> -----Original Message-----
> From: Michael Jennings [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 21, 2001 11:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: FORM-based authentication idea
> 
> 
> > The best way to think about form-based login is like this:
> >
> > * The login page is (in essence) part of the container,
> >   not the application.  Therefore, ...
> >
> > * The login page should *never* be referenced directly by any
> >   other application page, and ...
> >
> > * The login page should *never* be requested directly by the
> >   user.
> 
> How do you enforce that a particular URL should never be asked for by a
> user?

Installing it under WEB-INF is one way. The container will then enforce the
prohibition. However, in general, not publishing the URL anywhere is
probably sufficient. It's not as though, with form-based login, the user
ever has to see the URL of the login form.

        -SMD
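
An added example, not part of the original thread: a small audit that reads a `web.xml` and reports any FORM login or error page that is not under `/WEB-INF/` and so could be requested directly by URL. The two descriptors and the function name are constructed for illustration, and the WEB-INF placement assumes a container that reaches the login page by internal forward rather than by redirect.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptors (not taken from the thread).
EXPOSED = """<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/WEB-INF/auth/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Same descriptor with the login page moved under WEB-INF.
HIDDEN = EXPOSED.replace(">/login.jsp<", ">/WEB-INF/auth/login.jsp<")


def local(tag):
    """Strip an XML namespace so DTD-era and namespaced descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def directly_requestable_login_pages(web_xml):
    """Return {element: path} for FORM login/error pages a client could request by URL."""
    root = ET.fromstring(web_xml)
    findings = {}
    for lc in (e for e in root.iter() if local(e.tag) == "login-config"):
        method = next(
            (e.text or "" for e in lc.iter() if local(e.tag) == "auth-method"), ""
        )
        if method.strip().upper() != "FORM":
            continue  # BASIC/DIGEST/CLIENT-CERT have no login page to hide
        for e in lc.iter():
            if local(e.tag) in ("form-login-page", "form-error-page"):
                path = (e.text or "").strip()
                # The container refuses direct client requests under /WEB-INF/.
                # The match is case-sensitive on purpose: "/web-inf/" is not protected
                # on a case-sensitive filesystem.
                if not path.startswith("/WEB-INF/"):
                    findings[local(e.tag)] = path
    return findings


if __name__ == "__main__":
    print("exposed:", directly_requestable_login_pages(EXPOSED))
    print("hidden: ", directly_requestable_login_pages(HIDDEN))
```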