On Tue, Apr 13, 2021 at 9:22 PM Tim K <tim.k.5...@gmail.com> wrote:
>
> On Fri, Apr 9, 2021 at 7:48 AM Tim K <tim.k.5...@gmail.com> wrote:
> > As mentioned in that url, doing a pre-login of sorts before calling
> > HttpServletRequest.login() may be a workaround to accomplish this, but
> > then I would need to call my backend authentication service twice for
> > each login.
> >
> > -Tim
>
> I've been looking into this further.  Is it possible to completely
> disable or change the URL for the "j_security_check" to something else
> while still keeping form-login?  I want to write my own servlet to
> perform the login via HttpServletRequest.login() instead of putting
> the password verification logic in the realm so that I have scope to
> the request to display custom error messages back to the user.  I'll
> want the realm to be very generic, almost just creating a Principal
> for anything that hits it, but I want to ensure my custom login is the
> only thing that performs the login() for obvious reasons.
>
> -Tim

Bringing back this one as I never got any bites on it.  I'm still
faced with figuring out a solution.

If I only want to programmatically log in the user via
HttpServletRequest.login(), how could I prevent users from just
directly POST-ing to j_security_check on their own and bypassing my
own login action?
