[undertow-dev] loginPage and security constraints

Anil Saldhana Anil.Saldhana at redhat.com
Mon Aug 19 10:02:46 EDT 2013


Login/Error pages in FORM authentication are controlled by the web container. They should not be accessed directly by the user. When they bookmark the login page or error page, the URL should be protected.

The workflow starts as follows: when the user tries to access a secured resource, the container initiates the form authentication workflow by saving the current request and then forwarding to the login page; after login, it restores the request and proceeds. In case of error, the request is forwarded to the error page.

In the case of a bookmarked login page, the container has to perform special processing to ensure that it does not restore back to the login page but to the index/welcome page.


On 08/19/2013 08:54 AM, Stuart Douglas wrote:
> At the moment the code assumes the login and error pages are outside the secured area.
>
> I think it makes sense to change this so that the login and error pages are never secure.
>
> Stuart
>
> ----- Original Message -----
>> >From: "Bill Burke"<bburke at redhat.com>
>> >To:undertow-dev at lists.jboss.org
>> >Sent: Saturday, 17 August, 2013 7:30:30 PM
>> >Subject: [undertow-dev] loginPage and security constraints
>> >
>> >If you have a authentication security constraint set to "/*", how do you
>> >make sure you don't have an infinite redirect loop with the loginPage?
>> >
>> >--
>> >Bill Burke
>> >JBoss, a division of Red Hat
>> >http://bill.burkecentral.com
>> >_______________________________________________
>> >undertow-dev mailing list
>> >undertow-dev at lists.jboss.org
>> >https://lists.jboss.org/mailman/listinfo/undertow-dev
>> >
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
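The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Undertow code: a small Python model of a container's FORM-authentication flow. It shows the infinite redirect loop that a "/*" constraint produces when the login page is itself constrained, the fix of never securing the login and error pages, the save/restore of the original request, and the bookmarked-login-page case that lands on the welcome page. Page paths, the credential store and the one-shot restore logic are constructed for the demo; the open-redirect guard on the restored target is an added caveat, not something the thread specifies.

```python
"""Toy model of a servlet container's FORM authentication flow.

Added example only (not Undertow's implementation).  Page names, the
credential store and the session/response shapes are all constructed.
"""
from dataclasses import dataclass
from typing import Optional

LOGIN_PAGE = "/login.html"          # assumed <form-login-page>
ERROR_PAGE = "/login-error.html"    # assumed <form-error-page>
WELCOME_PAGE = "/index.html"        # assumed welcome file
SECURITY_CHECK = "/j_security_check"
USERS = {"alice": "s3cret"}         # constructed credentials for the demo


@dataclass
class Session:
    user: Optional[str] = None
    saved_request: Optional[str] = None   # original URI, kept server-side


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # Location header of a 302
    body: str = ""                   # page that was served or forwarded to


class Container:
    def __init__(self, pattern: str = "/*", login_pages_never_secure: bool = True):
        self.pattern = pattern
        self.login_pages_never_secure = login_pages_never_secure

    def constrained(self, path: str) -> bool:
        """Does the security constraint cover this path?"""
        if self.login_pages_never_secure and path in (LOGIN_PAGE, ERROR_PAGE):
            return False          # the change proposed in the thread
        if self.pattern.endswith("/*"):
            prefix = self.pattern[:-2]
            return path == prefix or path.startswith(prefix + "/")
        return path == self.pattern

    def handle(self, session: Session, method: str, path: str, form=None) -> Response:
        if method == "POST" and path == SECURITY_CHECK:
            return self.security_check(session, form or {})
        if self.constrained(path) and session.user is None:
            session.saved_request = path          # save, then send to the login page
            return Response(302, location=LOGIN_PAGE)
        return Response(200, body=path)           # serve the page

    def security_check(self, session: Session, form: dict) -> Response:
        if USERS.get(form.get("j_username")) != form.get("j_password"):
            # Error: forward to the error page; the saved request is kept so the
            # user can retry and still land on the resource they asked for.
            return Response(200, body=ERROR_PAGE)
        session.user = form["j_username"]
        target, session.saved_request = session.saved_request, None   # one-shot restore
        # Bookmarked login page: nothing useful was saved, so go to the welcome
        # page instead of restoring the login/error page itself.
        if target is None or target in (LOGIN_PAGE, ERROR_PAGE):
            target = WELCOME_PAGE
        # Added caveat: only restore a same-application path, never an absolute
        # URL or a protocol-relative "//host" string (open-redirect guard).
        if not target.startswith("/") or target.startswith("//"):
            target = WELCOME_PAGE
        return Response(302, location=target)


def follow(container: Container, session: Session, path: str, max_hops: int = 10):
    """GET `path` and follow 302s; returns (final_response, chain of paths).
    Raises RuntimeError when the redirects loop."""
    chain = [path]
    resp = container.handle(session, "GET", path)
    while resp.status == 302:
        if resp.location in chain or len(chain) > max_hops:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [resp.location]))
        chain.append(resp.location)
        resp = container.handle(session, "GET", resp.location)
    return resp, chain
```

With `login_pages_never_secure=False`, `follow(Container(login_pages_never_secure=False), Session(), "/secret")` raises on the loop `/secret -> /login.html -> /login.html`, and the saved request has already been overwritten with the login page by then; with the default, the chain stops at the login page and `saved_request` still holds `/secret`, so a successful `POST /j_security_check` redirects there, while a session that started on the bookmarked login page is sent to the welcome page.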
