Thank you Chuck, Matthias; I appreciate the direction. The reasons why I ask are:
1. There were no apparent connections between requesting a container-managed resource, logging in via the form-login-page, and receiving the originally requested container-managed resource. 2. Little documentation on j_security_check from vendors; just assumes people know it is part of the servlet specification. 3. It is unclear what happens in the event when a user requests the form- login-page directly instead of going through a container-managed resource. How does j_security_check know where to redirect the user once he has authenticated successfully? 4. I appreciate understanding exactly what is going on in a system. Andrew R Feller, Analyst Subversion Administrator University Information Systems Louisiana State University [EMAIL PROTECTED] (office) 225.578.3737 -----Original Message----- From: Reich, Matthias [mailto:[EMAIL PROTECTED] Sent: Thursday, November 08, 2007 12:08 PM To: Tomcat Users List Subject: RE: j_security_check redirect after login You should also have a look at /org/apache/catalina/authenticator/FormAuthenticator.java In this class you can find the details about how requests are saved and restored. When I once digged into the details I wondered whether it is correct to restore all the headers of the original request. E.g., if a user clears the browser cache while the browser shows the login dialog, the resubmit of the original request will not include an 'if-modified-since' header, which was available in the stored request. In such a situation the servlet will see the header from the original request and could decide to return NOT MODIFIED status. The servlet spec does not tell you if this is correct behavior or not, but it may be interesting to know about this behavior. (And that's why we like open source projects where we can look how it really works :-) Regards, Matthias -----Original Message----- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Thursday, November 08, 2007 6:02 PM To: Tomcat Users List Subject: RE: j_security_check redirect after login > From: Andrew R Feller [mailto:[EMAIL PROTECTED] > Subject: j_security_check redirect after login > > How does j_security_check know where to redirect users to after they > have logged in? Read the servlet spec; to quote from SRV.12.5.3.1: "If the form based login is invoked because of an HTTP request, the original request parameters must be preserved by the container for use if, on successful authentication, it redirects the call to the requested resource." Unless you are going to muck around with Tomcat internals, what difference does it make how the above is accomplished? > nor am I able to find out where in the Tomcat source > code j_security_check is declared or invoked. Start with org/apache/catalina/authenticator/AuthenticatorBase.java, in the invoke() method. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]