On Wed, 22 May 2002, Victor Hadianto wrote:

> Date: Wed, 22 May 2002 10:46:38 +1000
> From: Victor Hadianto <[EMAIL PROTECTED]>
> To: Craig R. McClanahan <[EMAIL PROTECTED]>
> Subject: Re: tomcat.auth.originalLocation with Tomcat 4.X
>
> > IMHO, you are trying to misuse form-based authentication.
> >
> > The servlet spec requires that the container cache the *original* request
> > that triggered the authentication, and then replay it after the user is
> > successfully identified. From the user experience point of view, it
> > works exactly like BASIC authentication does:
> >
> > * User submits a request for a protected URI
> >
> > * Container "pops up" the username/password dialog
>
> This is where the problem arises. When the container "pops up" the
> username/password dialog in the form based authentication it directs the
> user to the login page. Thus the URL in the browser has the
> http://host/login.jsp

Originally, Tomcat 4 did an internal forward to the login page, rather than a
redirect, so that this wouldn't happen. Unfortunately, we got deluged with
bug reports that said images on the login page didn't work -- because they
were being resolved against the original request URI instead of that of the
login page. You can't win sometimes ... :-(

> Now my problem is if the user bookmarks this page then the next time he/she
> decides to use the bookmark he/she will go directly to the login page.
>
> > level code. Reliance on this feature locks you in to that particular
> > version of Tomcat -- it's not portable to Tomcat 4 or to any other
> > servlet container in the world.
>
> Well didn't I learn the hard way :D.
>
> So ... you reckon the only solution for me is to use my own authentication
> mechanism?

Either that or train your users to "don't do that".

> --
> Victor Hadianto

Craig
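
The flow discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: a small Java model of container-managed form login, showing the cached-request replay and why a bookmarked login page leaves the container with nothing to replay. The `/protected/` prefix, `/error.jsp`, the session key and the returned strings are assumptions; what a real container does when no request was cached is container-specific.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of container-managed FORM login (illustration only).
public class FormAuthModel {
    static final String LOGIN_PAGE = "/login.jsp";   // login page URL from the thread
    static final String SAVED = "savedRequest";      // hypothetical session key

    // Returns the container's action for one request in the given session.
    static String handle(String method, String uri,
                         Map<String, String> session, boolean credentialsOk) {
        if (uri.equals("/j_security_check")) {       // login form was submitted
            if (!credentialsOk) {
                return "forward:/error.jsp";         // hypothetical error page
            }
            String original = session.remove(SAVED);
            if (original == null) {
                // Login page reached directly (e.g. from a bookmark):
                // no original request was cached, so nothing can be replayed.
                return "error:no original request to replay";
            }
            session.put("user", "authenticated");
            return "replay:" + original;
        }
        if (uri.equals(LOGIN_PAGE)) {
            return "serve:" + LOGIN_PAGE;            // the page itself is unprotected
        }
        if (uri.startsWith("/protected/") && !session.containsKey("user")) {
            session.put(SAVED, method + " " + uri);  // cache the original request
            return "redirect:" + LOGIN_PAGE;         // browser now shows the login URL
        }
        return "serve:" + uri;
    }

    public static void main(String[] args) {
        // Intended flow: protected URI first, then the login form.
        Map<String, String> normal = new HashMap<>();
        System.out.println(handle("GET", "/protected/report", normal, false));
        System.out.println(handle("POST", "/j_security_check", normal, true));

        // Bookmark flow: login page first, so no request was ever cached.
        Map<String, String> bookmarked = new HashMap<>();
        System.out.println(handle("GET", LOGIN_PAGE, bookmarked, false));
        System.out.println(handle("POST", "/j_security_check", bookmarked, true));
    }
}
```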