Sreyan,

On 8/31/15 1:39 PM, Sreyan Chakravarty wrote:
> First of all I did read the Servlet Spec, it provided no hint as to
> what I was doing wrong.
> 
> So you are saying that I can't have a login form on the page when
> the welcome page? Why not? Tons of sites have just that, like
> Twitter and Facebook. It seems weird why I can't have it on my
> welcome page.

Oh, you can do it, but you'll have to implement it yourself. Go
re-read the spec's section on how FORM authentication works. Note that
you are required to attempt to access a protected page before being
asked for authentication. I think it's a big hole in the spec that
should be filled, but anything Tomcat would do for you here is, by
definition, out-of-spec.

> And wait a minute. You are telling me that I have to first point my
> web browser to /teacher/success.jsp and then when I get the login
> page and login?

Yes.

> What can't I do the following-:
> 
> First login from the login page and then go to success.jsp?

You sure can do that, but you can't use j_security_check as your POST
target. Instead, you have to write your own Servlet and then
(probably) call HttpServletRequest.login() from there, then redirect
the user to wherever you want them to go.

> Why do I have to first hit an auth error and then be redirected
> back to login and then provide my user/pass combo ?

This is spec-defined behavior.

> So how do you code a login module ? Where I can login first and
> then go to my resources ?

What's a "login module"?

> This is indeed weird.

It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But
certainly not weird.

Servlet 3.0 added the HttpServletRequest.login() method, which improved
the situation greatly: you can implement your own login handler that
plugs into the authentication services of the container. It's just
that the container doesn't handle any redirection to a login page
(none is required) or credential capturing (easily done with a servlet).

Really the only thing the servlet spec is missing is a setting in
<form-login> like <default-landing-page> or something like that, so
that if you try to login with j_security_check and you hadn't already
requested a protected resource, the container knows where to send the
user after authentication.

-chris
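
The approach described in the reply above, as an added example that is not part of the original message and is not Tomcat's own code: a servlet that receives the login form POST, calls HttpServletRequest.login(), and redirects to a fixed landing page. The /login URL pattern, the username/password field names and /login.jsp are assumptions, as are the javax.servlet namespace and a Servlet 3.1 container for changeSessionId().

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: URL pattern, field names and LOGIN_PAGE are assumptions.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    // Fixed landing page (the protected page from the thread). It is a constant,
    // never read from request input, so the redirect cannot be steered off-site.
    private static final String LANDING_PAGE = "/teacher/success.jsp";
    private static final String LOGIN_PAGE = "/login.jsp";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // login() throws if the caller is already authenticated, so short-circuit.
        if (req.getUserPrincipal() != null) {
            resp.sendRedirect(req.getContextPath() + LANDING_PAGE);
            return;
        }
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE + "?error=1");
            return;
        }
        // Ensure a session exists so the container has somewhere to keep the
        // authenticated Principal across the redirect (assumption about container
        // behaviour; harmless where it is not needed).
        req.getSession(true);
        try {
            // Checks the credentials against the container's configured realm.
            req.login(username, password);
        } catch (ServletException e) {
            // One generic failure response; it does not say which field was wrong.
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE + "?error=1");
            return;
        }
        // Rotate the session id after authentication (Servlet 3.1+) so an id
        // issued before login is not carried into the authenticated session.
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + LANDING_PAGE);
    }
}
```

The login form posts to /login instead of j_security_check; the security constraints in web.xml still protect /teacher/* as before.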