JAAS form authentication with form page matching protected resources

No replies
Joined: 2014-05-05

Recently someone showed me an application with a strange JAAS setting: using form authentication, they configured the login and error pages inside the protected resources, something like "/*" and then "/login.jsp"; please note that /login.jsp matches /*, so the login page is a protected resource itself! Is this setting correct? The login process is working, most of the time... sometimes it has strange behaviours, like logging in a user without entering his credentials, and with other users' credentials (users already logged in).
Does someone know if these settings could generate some issues? Shouldn't the login and error pages be outside the protected resources? What are the drawbacks of that configuration?
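The web.xml layout described in the question, followed by two ways of keeping the form pages outside the protected space, as an added example that is not the poster's actual configuration (the /secure/* prefix, the realm name and the role name are assumed):

```xml
<!-- Added example, not the poster's web.xml: this approximates the
     setting described above. "/*" covers everything, so /login.jsp and
     /error.jsp are themselves protected resources. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- assumed role name -->
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>app</realm-name> <!-- assumed realm name -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Corrected layout: protected content lives under its own prefix, so the
     form pages and the assets they load are never inside the constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/secure/*</url-pattern> <!-- assumed prefix -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- submitted credentials and the session cookie only travel over TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- If "/*" has to stay, exempt the form pages explicitly: the exact
     patterns are the best match for those URIs, and a constraint with no
     <auth-constraint> permits unauthenticated access to them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>form pages</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
    <url-pattern>/error.jsp</url-pattern>
  </web-resource-collection>
</security-constraint>
```

Whichever variant is used, the j_security_check POST and any stylesheet or image the login page loads must also be reachable without a session, otherwise the container has to special-case them.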