Posted to users@tomcat.apache.org by Ben Jessel <be...@morpheme.co.uk> on 2002/12/16 17:14:45 UTC

Workaround for login page direct reference

Hi,
I've got a realm set up on Tomcat. It works fine - whenever I go to a
protected page, I am forwarded to the login.jsp page.
However, if I go to the login.jsp page directly and fill in my details I get
"Invalid direct reference to form login page". Not surprising really, as
Tomcat would get itself into an endless cycle.

Now what are the strategies for hiding this page, so a hapless user who goes
directly to the login page and enters his details doesn't get this message?
I'd want to forward them onto the index page. Any ideas? Would I explicitly
bar the request of the requesting of the login page using my web server?.. I
doubt it, as I reckon that the realm probably uses a sendRedirect(). I guess
that I could check the referring page...hmm dunno...any ideas?

Thanks

-b


Re: Workaround for login page direct reference

Posted by Mike W-M <mi...@ward-murphy.co.uk>.
Agreed.  Don't forget that the beauty of open-source is that we can look at
what Tomcat's doing...
It throws the "invalid reference" error from the FormAuthenticator class, if
no original request details have been saved as an "internal note" within the
session.  It doesn't immediately look like it's easy to get access to that
information.
As a last resort, it looks easy to alter that behaviour (assuming one can
manage to recompile Tomcat).
If no-one comes up with a better resolution to the problem (which, like you
say, must be one that's cropped up many times before) then it would seem
smart to try and get the developers to code in something a little more
configurable.  [I don't recall the spec says this behaviour is
required, but...]
i.e. it defaults to the current action unless you've specified a
defaultPostLoginPage property of something or other.

Still, the code had Craig's name on the top of it.  Hopefully he'll come to
our rescue....

Mike.


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Workaround for login page direct reference

Posted by Ben Jessel <be...@morpheme.co.uk>.
Thanks mech, that's very interesting, however, I simply just can't believe
that there are Tomcat instances out there in a live production environment
with configured realms that suffer from this problem. Surely there must be
something....


RE: Workaround for login page direct reference

Posted by mech <me...@rz.fh-augsburg.de>.
Some more ideas...

In my application I never have a direct link to the login.jsp.
Try to link either to any file that will be accessed after login (e.g.
content.jsp) or link only to the secure directory that you mapped and
let the welcome-file redirect link to index.jsp or whatever.

Doesn't solve the back button issue (check Tomcat bug list), doesn't
prohibit users from bookmarking the login.jsp, but improves usability at
least a bit by avoiding some opportunities to get errors.

For your intermediate page thing I would suggest looking into using
filters. Unfortunately nothing can prohibit anyone from using the
browser back button and trying to relog again because in that back button
case the login.jsp isn't even loaded again; so you can't even check for
that error by any means.

Michael



Re: Workaround for login page direct reference

Posted by Ben Jessel <be...@morpheme.co.uk>.
Thanks Mike,

I guess, another workaround is that you could just invalidate their session
if they go to the login page....
Now, I still don't see how all this is going to help that "direct reference to
login page"....as it seems that I get this error if I go to login.jsp and
then enter in my details.....

- Say the user goes to xxxx/login.jsp directly....
- If we've protected that page Tomcat goes, no - "that's a protected
resource", and forwards to xxxx/login.jsp
  Otherwise, Tomcat just goes to the login page.
- You enter the user details, and then Tomcat tries to forward to the page
you came from ( i.e  login.jsp ), but detects this is invalid ( presumably
by comparing against <login-page> in the web.xml ), and displays an error -
"direct reference to login page"....

What I'd really, really, like, is some way of having an intermediate page
where I can check the requestURI to find out what page tomcat is going to
redirect me *after* login, so tomcat would give me
login.jsp?page_to_forward_to=blah.jsp... but alas, I don't think I can...



Re: Workaround for login page direct reference

Posted by Mike W-M <mi...@ward-murphy.co.uk>.
I'm going to have to sort this myself in the near future, but I don't quite
see how the fact that you can forward to the protected resource is going to
help?  Isn't Tomcat going to automatically redirect (not forward - the
distinction is important since redirecting will result in the login page's
URL showing up in the browser's address bar) to the login page you've
configured?   Actually... since redirecting causes the browser to initiate a
new request (for your WEB-INF/login page in this case), won't you get a
404-type error?

Someone posted in a similar thread the other day that they intended to check
a couple of things in the login page:
1. request.getRequestedSessionId() is *NULL* and
2. There is *NO* cookie named "JSESSIONID"
I think the theory was that these would both be true on the first occasion
the login page was accessed, but that if the user was already authenticated
then the conditions wouldn't hold so the page should redirect to the index
page.
It's not nice to be relying on a cookie name (what if they change it between
versions, or if cookies are turned off (though I'm not sure the
authentication works then anyway!)?) but I'm inclined to move in that
direction when it's my turn....

Mike.
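
mech's filter suggestion and the session check Mike describes can be combined in one servlet filter; the following is an added example, not code from this thread or from Tomcat. The class name LoginPageGuardFilter, the protectedHome init parameter and the /login.jsp and /index.jsp paths are assumptions, and a live session is only a heuristic for "the container sent the user here", because the saved-request note is not exposed to the application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not part of Tomcat).
 * Guards client requests for the form-login page. Assumed web.xml mapping:
 *
 *   <filter>
 *     <filter-name>loginGuard</filter-name>
 *     <filter-class>LoginPageGuardFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loginGuard</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *   </filter-mapping>
 */
public class LoginPageGuardFilter implements Filter {

    // Assumed path; it must be covered by the <security-constraint> so that
    // requesting it makes the container start the login flow itself.
    private String protectedHome = "/index.jsp";

    public void init(FilterConfig config) throws ServletException {
        // Optional override from web.xml. Only a context-relative path is
        // accepted; "//host/..." would be a scheme-relative URL.
        String configured = config.getInitParameter("protectedHome");
        if (configured != null && configured.startsWith("/")
                && !configured.startsWith("//")) {
            protectedHome = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Non-null only when the container has associated an authenticated
        // user with this request.
        boolean authenticated = request.getRemoteUser() != null;

        // Mike's check: a first, direct hit on the login page carries no
        // session id. When the container sends the user here it has already
        // created a session to hold the original request.
        boolean hasLiveSession = request.getRequestedSessionId() != null
                && request.isRequestedSessionIdValid();

        if (authenticated || !hasLiveSession) {
            // Already logged in, or nothing saved to return to: go to the
            // protected home page. If a login is needed the container saves
            // that request and presents the form, so j_security_check has
            // somewhere to go afterwards.
            // The target is fixed server-side and never read from a request
            // parameter, so the filter cannot be abused as an open redirect.
            String target = request.getContextPath() + protectedHome;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }

        // A session exists and the user is not authenticated: show the form.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // No resources to release.
    }
}
```

A browser that already holds a session for another reason (a JSP creates one by default) still passes the check, so this narrows the error case rather than eliminating it. Test with cookies disabled as well, since the session id then has to travel in the URL for the check to see it.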





Re: Workaround for login page direct reference

Posted by Ben Jessel <be...@morpheme.co.uk>.
I'll give that a go.

Thanks

Ben


Re: Workaround for login page direct reference

Posted by "Brett M. Bergquist" <br...@optonline.net>.
Ben, I'm not sure but I believe that I've seen mention that you can forward to a page that is not accessible to the outside.  That
is, put the Login.jsp page within WEB-INF of your web app and it will not be available to the outside world but you can forward to
it from inside the web app.

I don't know if this will work because I have not tried it but it might.

Brett
