I'm going to have to sort this myself in the near future, but I don't quite see how the fact that you can forward to the protected resource is going to help? Isn't Tomcat going to automatically redirect (not forward - the distinction is important since redirecting will result in the login page's URL showing up in the browser's address bar) to the login page you've configured? Actually... since redirecting causes the browser to initiate a new request (for your WEB-INF/login page in this case), won't you get a 404-type error?
Someone posted in a similar thread the other day that they intended to check a couple of things in the login page:

1. request.getRequestedSessionId() is *NULL* and
2. There is *NO* cookie named "JSESSIONID"

I think the theory was that these would both be true on the first occasion the login page was accessed, but that if the user was already authenticated then the conditions wouldn't hold so the page should redirect to the index page.

It's not nice to be relying on a cookie name (what if they change it between versions, or if cookies are turned off (though I'm not sure the authentication works then anyway!)?) but I'm inclined to move in that direction when it's my turn....

Mike.

----- Original Message -----
From: "Ben Jessel" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Brett M. Bergquist" <[EMAIL PROTECTED]>
Sent: Tuesday, December 17, 2002 10:55 AM
Subject: Re: Workaround for login page direct reference

I'll give that a go.

Thanks

Ben

----- Original Message -----
From: "Brett M. Bergquist" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Ben Jessel" <[EMAIL PROTECTED]>
Sent: Monday, December 16, 2002 8:54 PM
Subject: Re: Workaround for login page direct reference

> Ben, I'm not sure but I believe that I've seen mention that you can forward to a page that is not accessible to the outside. That
> is, put the Login.jsp page within WEB-INF of your web app and it will not be available to the outside world but you can forward to
> it from inside the web app.
>
> I don't know if this will work because I have not tried it but it might.
>
> Brett
> ...
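
The two login-page checks described in the message above, written against the Servlet API as an added example that is not part of the original thread. The class name LoginPageGuard, its method names and the indexPath parameter are hypothetical, and the javax.servlet package namespace is assumed.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper (not from the thread) implementing the two checks. */
public final class LoginPageGuard {

    // Cookie name quoted in the message.
    private static final String SESSION_COOKIE = "JSESSIONID";

    private LoginPageGuard() {}

    /**
     * True when the client sent no session id and no session cookie.
     * Note: a session id is present whenever any earlier request created a
     * session, not only after a login, so "false" does not prove authentication.
     */
    public static boolean looksLikeFirstVisit(HttpServletRequest request) {
        // Check 1: no session id was supplied (by cookie or URL rewriting).
        if (request.getRequestedSessionId() != null) {
            return false;
        }
        // Check 2: no cookie with the session cookie name.
        Cookie[] cookies = request.getCookies(); // null when the client sent none
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SESSION_COOKIE.equals(c.getName())) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Call at the top of the login page. Returns true when a redirect to the
     * index page was sent, in which case the caller must stop rendering.
     */
    public static boolean redirectIfSessionPresent(HttpServletRequest request,
            HttpServletResponse response, String indexPath) throws IOException {
        if (looksLikeFirstVisit(request)) {
            return false; // render the login form as usual
        }
        String target = request.getContextPath() + indexPath;
        response.sendRedirect(response.encodeRedirectURL(target));
        return true;
    }
}
```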