First of all I did read the Servlet Spec, it provided no hint as to what I was doing wrong.
So you are saying that I can't have a login form on the page when the welcome page? Why not? Tons of sites have just that, like Twitter and Facebook. It seems weird why I can't have it on my welcome page.

And wait a minute. You are telling me that I have to first point my web browser to /teacher/success.jsp and then when I get the login page and login? Why can't I do the following: first login from the login page and then go to success.jsp? Why do I have to first hit an auth error and then be redirected back to login and then provide my user/pass combo?

So how do you code a login module? Where I can login first and then go to my resources?

This is indeed weird.

On Mon, Aug 31, 2015 at 10:55 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Sreyan,
>
> On 8/31/15 12:34 PM, Sreyan Chakravarty wrote:
> > Wait I am sure I am going wrong in a fundamental area.
> >
> > My security constraint is as follows:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>TECHERS</web-resource-name>
> >     <url-pattern>/teacher/success.jsp</url-pattern>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <role-name>TEACHER</role-name>
> >   </auth-constraint>
> > </security-constraint>
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <form-login-config>
> >     <form-login-page>/index.jsp</form-login-page>
> >     <form-error-page>/index.jsp?error=true</form-error-page>
> >   </form-login-config>
> > </login-config>
> >
> > <security-role>
> >   <role-name>TEACHER</role-name>
> > </security-role>
> >
> > Now let me tell you what I understand from this:
> >
> > - The <web-resource-collection> /teacher/success.jsp is protected
> >   via a FORM login page that is index.jsp
> > - Therefore the page after login which the user will land to is
> >   /teacher/success.jsp. I don't need to specify that elsewhere.
> > - <form-login-page> element designates the login page.
> > - <form-error-page> element designates the page to go to if login
> >   has failed.
> >
> > This is my understanding of the whole process. Please don't tell me
> > that I have to put <form-login-page> as /teacher/success.jsp. If so
> > then where do I designate the login page?
> >
> > Forgive my noobishness. Just starting out with servlet security.
>
> With your above configuration, you have to point your web browser at
> https://yourhost/teacher/success.jsp
>
> This will cause Tomcat to send you to the login page, and you can enter
> your username and password. Once you enter the right username and
> password, Tomcat will actually send you to /teacher/success.jsp
>
> You really should read the Servlet Spec's section on authentication.
> In fact, read the whole spec. It's quite readable and if you are going
> to be writing web applications, you really ought to have read it.
>
> -chris
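
The login-first flow asked about at the top of this message, sketched as an added example that is not part of the original thread and not Tomcat's own code: a welcome-page form posts to a servlet that authenticates with `HttpServletRequest.login()` (Servlet 3.0) and only then redirects to the protected page. Assumptions: a Servlet 3.0+ container such as Tomcat 7 or later, a hypothetical `/login` mapping, and hypothetical form field names `username` and `password`.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: the /login mapping and the "username"/"password"
// field names are assumptions, not part of the configuration in the thread.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        String ctx = req.getContextPath();
        if (user == null || pass == null) {
            resp.sendRedirect(ctx + "/index.jsp?error=true");
            return;
        }
        // login() throws if the request is already authenticated.
        if (req.getUserPrincipal() != null) req.logout();
        // Drop any pre-login session so an ID planted before authentication
        // is never promoted to an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        // Create the session first so the container has somewhere to keep
        // the authenticated user across the redirect below.
        req.getSession(true);
        try {
            // Validates the credentials against the Realm of this webapp.
            req.login(user, pass);
        } catch (ServletException e) {
            // Same response for unknown user and wrong password.
            resp.sendRedirect(ctx + "/index.jsp?error=true");
            return;
        }
        // Fixed target, never a request parameter, so no open redirect.
        // The <security-constraint> still applies: the container refuses
        // /teacher/success.jsp to a user without the TEACHER role.
        resp.sendRedirect(ctx + "/teacher/success.jsp");
    }
}
```

Only POST is handled, so credentials never travel in a query string; the inherited `doGet` answers 405.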