Currently Tomcat's login support redirects users back to where they initially were when the application figured out they weren't logged in.

For this particular application I need to force them to always go back to index.jsp.

I'm pretty sure this is a simple configuration option in the WAR's web.xml, but I haven't found the answer on Google.

A: 

It's something you can't configure in web.xml as it is not part of the standard. For Tomcat (tested on version 6.0.14) you can force users back to index.jsp by adding the following code at the top of your login.jsp. It redirects every request that does not have a parameter with the name 'login' in the URL to the /index.jsp?login page. Because the redirect does have the 'login' parameter, the user will be presented with the login page.

It's not a secure solution. If someone requests a page and adds the login parameter, he will be redirected. So:

/showPerson?id=1234 will redirect to /index.jsp?login

/showPerson?id=1234?login will NOT redirect to /index.jsp?login

The code that goes on top of your login.jsp:

<%
if (request.getParameter("login") == null) {
    response.sendRedirect(request.getContextPath() + "/index.jsp?login");
    return;
}
%>

Instead of using the 'login' parameter you probably could use a cookie. You can make it more secure by creating a random value for the login parameter (login=randomvalue) and store the value in the session object for comparison.

Frans
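
The random-value variant suggested at the end of the answer above could look like the following. This is an added example, not code from the original answer; the session attribute name `loginRedirectToken` is an assumption, and it goes at the top of login.jsp in place of the scriptlet shown earlier.

```jsp
<%@ page import="java.security.MessageDigest, java.security.SecureRandom" %>
<%
    // Added example (not from the original answer): per-session random
    // value for the 'login' parameter, compared against the session copy.
    final String TOKEN_ATTR = "loginRedirectToken"; // assumed attribute name

    String expected = (String) session.getAttribute(TOKEN_ATTR);
    String supplied = request.getParameter("login");

    // Accept only a value that was issued to this session. A bare "?login"
    // or a value copied from another session no longer passes.
    // MessageDigest.isEqual is a constant-time comparison on current JDKs.
    boolean valid = expected != null
            && supplied != null
            && MessageDigest.isEqual(expected.getBytes("UTF-8"),
                                     supplied.getBytes("UTF-8"));

    if (!valid) {
        // Issue a fresh 128-bit token, remember it in the session, and send
        // the browser to index.jsp so that Tomcat saves *that* request as
        // the post-login target.
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        StringBuilder token = new StringBuilder(32);
        for (byte b : raw) {
            token.append(String.format("%02x", b)); // hex is URL-safe
        }
        session.setAttribute(TOKEN_ATTR, token.toString());

        response.sendRedirect(request.getContextPath()
                + "/index.jsp?login=" + token);
        return;
    }
    // Token matched: fall through and render the login form below.
%>
```

A link prepared in advance with a fixed `login` value no longer skips the redirect, but a user can still read the token issued to their own session and append it to another URL. Treat this as navigation control only; access to pages such as /showPerson still has to be enforced by the security constraints in web.xml.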
+2  A: 

A better solution would probably be to use a servlet filter. You could then check for j_username / j_password, and a successful login and redirect them where you wanted them to go.

ScArcher2