One of the issues I had was wanting my login page to be the first page people went to, but with the current FormAuthentication you get an error (invalid direct reference to form login page). I have modified the FormAuthentication class so if someone posts to j_security_check from the login page (specified in the web.xml) it will authenticate and redirect them back to the login page. I also added another feature where if a person also posts the parameter j_redirect_url to j_security_check it will forward them to that URL (note: the j_redirect_url must be an absolute URL reference). The logic inside this class is fairly complicated because it deals with multiple requests, and I think I did everything correctly. If someone wants to provide feedback, that would be great. I can work on any bugs. The actual code was sent to the mailing list under the subject "Form Authentication potential contribution".
Created attachment 1835: Potential Fix for this bug
This is a good feature because TC 4.X has a lack in form auth redirection: - How about session expired? - How about direct login page access? - etc. I think Peter's patch is a good approach, so please, oh great TC gurus, take it into consideration and let it be checked before the new release!!
Additionally, users bookmark the login page, thus going directly to the login page and receiving a redirect error. This error causes them to think there is a problem. If you go straight to the login form on any of Tomcat's apps (admin, protected example) it gives this error. Very irritating!
Please take a look at bugs 3839, 4104, 4048, 1861. People have been bugged by this forever. PLEASE, PLEASE, PLEASE, PLEASE apply the patch. Thanks.
This has been discussed a lot already, and will not be fixed. Thanks for pointing out it was a dupe :) *** This bug has been marked as a duplicate of 3839 ***
I tried your solution in Tomcat 4.1.31 and it seemed to me not to be working, because the redirect URL (j_redirect_url) should be one of the security-protected resources. In my case I have a login form on any page of my site, so the user can log in from any page and return to that page. To solve this problem I had to change FormAuthenticator.java and AuthenticatorBase.java using your trick. When a saved request is not found after j_security_login, I save a request using j_redirect_url and put a flag in a session note to indicate I'm redirecting from login. Now, when AuthenticatorBase.invoke is called again, it checks to see if the page is in the security constraints or a redirect from login exists, and calls authenticate again to restore the saved URL. I will attach my solution because I believe a lot of developers wish for that feature, even if it is not compliant with the servlet specs.
Created attachment 16515: An approach to have login form in any page (1/3)
Created attachment 16516: An approach to have login form in any page (2/3)
Created attachment 16517: An approach to have login form in any page (3/3)
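The post-login target selection discussed in this thread (saved request first, then j_redirect_url, then the login page), written as an added Java example; it is not the attached patches and not Tomcat's code. The class and method names are hypothetical, and restricting j_redirect_url to the application's own origin is an assumption of this example, added because the parameter is supplied by the client.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper for illustration; not part of Tomcat or of the attachments above.
public final class LoginRedirectTarget {

    /**
     * Picks the redirect target after a successful POST to j_security_check.
     * savedRequestUrl: URL of the protected request the container saved, or null
     * redirectParam:   value of the j_redirect_url form parameter, or null
     * loginPageUrl:    absolute URL of the login page configured in web.xml
     */
    public static String choose(String savedRequestUrl, String redirectParam, String loginPageUrl) {
        if (savedRequestUrl != null) {
            return savedRequestUrl;          // normal container-managed flow
        }
        if (redirectParam != null && sameOrigin(redirectParam, loginPageUrl)) {
            return redirectParam;            // caller-supplied return page
        }
        return loginPageUrl;                 // direct or bookmarked login page access
    }

    // Accept only absolute http(s) URLs whose scheme, host and port match the application's.
    static boolean sameOrigin(String candidate, String appUrl) {
        try {
            URI c = new URI(candidate);
            URI a = new URI(appUrl);
            String s = c.getScheme();
            if (s == null || c.getHost() == null || c.getRawUserInfo() != null) return false;
            if (!"http".equalsIgnoreCase(s) && !"https".equalsIgnoreCase(s)) return false;
            return s.equalsIgnoreCase(a.getScheme())
                && c.getHost().equalsIgnoreCase(a.getHost())
                && port(c) == port(a);
        } catch (URISyntaxException e) {
            return false;                    // unparsable value: fall back to the login page
        }
    }

    private static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        String login = "https://app.example/login.jsp";   // constructed sample values
        System.out.println(choose(null, "https://app.example/news.jsp", login));
        System.out.println(choose(null, "https://other.example/x", login));
        System.out.println(choose("https://app.example/admin/", null, login));
    }
}
```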