-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrew,
Andrew R Feller wrote: > I'm sorry but maybe I am reading a different version of the servlet > specification than you: it only explains the case where you access a > container-managed resource and then login. That would be the only case covered by the servlet specification. Your question about what happens when drive-by logins are attempted (trying to submit directly to j_security_check with no prior request for a protected resource) can easily be answered by trying it: you'll find that Tomcat responds with either a 404 NOT FOUND error or something else entirely unhelpful. The specification only provides for a request / challenge / authentication / re-process request cycle. Anything else the servlet container chooses to support is outside of the specification. Since Tomcat does not implement anything outside the specification in this area, there is no further documentation to provide. > The question I had was what happens when you directly request the > login form and successfully login. As you never requested a > container-managed resource, then how does it know where to send you. Not only will it not know where to send you, but it will not work at all. If you want to do unsolicited logins, you will need to use a 3rd-party authentication scheme like securityfilter or ACEGI. > David Smith atleast understood it well enough to answer with the > thought that the servlet container wouldn't allow you to access the > login form directly. I understood. Perhaps my reply was terse, but anything not covered by the servlet specification should be considered undefined behavior by definition. I was trying to point that out, perhaps a bit too subtly. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHM3pk9CaO5/Lv0PARAhzTAKCnK8uLLP1FMcWD50WQ3penMLFKPwCgq4rA gNMqGdTMdSjFRA7CFHe8dUw= =24DQ -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
