users@glassfish.java.net

Re: Obtaining LoginException

From: <Jan.Luehe_at_Sun.COM>
Date: Mon, 06 Aug 2007 11:10:35 -0700

Hi Joe,

Shevland, Joe wrote:

>>The only recommendation I can give you is to not add <%@page
>>isErrorPage="true"%> to your <form-error-page> resource, and
>>to not try to retrieve the pagecontext's error data
>>(${pageContext.errorData}) from your <form-error-page> resource.
>>
>>
>
>Thanks Jan,
>
>From my understanding then of all of that, I'm unable to get the
>LoginException in the form-error-page when using form-based
>authentication and hence unable to provide any better feedback in the
>case authentication fails than "Login failed, for some reason".
>
>Would this be feasible to submit as an RFE? I don't see any approach
>other than modifying the container code to get at it. I'd like to get at
>the message of the exception to give the user some more relevant
>feedback.
>
>

An RFE might be in place. Any information (e.g., exception) related to
the authentication failure could be stored in the session that was
established during FORM authentication (to store the original request
URL to which the user would be redirected following a successful
authentication), so that the form-error-page could retrieve it from
there.

However, in GlassFish, there is no exception thrown or propagated in
the case of any FORM authentication failure (I think this is on purpose,
because you don't want to disclose to a potential attacker too many
details as to why they could not be authenticated), so I'm not sure
how useful the RFE would be in the end.


Jan