[undertow-dev] loginPage and security constraints

Bill Burke bburke at redhat.com
Mon Aug 19 10:14:21 EDT 2013


So, in practice, the login page will most probably be in an insecure area.

On 8/19/2013 10:11 AM, Stuart Douglas wrote:
> Just looked through the code, and confirmed that the servlet code should work as Anil describes. If your form auth page contains references to static resources though these will also be secured, so if you are trying to secure everything you will probably run into problems.
>
> This is only for Servlet form auth, native Undertow form auth just uses a redirect at the moment.
>
> Stuart
>
>
>> Login/Error page in FORM authentication are controlled by the web container.
>> They should not be accessed directly by the user. When they bookmark the
>> login page or error page, the url should be protected.
>>
>> The workflow starts as follows: when the user tries to access a secured
>> resource, the container initiates the form authentication workflow by saving
>> the current request and then forwarding to the login page and after login,
>> restore the request and proceed. In case of error, the request is forwarded
>> to the error page.
>>
>> In the case of bookmarked login page, the container has to perform special
>> processing to ensure that it does not restore back to the login page but to
>> the index/welcome page.
>>
>>
>> On 08/19/2013 08:54 AM, Stuart Douglas wrote:
>>
>> At the moment the code assumes the login and error pages are outside the
>> secured area.
>>
>> I think it makes sense to change this so that the login and error pages are
>> never secure.
>>
>> Stuart
>>
>> ----- Original Message -----
>>
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: undertow-dev at lists.jboss.org
>>> Sent: Saturday, 17 August, 2013 7:30:30 PM
>>> Subject: [undertow-dev] loginPage and security constraints
>>>
>>> If you have an authentication security constraint set to "/*", how do you
>>> make sure you don't have an infinite redirect loop with the loginPage?
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> undertow-dev mailing list
>>> undertow-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/undertow-dev

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
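The redirect loop the thread is about, as an added illustration that is not Undertow's code nor code from anyone in the thread: a simplified model of Servlet-style security-constraint matching (exact path beats prefix beats extension; a constraint with no roles is an open constraint) and of a redirect-based FORM auth flow. `always_open` is an assumption standing in for the container treating the login and error pages as container-controlled rather than user-accessible resources.

```python
"""Model why a "/*" auth constraint loops with a redirect-based login page.

Added example, not Undertow code. Container behaviour is approximated:
longest/most-specific pattern wins, a constraint without roles is open,
and always_open models pages the container never subjects to constraints.
"""
from dataclasses import dataclass, field


@dataclass
class Constraint:
    pattern: str                             # "/exact", "/prefix/*" or "*.ext"
    roles: set = field(default_factory=set)  # empty = no auth-constraint = open


def _match_rank(pattern, path):
    """Return a comparable rank if pattern matches path, else None."""
    if pattern == path:
        return (3, len(pattern))                      # exact match wins
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))                      # longest prefix next
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))                      # extension match
    return None


def constraint_for(constraints, path):
    """Pick the most specific constraint covering path (None if uncovered)."""
    ranked = [(r, c) for c in constraints if (r := _match_rank(c.pattern, path)) is not None]
    return max(ranked, key=lambda rc: rc[0])[1] if ranked else None


def authorize(constraints, path, user_roles, always_open=()):
    """'allow' if the request may proceed, 'login' if form auth must start."""
    if path in always_open:
        return "allow"
    c = constraint_for(constraints, path)
    if c is None or not c.roles:        # uncovered, or open constraint
        return "allow"
    return "allow" if set(user_roles) & c.roles else "login"


def form_auth_flow(constraints, path, login_page, user_roles=(), always_open=()):
    """Follow a redirect-style FORM auth: every 'login' answer redirects the
    browser to login_page, which is itself checked against the constraints.
    Returns the paths visited, ending in 'LOOP' if the flow never terminates."""
    visited = [path]
    while authorize(constraints, visited[-1], user_roles, always_open) == "login":
        if login_page in visited:       # already sent there once: infinite redirect
            visited.append("LOOP")
            break
        visited.append(login_page)
    return visited
```

Excluding the login and error pages via open constraints (or treating them as always open, as the servlet code does) ends the loop; static resources referenced by the login page need the same treatment, as Stuart notes.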

