The attached patch changes
FormAuthenticator.showLogin() to use an internal
redirect to display the login page instead of a browser
(external) redirect. This has the desired effect of
"preserving" the original URL that the user requested,
allowing them to "bookmark" the login page.

Why did I need to do this?

The web application I'm working on has a requirement to
show 3 different login pages for three different types
of users. Originally, we implemented three different
SecurityFilter filters, but then we had a new
requirement to allow user X to access user Y's
protected pages.

Unfortunately, Tomcat would not provide user X's roles
when accessing user Y's protected pages (because it saw
them as two different security realms), so I had to
create a default login action (we're using Struts 1.1)
that would "multiplex" the login pages depending on the
requested resource. (Yes, I peeked at the URL that
securityfilter-1.1 stores in the session.)

This made it impossible for users to bookmark the login
page since accessing the default login action directly
(e.g., without accessing a protected resource first)
would not provide enough information to know which
login page to draw.

Maybe someone else will find this useful. If changing
the behavior like this is not acceptable, a
configuration directive to alter the behavior (between
a browser redirect and an internal redirect) would be
appreciated.

Changes FormAuthenticator.showLogin() to use an internal redirect to display login page