Thanks mech, that's very interesting; however, I simply just can't believe that there are Tomcat instances out there in a live production environment with configured realms that suffer from this problem. Surely there must be something....

----- Original Message -----
From: "mech" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>; "'Ben Jessel'" <[EMAIL PROTECTED]>
Sent: Tuesday, December 17, 2002 12:57 PM
Subject: RE: Workaround for login page direct reference
> Some more ideas...
>
> In my application I never have a direct link to the login.jsp.
> Try to link either to any file that will be accessed after login (e.g.
> content.jsp) or link only to the secure directory that you mapped and
> let the welcome-file redirect link to index.jsp or whatever.
>
> Doesn't solve the back button issue (check the Tomcat bug list), doesn't
> prohibit users from bookmarking the login.jsp, but improves usability at
> least a bit by avoiding some opportunities to get errors.
>
> For your intermediate page thing I would suggest looking into using
> filters. Unfortunately nothing can prohibit anyone from using the
> browser back button and trying to re-login again, because in that back button
> case the login.jsp isn't even loaded again; so you can't even check for
> that error by any means.
>
> Michael
>
> > -----Original Message-----
> > From: Ben Jessel [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 17 December 2002 13:43
> > To: Tomcat Users List
> > Subject: Re: Workaround for login page direct reference
> >
> > Thanks Mike,
> >
> > I guess another workaround is that you could just invalidate
> > their session if they go to the login page.... Now, I still
> > don't see how all this is going to help that "direct reference
> > to login page"...., as it seems that I get this error if I go
> > to login.jsp and then enter my details.....
> >
> > - Say the user goes to xxxx/login.jsp directly....
> > - If we've protected that page Tomcat goes, no - "that's a
> >   protected resource", and forwards to xxxx/login.jsp.
> >   Otherwise, Tomcat just goes to the login page.
> > - You enter the user details, and then Tomcat tries to
> >   forward to the page you came from (i.e. login.jsp), but
> >   detects this is invalid (presumably by comparing against
> >   <login-page> in the web.xml), and displays an error - "direct
> >   reference to login page"....
> >
> > What I'd really, really like is some way of having an
> > intermediate page where I can check the requestURI to find
> > out what page Tomcat is going to redirect me to *after* login,
> > so Tomcat would give me
> > login.jsp?page_to_forward_to=blah.jsp... but alas, I don't
> > think I can...
> >
> > ----- Original Message -----
> > From: "Mike W-M" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 17, 2002 11:28 AM
> > Subject: Re: Workaround for login page direct reference
> >
> > > I'm going to have to sort this myself in the near future, but I don't
> > > quite see how the fact that you can forward to the protected resource is
> > > going to help? Isn't Tomcat going to automatically redirect (not
> > > forward - the distinction is important since redirecting will result in
> > > the login page's URL showing up in the browser's address bar) to the
> > > login page you've configured? Actually... since redirecting causes the
> > > browser to initiate a new request (for your WEB-INF/login page in this
> > > case), won't you get a 404-type error?
> > >
> > > Someone posted in a similar thread the other day that they intended to
> > > check a couple of things in the login page:
> > > 1. request.getRequestedSessionId() is *NULL* and
> > > 2. There is *NO* cookie named "JSESSIONID"
> > > I think the theory was that these would both be true on the first
> > > occasion the login page was accessed, but that if the user was already
> > > authenticated then the conditions wouldn't hold, so the page should
> > > redirect to the index page. It's not nice to be relying on a cookie name
> > > (what if they change it between versions, or if cookies are turned off
> > > (though I'm not sure the authentication works then anyway!)?) but I'm
> > > inclined to move in that direction when it's my turn....
> > >
> > > Mike.
> > >
> > > ----- Original Message -----
> > > From: "Ben Jessel" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Brett M. Bergquist" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, December 17, 2002 10:55 AM
> > > Subject: Re: Workaround for login page direct reference
> > >
> > > I'll give that a go.
> > >
> > > Thanks
> > >
> > > Ben
> > > ----- Original Message -----
> > > From: "Brett M. Bergquist" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Ben Jessel" <[EMAIL PROTECTED]>
> > > Sent: Monday, December 16, 2002 8:54 PM
> > > Subject: Re: Workaround for login page direct reference
> > >
> > > > Ben, I'm not sure but I believe that I've seen mention that you can
> > > > forward to a page that is not accessible to the outside. That
> > > > is, put the Login.jsp page within WEB-INF of your web app and it
> > > > will not be available to the outside world but you can forward to
> > > > it from inside the web app.
> > > >
> > > > I don't know if this will work because I have not tried it but it
> > > > might.
> > > >
> > > > Brett
> > >
> > > ..

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
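A concrete version of the filter-based approach Michael suggests, as an added example that is not code posted by anyone in the thread. It assumes a Servlet 2.3-style web application (the javax.servlet package Tomcat used at the time; Tomcat 10 and later use jakarta.servlet), a form-login page at /login.jsp, a protected directory /secure/ with its own welcome file, and a filter mapping for /login.jsp in web.xml. All of those paths and names are assumptions made for illustration. The filter relies on one piece of container behaviour: when Tomcat itself sends the browser to the form-login page it has already created a session in which it stores the protected URL that was requested, so a hit on login.jsp with no session at all can only be a bookmark or a typed-in URL.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards the form-login page against direct requests.
 *
 * Assumed layout (not taken from the thread): login page is /login.jsp,
 * the protected area is /secure/ (welcome file inside it), and this filter
 * is mapped to /login.jsp. Example web.xml fragment:
 *
 *   <filter>
 *     <filter-name>loginGuard</filter-name>
 *     <filter-class>LoginPageGuardFilter</filter-class>
 *     <init-param>
 *       <param-name>protectedEntry</param-name>
 *       <param-value>/secure/</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loginGuard</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *   </filter-mapping>
 */
public class LoginPageGuardFilter implements Filter {

    // Where to send the browser so that the container, not the user, drives
    // the login. Taken from configuration only; never from a request parameter,
    // which would turn this filter into an open redirect.
    private String protectedEntry = "/secure/";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("protectedEntry");
        if (configured != null && configured.startsWith("/")) {
            protectedEntry = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String target = response.encodeRedirectURL(request.getContextPath() + protectedEntry);

        // Case 1: the caller is already authenticated (typically the browser
        // Back button landing on the cached login form). Re-submitting
        // j_security_check now would fail, so send them into the application.
        if (request.getUserPrincipal() != null) {
            response.sendRedirect(target);
            return;
        }

        // Case 2: no session exists. Tomcat creates a session and saves the
        // originally requested protected URL before it shows the login page,
        // so a session-less request for login.jsp is a bookmark or typed URL.
        // Bounce to the protected entry point; the container will save that
        // request and render the login form the normal way, which avoids the
        // "direct reference to login page" error after the credentials POST.
        HttpSession session = request.getSession(false);
        if (session == null) {
            response.sendRedirect(target);
            return;
        }

        // Otherwise this is the container-driven display of the form: let it render.
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

This covers the two cases the thread can actually detect from the servlet API. The case it cannot cover is a browser that still holds a session but for which Tomcat has no saved request (for example the saved request was consumed or the user reached login.jsp with a leftover session); Tomcat keeps the saved request in an internal session note that the servlet API does not expose, so that path still ends in the error. A bookmarked /login.jsp costs one extra redirect but lands on the login form as usual.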