Bill,
the user can bookmark the login page. But the container has to treat
it in a special way. It assumes that the user is trying to access a
protected resource, authenticate (login page -> creds -> redirect) and
send the user to the index page. Now if the user bookmarks the error
page, same thing. Now if the user bookmarks a protected page, the
sequence is the same except that the post-authentication forward
happens to the protected resource.
Regards,
Anil
On 08/19/2013 09:07 AM, Bill Burke wrote:
It makes a lot of sense to be able to bookmark the login page so I
don't think you are correct that the login page cannot be bookmarked.
On 8/19/2013 10:02 AM, Anil Saldhana wrote:
> Login/Error page in FORM authentication are controlled by the web
> container. They should not be accessed directly by the user. When
> they bookmark the login page or error page, the url should be
> protected.
>
> The workflow starts as follows: when the user tries to access a
> secured resource, the container initiates the form authentication
> workflow by saving the current request and then forwarding to the
> login page and after login, restore the request and proceed. In case
> of error, the request is forwarded to the error page.
>
> In the case of bookmarked login page, the container has to perform
> special processing to ensure that it does not restore back to the
> login page but to the index/welcome page.
>
>
> On 08/19/2013 08:54 AM, Stuart Douglas wrote:
>> At the moment the code assumes the login and error pages are outside the secured area.
>>
>> I think it makes sense to change this so that the login and error pages are never secure.
>>
>> Stuart
>>
>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: undertow-dev@lists.jboss.org
>>>> Sent: Saturday, 17 August, 2013 7:30:30 PM
>>>> Subject: [undertow-dev] loginPage and security constraints
>>>>
>>>> If you have an authentication security constraint set to "/*", how do you
>>>> make sure you don't have an infinite redirect loop with the loginPage?
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
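
The behaviours discussed in this thread, as an added example that is not part of the original messages and is not Undertow code: a toy model of a container enforcing an authentication constraint on "/*", showing the redirect loop when the login page is itself secured, the fix of never securing the login and error pages, and the bookmarked-login case landing on the welcome page. The class name, the page paths and the redirect-based flow are assumptions made for illustration.

```java
import java.util.Set;

// Added illustration (hypothetical names and paths), not Undertow's implementation.
public class FormAuthModel {
    static final String LOGIN = "/login.html", ERROR = "/error.html", WELCOME = "/index.html";
    static final Set<String> LOGIN_PAGES = Set.of(LOGIN, ERROR);

    final boolean exemptLoginPages; // true = login/error pages are never secured
    boolean authenticated;
    String savedRequest;            // original request remembered during login

    FormAuthModel(boolean exemptLoginPages) { this.exemptLoginPages = exemptLoginPages; }

    // One request under an auth constraint on "/*": the page served, or "302 <target>".
    String handle(String path) {
        boolean open = exemptLoginPages && LOGIN_PAGES.contains(path);
        if (authenticated || open) return path;
        savedRequest = path;        // remember where the user wanted to go
        return "302 " + LOGIN;
    }

    // Follow redirects the way a browser would; give up after a few hops.
    String browse(String path) {
        for (int hop = 0; hop < 5; hop++) {
            String r = handle(path);
            if (!r.startsWith("302 ")) return r;
            path = r.substring(4);
        }
        return "redirect loop";
    }

    // Successful credential post: restore the saved request, but never land
    // back on the login or error page (the bookmarked-page case).
    String login() {
        authenticated = true;
        String target = savedRequest;
        savedRequest = null;
        return (target == null || LOGIN_PAGES.contains(target)) ? WELCOME : target;
    }

    public static void main(String[] args) {
        // Constraint also covers the login page: the browser never gets a page.
        System.out.println(new FormAuthModel(false).browse("/app/report"));
        // Login/error pages exempt: protected page, login, then back to that page.
        FormAuthModel c = new FormAuthModel(true);
        System.out.println(c.browse("/app/report") + " then " + c.login());
        // Bookmarked login page: nothing useful to restore, so go to the welcome page.
        FormAuthModel b = new FormAuthModel(true);
        System.out.println(b.browse(LOGIN) + " then " + b.login());
    }
}
```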