2004-08-21 00:35:45 UTC
Hi,
There is a problem with LoginFormFormTag. Many times a web application uses the same url for the preparation for a form and for the submission for a form.
Case:
A person is trying to GET a form page that is protected by the SecurityFilter.
The filter redirects to the LoginForm which then POSTS the login information to the originally requested url. Posting the login is a good thing as it avoids having a password in the web log. BUT the receiving url now thinks it's getting a post without the required fields filled in.
There aren't any good ways around this without throwing in a hack.
IMO it would be better to post to a pseudo-url that would then redirect to the original url.
If the pseudo-url was under the protection path then jSai could invent it as the filter should be able to catch the attempted post.
I'd expect that the <jsai:loginForm> tags could also be configured to make the login page detect a post which could then redirect to the original url on a successful login.
HTH
