April 19, 2004

Invalid direct reference to form login page

This seems to be a fairly common occurrence when dealing with form-based authentication in Tomcat. Heck, Matt even blogged about it a year and a half ago. The error shows up when someone reaches the resource Tomcat uses to display the login page (e.g., ‘/login.jsp’, ‘/login.do’, etc.) directly, instead of being sent there by the container after requesting a protected page, and then submits the form: the container has no saved request to return the user to, so it rejects the login with this message.

There are a number of technical solutions to this, so I don't think I need to add another. But most of them miss the big picture: the important thing to remember is that you should never have a reference to this resource anywhere in your application. The only places it should appear are:

  1. in your web.xml, where you tell the container which resource to use for collecting a username and password from an unidentified user, and
  2. if necessary, in your framework configuration mapping URLs to resources -- in your Struts config or Spring URL mapping bean, for instance.

It should appear no place else -- no direct links, no redirects, nothing. The user should never see a URL with the name of your form-login-page in it.

The thing is, this login page isn't a real resource. It's just a tool the container whips out when it needs to find out who you are. The tool doesn't do anything by itself; it's only there to gather some information and move you on to where you actually wanted to be -- kind of like how it wouldn't make sense to hand your credit card to the person at a busy grocery store who directs you to the next open register.
