[undertow-dev] loginPage and security constraints

Anil Saldhana Anil.Saldhana at redhat.com
Mon Aug 19 10:51:10 EDT 2013


Bill,
   the user can bookmark the login page. But the container has to treat
it in a special way. It assumes that the user is trying to access a
protected resource, authenticate (login page -> creds -> redirect) and send
the user to the index page.  Now if the user bookmarks the error page, same
thing.

Now if the user bookmarks a protected page, the sequence is the same
except that the post-authentication forward happens to the protected
resource.

Regards,
Anil

On 08/19/2013 09:07 AM, Bill Burke wrote:
> It makes a lot of sense to be able to bookmark the login page so I don't
> think you are correct that the login page cannot be bookmarked.
>
> On 8/19/2013 10:02 AM, Anil Saldhana wrote:
>> Login/Error page in FORM authentication are controlled by the web
>> container. They should
>> not be accessed directly by the user. When they bookmark the login page
>> or error page,
>> the url should be protected.
>>
>> The workflow starts as follows: when the user tries to access a secured
>> resource, the container
>> initiates the form authentication workflow by saving the current request
>> and then forwarding to
>> the login page and after login, restore the request and proceed. In case
>> of error, the request is
>> forwarded to the error page.
>>
>> In the case of bookmarked login page, the container has to perform
>> special processing to ensure
>> that it does not restore back to the login page but to the index/welcome
>> page.
>>
>>
>> On 08/19/2013 08:54 AM, Stuart Douglas wrote:
>>> At the moment the code assumes the login and error pages are outside the secured area.
>>>
>>> It think it makes sense to change this so that the login and error pages are never secure.
>>>
>>> Stuart
>>>
>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: undertow-dev at lists.jboss.org
>>>>> Sent: Saturday, 17 August, 2013 7:30:30 PM
>>>>> Subject: [undertow-dev] loginPage and security constraints
>>>>>
>>>>> If you have an authentication security constraint set to "/*", how do you
>>>>> make sure you don't have an infinite redirect loop with the loginPage?
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
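The FORM-authentication flow described in this thread (save the request, forward to the login page, restore after login, never restore to a bookmarked login/error page) as an added simulation; this is not Undertow code, and the paths, the in-memory session and the credential store are constructed assumptions. It also reproduces the redirect loop that a "/*" constraint causes when the login page is not exempted.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed page locations and credential store (assumptions, not Undertow's).
LOGIN, ERROR, WELCOME = "/login.html", "/error.html", "/index.html"
USERS = {"alice": "secret"}


@dataclass
class Session:
    user: Optional[str] = None
    saved_request: Optional[str] = None  # request saved before forwarding to login


def secured(path: str, exempt_login_pages: bool) -> bool:
    """Constraint '/*' secures everything; the fix is to never secure login/error pages."""
    if exempt_login_pages and path in (LOGIN, ERROR):
        return False
    return True


def handle(session: Session, path: str, creds: Optional[Tuple[str, str]] = None,
           exempt_login_pages: bool = True, max_hops: int = 10) -> str:
    """Return the page finally served for one request; raise on a redirect loop."""
    hops = []
    while len(hops) < max_hops:
        hops.append(path)
        if path == "/j_security_check":           # form POST with credentials
            user, pw = creds or ("", "")
            if USERS.get(user) == pw:
                session.user = user
                saved, session.saved_request = session.saved_request, None
                # Bookmarked login/error page: restore to the welcome page, not to itself.
                path = saved if saved and saved not in (LOGIN, ERROR) else WELCOME
                continue
            path = ERROR                           # bad credentials: forward to error page
            continue
        if secured(path, exempt_login_pages) and session.user is None:
            session.saved_request = path           # save the request ...
            path = LOGIN                           # ... and forward to the login page
            continue
        return path
    raise RuntimeError(f"redirect loop: {hops}")
```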

