Posted to users@tomcat.apache.org by Brad Rhoads <br...@zethcon.com> on 2002/07/17 20:44:55 UTC

How to specify j_security_check success target

When using FORM security, your logon page must post to j_security_check. If
the logon fails, then you end up at the page specified in
<form-error-page>. From what I understand, if the logon is successful,
you'll be sent to whatever page you initially requested. Correct?

If so, how do I override that behavior? Let's say after a logon I always
want the user to go to mainmenu.jsp.

<login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
      </form-login-config>
 </login-config>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: How to specify j_security_check success target

Posted by Brad Rhoads <br...@zethcon.com>.
>The basic flow is designed to go like this:
>- User makes a request for a URL
>- Container sees that this URL is protected by a security constraint
>- Container saves the original request and displays the login page
>- Assuming successful authentication, the container
>  performs the *original* request.

>There's no
>such thing as "directing the user to a particular page" in this scenario

Sounds like my understanding was correct. So let me explain what I need and
perhaps you could suggest an approach to take.

My app has its own security system where I set some session vars at logon.
I check for one of them in my template page and in my Struts ActionServlet.
That all works fine. But now I need to protect non-jsp pages, like PDFs. So
I want to use JDBCRealm security. The problem I'm left with is setting up
all the session vars I'm currently doing in my logon action. That's why I
wanted some way to specify the target page.

Hmmm... Right now, if the session var is missing, I redirect to the logon
page. I guess I could change that to a setsessionvar page instead. Because
with the container security on, the only way the session var check could
happen would be if the user had been authenticated.  Right? Does that make
sense or is there a better approach?



Re: How to specify j_security_check success target

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 17 Jul 2002, Brad Rhoads wrote:

> Date: Wed, 17 Jul 2002 13:44:55 -0500
> From: Brad Rhoads <br...@zethcon.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>,
>      brhoads@zethcon.com
> To: 'Tomcat Users List' <to...@jakarta.apache.org>
> Subject: How to specify j_security_check success target
>
>
> When using FORM security, your logon page must post to j_security_check. If
> the logon fails, then you end up at the page specified in
> <form-error-page>. From what I understand, if the logon is successful,
> you'll be sent to whatever page you initially requested. Correct?
>
> If so, how do I override that behavior? Let's say after a logon I always
> want the user to go to mainmenu.jsp.
>
> <login-config>
>       <auth-method>FORM</auth-method>
>       <realm-name>Example Form-Based Authentication Area</realm-name>
>       <form-login-config>
>         <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
>         <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
>       </form-login-config>
>  </login-config>
>

You're trying to use form based login incorrectly.

The basic flow is designed to go like this:
- User makes a request for a URL
- Container sees that this URL is protected by a security constraint
- Container saves the original request and displays the login page
- Assuming successful authentication, the container
  performs the *original* request.

If it still doesn't make sense, temporarily switch your app to use BASIC
authentication (where the browser pops up the dialog box).  There's no
such thing as "directing the user to a particular page" in this scenario.
Form based login is designed to work exactly the same (from a user
experience point of view) with the sole exception being that your login
page is used instead of the browser's dialog box.

Craig
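
One way to implement the approach proposed in the follow-up above, given the flow Craig describes: a servlet filter that populates the application's session variables on the first request after the container has authenticated the user. This is an added example, not code from the thread or from Tomcat; the class name, the attribute names and the "admin" role are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical names). Map this filter to the same URL
// patterns as the <security-constraint>, so the container has already
// completed FORM authentication before doFilter() is reached.
public class SessionInitFilter implements Filter {
    static final String USER_ATTR = "app.user";      // assumed attribute name
    static final String ADMIN_ATTR = "app.isAdmin";  // assumed attribute name

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container's principal is the source of truth, not the session var.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Reached only if the filter is mapped to an unprotected URL:
            // refuse instead of trusting whatever is in the session.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        HttpSession session = request.getSession(true);
        // Populate on the first request after login, and again if the
        // session somehow carries state for a different user.
        if (!principal.getName().equals(session.getAttribute(USER_ATTR))) {
            session.setAttribute(USER_ATTR, principal.getName());
            loadApplicationState(session, request);
        }
        chain.doFilter(req, res);
    }

    // Stand-in for the work the existing logon action does today.
    private void loadApplicationState(HttpSession session, HttpServletRequest request) {
        // "admin" is an assumed role name defined in the realm.
        session.setAttribute(ADMIN_ATTR, Boolean.valueOf(request.isUserInRole("admin")));
    }
}
```

Because the filter keys its decision on getUserPrincipal() rather than on the presence of a session variable, protected non-JSP resources such as PDFs get the same setup as JSP pages without a dedicated post-login target.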

