-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Sreyan,
On 8/31/15 3:20 PM, Sreyan Chakravarty wrote: > Ok I found FormAuthenticator and landingPage attribute in it in the > source. You shouldn't need to look at the source. > But how do I use that in my application ? What do I do ? You configure the FormAuthenticationValve in your application's META-INF/context.xml file. http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Introduction The intro says you can configure any Valve in any of the following "Catalina container[s] (Engine, Host, or Context)." Just make it a new child of the <Context> element you should already have. > Any documentation for this ? Just what you have already read: <Context> <Valve className="name.of.valve.class" ... other configuration attributes ... /> </Context> - -chris > On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < > sreyan.mail...@gmail.com> wrote: > >> Well Christopher thanks for that eye opener. I didn't know that >> the specs were so inconsistent. >> >> Okay now regarding your comment-: >> >> "Servlet 3.0 added the HttpServletRequest.login() method would >> improved the situation greatly: you can implement your own login >> handler that plugs-into the authentication services of the >> container. It's just that the container doesn't handle any >> redirection to a login page (none is required) or credential >> capturing (easily done with a servlet)." >> >> How do you implement your own login handler and how do you plug >> that into Tomcat Auth services. Can you provide some info as to >> how I would do that ? >> >> And what is the extension to FORM Authenticator that Mark is >> talking about ? >> >> Also correct me if I am wrong, then the page that I use to login >> and the page that will contain j_security_check as an action must >> be two different pages. >> >> Also can I have two <login-config> elements in my web.xml ? >> >> On Mon, Aug 31, 2015 at 11:19 PM, Christopher Schultz < >> ch...@christopherschultz.net> wrote: >> > Sreyan, > > On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: >>>>> First of all I did read the Servlet Spec, it provided no >>>>> hint as to what I was doing wrong. >>>>> >>>>> So you are saying that I can't have a login form on the >>>>> page when the welcome page ? Why not ? Tons of site have >>>>> just that, like Twitter and Facebook. It seems weird why I >>>>> can't have it on my welcome page. > > Oh, you can do it, but you'll have to implement it yourself. Go > re-read the spec's section on how FORM authentication works. Note > that you are required to attempt to access a protected page before > being asked for authentication. I think it's a big hole in the spec > that should be filled, but anything Tomcat would do for you here > is, by definition, out-of-spec. > >>>>> And wait a minute. You are telling me that I have to first >>>>> point my web browser to /teacher/success.jsp and then when >>>>> I get the login page and login ? > > Yes. > >>>>> What can't I do the following-: >>>>> >>>>> First login from the login page and then go to >>>>> success.jsp? > > You sure can do that, but you can't use j_security_check as > yourPOST target. Instead, you have to write your own Servlet and > then (probably) call HttpServletRequest.login() from there, then > redirect the user to wherever you want them to go. > >>>>> Why do I have to first hit an auth error and then be >>>>> redirected back to login and then provide my user/pass >>>>> combo ? > > This is spec-defined behavior. > >>>>> So how do you code a login module ? Where I can login first >>>>> and then go to my resources ? > > What's a "login module"? > >>>>> This is indeed weird. > > It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But > certainly not weird. > > Servlet 3.0 added the HttpServletRequest.login() method would > improved the situation greatly: you can implement your own login > handler that plugs-into the authentication services of the > container. It's just that the container doesn't handle any > redirection to a login page (none is required) or credential > capturing (easily done with a servlet). > > Really the only thing the servlet spec is missing is a setting in > <form-login> like <default-landing-page> or something like that, > so that if you try to login with j_security_check and you hadn't > already requested a protected resource, the container knows where > to send the user after authentication. > > -chris >>> >>> -------------------------------------------------------------------- - - >>> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >> > -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV5c7LAAoJEBzwKT+lPKRYBkoP/RCzs3LjRGedna+GYX1KP7nD eeQseNjfe+nCC9w0hkUUklTxA7ikC92IJHxfoBNKOwjEzIBBrT1stoR1rwUAjMRp dBZ44EjxybDYHQgCJkLdFQXD0q3+SH4kYDguVNJNSl8vpYQ4ehTj7RDV0mlf7USz rLgwZ/4WZh/QU3VMf0R+xYbnz/nkbzAMiIn9ZGMa/R26tBWT1AEWbP7ntGw6qFgM i4FhElMb21cJYSrU6eAvTvJpJR97ziBnCLauZxBmfiioIH09iutXqrG8F/q3Ou42 9mBEPCqYTwj6ZznSX5nXbujllNTdtSJNfZUfuCLRgV+fzEhfYuDflnptIPDMjg/9 HH1WCozm/sAvLh/z3Gn0uPpALhTzT0b4rHlH8rksJqZlQ/0vaEO14HQgvhe3/DbM DCo8MCU/QTq7CILd1eB1l4kfiIDkc4XFUxYkdnUWCwvLelWWRMUB3Zd5B9gYefdK iJ3ivzwwd5GJURb/S+KAucJCHaN6gIkLE3z3IIb/Q/LUsc1AT+8mdwCMeExsr7N2 5wg9B64SviroD3Ab86lL/8MVan525YGuM/h4xUjn5v90Nv7Bm+9jZBCA3M1/FzbW XrrH5lFs/E4LJKOCGbM8sLNUbsYoa6nN1WI3XHovJkgnKnaVhA24MmEE0dN1GvDf P3TvUkHPDy2+b6MfN/x9 =FCGh -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org