Posted to users@tomcat.apache.org by "Mark.Abbott" <Ma...@openwave.com> on 2001/04/18 02:11:45 UTC

Form based authentication in 4.0b2

I have a question regarding the interaction between
browsers and the implementation of form based authentication
in Tomcat 4.

Let's say that a webapp sets its login page to the
document /app/login/login.jsp.  If one requests a protected 
document named, for example, /app/jsp/main.jsp, the container 
internally directs that request to the login page; the 
browser then displays the login page but the browser thinks
it is displaying /app/jsp/main.jsp as requested.  So any
relative URLs in the login page are broken as the browser will
try to fetch them relative to the main.jsp document.

OK, so maybe I can see why that is needed in order to have a
session to store the original request data in, and one can use 
only absolute URLs in a login page in a pinch.  But when the 
login form is posted back to the action /app/j_security_check,
the same kind of internal switch is made back to the original 
request for main.jsp, which causes all the relative URLs in main.jsp
to be broken since the browser now thinks it is displaying the 
document /app/j_security_check.  Moreover, the browser location
window displays the URL /app/j_security_check, which really ought
to be an internal detail of the application.  It seems like a 
real redirect ought to be made to the originally requested 
resource once the user has authenticated.

In a related issue, the most basic usage of the security 
constraints in an app would be to restrict access to all
resources by default and then open up access for just those
resources (images, style sheets) needed to display the login page.  
But when I try that kind of configuration, the login page cannot 
get its resources.  Instead, I have to leave the app open by default
and restrict particular resources.  Is this the purposeful 
behavior?

    Thanks! Mark
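The "restrict everything by default, then open up just the login page and its assets" layout described in the post, written out as a web.xml fragment. This is an added example, not from the post; it assumes the webapp is deployed under the context path /app (so the patterns below are context-relative), a role named `user`, the login page's images and style sheets under /login/, /images/ and /css/, and an error page /login/error.jsp that the post does not mention. Under the Servlet specification a security-constraint with no auth-constraint grants access without authentication, and the longest matching path prefix wins over /*, which is what lets the second constraint override the first; whether 4.0b2 applied that precedence is the question the post raises.

```xml
<!-- Added example: deny-by-default form login configuration for a webapp at /app -->

<!-- 1. Everything requires an authenticated user in the (assumed) role "user". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. No auth-constraint at all: these paths are reachable by anyone.
     Longer path-prefix patterns take precedence over /*, so this wins for
     the login page and the images and style sheets it references. Path
     prefixes are used rather than *.css / *.gif because extension patterns
     are only consulted when no prefix pattern matches, and /* always does. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login page and its assets</web-resource-name>
    <url-pattern>/login/*</url-pattern>
    <url-pattern>/images/*</url-pattern>
    <url-pattern>/css/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- 3. Form-based login; the form posts to j_security_check with
     j_username and j_password. The error page is assumed, not from the post. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Because the login page is served while the browser still shows the protected URL, keep the links inside it context-absolute (for example `/app/images/logo.gif`) rather than relative, as the post notes.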