Status 400 - Invalid direct reference to form login page

The above error is generated when a user bookmarks the login page on
an application server where container managed security is used.

Does anyone have an elegant way of dealing with this error?

Putting a note on the login page saying, “Please don’t bookmark me.”
is obviously inelegant.

There does not seem to be a workaround because j_security_check must
be called from the container.  All my attempts to call
j_security_check directly failed.  My attempts to create a filter
also failed because I could not find a differentiator in the request
between a “bad” call to the login page and a “good” call.

I could force entry through an intermediate page by creating an
error-page entry in the web.xml:

<error-page>
    <error-code>400</error-code>
    <location>/intermediatePage.jsp</location>
</error-page>

The intermediate page could have a link to a protected entry point
(from which the container would call the login page).  But, “Status
400” is a general bad request, not necessarily this specific bad
request.

Note:  If your <location> is a protected resource and you forward a
user to that location by creating an error-page reference in web.xml,
the user will get to the protected page, but not be authenticated.
It seems that authentication is only invoked when it comes through a
browser, not through a forward or redirect.

Actually, it seems that the only answer is to junk the container
managed security wired into Tomcat and use the SecurityFilter project
at SourceForge or write my own.

Any thoughts?
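
The configuration discussed above, as an added example that is not part of the original post: a web.xml fragment showing the error-page mapping that lets a container forward reach a protected page unauthenticated, beside a mapping that keeps the container's login check in the path. The paths /app/*, /app/home.jsp, /login.jsp, /loginError.jsp and the role name "user" are hypothetical.

```xml
<!-- Added example: WEB-INF/web.xml fragment. Paths and role name are hypothetical. -->
<web-app>

    <!-- Weak mapping (left commented out): the location sits inside /app/*,
         which the security-constraint below protects. The container serves
         error pages through an internal forward, and the constraint is only
         evaluated for requests arriving from the client, so the page is
         rendered to a user who has never authenticated.
    <error-page>
        <error-code>400</error-code>
        <location>/app/home.jsp</location>
    </error-page>
    -->

    <!-- Safer mapping: the location is an unprotected page holding nothing
         sensitive. It only links to /app/home.jsp, so the browser issues a
         fresh request and the container runs the form login itself.
         Every 400 lands here, not only the bookmarked-login case. -->
    <error-page>
        <error-code>400</error-code>
        <location>/intermediatePage.jsp</location>
    </error-page>

    <!-- Anything under /app/* requires an authenticated user in role "user". -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected area</web-resource-name>
            <url-pattern>/app/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Container-managed form login; the form on /login.jsp posts to j_security_check. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```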

