Nicholas Sushkin wrote:
> On Thursday 08 November 2007, you wrote:
>
>> The question I had was what happens when you directly request the login
>> form and successfully login.
>
> Tomcat will give you an error page saying something along the lines "the
> login page was accessed directly". It won't let you login successfully.
> Tomcat does not know where to redirect you.
>
Easiest way to prevent direct access of the login page is to put it somewhere inaccessible, like "WEB-INF/login/form.jsp". Tomcat authentication valves will still forward to the page, but it won't be available to request.

It still won't prevent attempts to access the submission URL (j_security_check) directly, which causes the 'invalid direct reference to login form' error that has been referred to earlier in the thread. This is usually the result of requesting a protected page, then not submitting the form until session timeout has occurred, after which the original saved request may have been purged.

There's another variation, where "/protected/resource/j_security_check" is accessed by GET and is assigned as the URL of the saved request which, on restore, produces a 404. I've seen this in our logs, but am not sure how it occurs.

p
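
An added example, not part of the original message or of Tomcat: a small access-log triage script that flags the three request patterns discussed above (the login page requested by URL, a failed j_security_check submission, and j_security_check fetched by a method other than POST). The log format, the login page path and the sample lines, including their status codes, are assumptions constructed for the example.

```python
import re

# Assumed access log pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

LOGIN_PAGE = "/app/login/form.jsp"  # hypothetical login page location

# Constructed sample lines (addresses, paths and status codes are made up).
SAMPLE = """\
192.0.2.10 - - [08/Nov/2007:10:00:01 -0500] "GET /app/protected/report HTTP/1.1" 200 1843
192.0.2.10 - - [08/Nov/2007:10:00:09 -0500] "POST /app/protected/j_security_check HTTP/1.1" 302 -
192.0.2.22 - - [08/Nov/2007:10:41:30 -0500] "POST /app/j_security_check HTTP/1.1" 400 1021
192.0.2.31 - - [08/Nov/2007:11:02:12 -0500] "GET /app/protected/resource/j_security_check HTTP/1.1" 404 988
192.0.2.31 - - [08/Nov/2007:11:03:00 -0500] "GET /app/login/form.jsp HTTP/1.1" 200 2110
"""

def classify(line, login_page=LOGIN_PAGE):
    """Return a finding label for one access log line, or None if unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    # Drop the query string and any ;jsessionid path parameter before matching.
    path = m["uri"].split("?", 1)[0].split(";", 1)[0]
    if path.endswith("/j_security_check"):
        if m["method"] != "POST":
            return "non-post-submission"   # the GET variation from the message
        if int(m["status"]) >= 400:
            return "failed-submission"     # e.g. no saved request left to restore
        return None
    if path == login_page:
        # A container forward to the login page is logged under the originally
        # requested URI, so this path in the log means it was requested by URL.
        return "direct-login-page"
    return None

def scan(text):
    """Return (line_number, label) for every flagged line in a log excerpt."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            label = classify(line)
            if label:
                findings.append((n, label))
    return findings

if __name__ == "__main__":
    for n, label in scan(SAMPLE):
        print(f"line {n}: {label}")
```
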