved in the session.
> >
> > What if there was a concept of a "default login target"? so that when a
> > user requests just the designated login page, if they are already
> > authenticated, they get redirected to the "default login target" page.
> > Similarly, if a user requests the login page but they are not
> > authenticated, upon logging in they would get redirected to the
> > "default login target".
> >
> > I realize that this is probably not in the JSP spec, but something like
> > this seems to be necessary. The alternative is to look for the presence
> > of a session variable called "tomcat.auth.originalLocation" and set up
> > a default from within the login page if that session variable isn't
> > there.
> >
> > Any thoughts?
> 
> Why not supply the default in a hidden field on the login page?
> 
> --
> Andy Armstrong, Tagish

FWIW, I guess I could see some small convenience in a target-fail and
target-succeed context parameter. I guess if I had multiple entry
points into my application, such as a more complex manual authentication
routine within a different application or something, I could also grab
these values for all successful or failed attempts to access the system.
I guess it would let me standardize my authentication result pages and
have them listed in one single place, which means I would probably name
them "auth-fail-target" and "auth-succeed-target" rather than making
them login-specific. Then again, I could probably implement this same
thing in a dozen other ways or using my own custom context param tags. I
guess my personal feeling is that it probably wouldn't be an obtrusive
feature, and many users may in fact find it convenient. My main
objection would be that it is adding non-spec features, which means that
any apps written under Tomcat would not cleanly port to other
spec-compliant servlet containers.

Just my $.02.

- Christopher
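
The "default login target" idea from this thread, sketched as a servlet filter mapped to the login page URL. This is an added example, not code from any of the posters or from Tomcat. It assumes the javax.servlet Filter API, a hypothetical context-param named "auth-succeed-target" (the name floated above), and that the container honours the "tomcat.auth.originalLocation" session attribute quoted in the thread, which depends on the Tomcat version.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: map this filter to the login page URL in web.xml.
public class DefaultLoginTargetFilter implements Filter {
    // Session attribute name as quoted in the thread; whether the container
    // reads it back after login is an assumption tied to the Tomcat version.
    private static final String ORIGINAL_LOCATION = "tomcat.auth.originalLocation";
    private String defaultTarget;

    public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical <context-param>; the value lives in server-side
        // configuration, so it is never taken from request data.
        String t = cfg.getServletContext().getInitParameter("auth-succeed-target");
        // Accept only a context-relative path so the redirect stays in this app.
        if (t == null || !t.startsWith("/") || t.startsWith("//")) {
            throw new ServletException("auth-succeed-target must be a context-relative path");
        }
        defaultTarget = t;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String target = req.getContextPath() + defaultTarget;

        // Case 1: already authenticated user asks for the login page directly.
        if (req.getUserPrincipal() != null) {
            res.sendRedirect(res.encodeRedirectURL(target));
            return;
        }
        // Case 2: unauthenticated user asks for the login page directly, so no
        // original request was saved; seed the default before showing the form.
        HttpSession session = req.getSession(true);
        if (session.getAttribute(ORIGINAL_LOCATION) == null) {
            session.setAttribute(ORIGINAL_LOCATION, target);
        }
        chain.doFilter(rq, rs);
    }

    public void destroy() { }
}
```

Because filters are not applied to container forwards unless configured for them, this runs only when the login page is requested directly, which is the case the thread is about.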
