Christopher Schultz wrote:
> Pid,
>
> Pid wrote:
>> There's a couple of things that may be confusing the config below, which
>> have some simple corrections.
>
>> I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
>> they are protected from unwanted attention by default - this avoids the
>> need to protect them with a security-constraint.
>
> Agreed. I've found that when using Tomcat to serve static content, these
> things tend to happen. The reason is that Tomcat saves the first
> unauthorized request and then repeats it after successful
> authentication. If the last request was for something like a CSS file
> (say, because the CSS file was protected, but the main page wasn't),
> then you'll end up being served the CSS file after login. It can be very
> disorienting.
>
>> Tomcat returns the *first* file you requested inside the secured area
>> after authentication is completed. So for some reason your browser is
>> requesting a script or CSS file before the JSP page.
>
> For some reason, I thought it was the most recent request it saved.
> First makes more sense; thanks for mentioning it.

I have an app with a page which contains a flash object (displays a nice graph) that calls a groovy script periodically to get data. If the user session times out in between requests for the script then when it's requested it's the first one after de-auth, so it becomes the target that is re-established after re-login (obviously not useful for users).

I've been attempting to stop the periodic request by monitoring the session period, but haven't had time to properly address it yet. :(

p

> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org