users@glassfish.java.net

Re: Developing a custom JSR-196 SAM

From: <glassfish_at_javadesktop.org>
Date: Mon, 29 Sep 2008 14:08:51 PDT

Ok, I don't see it in the spec anywhere, but it appears that, on Glassfish at least, there is an object in the options collection of type WebBundleDescriptor. (I feel this should be in the spec if it is not, so that it would be accessible on all platforms.)

The following will get me my paths to the login and error forms:

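// GlassFish-specific: the web deployment descriptor is found in the SAM options map.
WebBundleDescriptor lWebBundleDescriptor = (WebBundleDescriptor) options.get("WEB_BUNDLE");
// Assumption: lLoginConfiguration was not declared in the snippet; taken here from the descriptor.
LoginConfiguration lLoginConfiguration = lWebBundleDescriptor.getLoginConfiguration();
HttpServletRequest lRequest = (HttpServletRequest) aMessageInfo.getRequestMessage();
String lContextPath = lRequest.getContextPath();
// Form login and error pages, prefixed with the context path.
String lLoginPage = lContextPath + lLoginConfiguration.getFormLoginPage();
String lErrorPage = lContextPath + lLoginConfiguration.getFormErrorPage();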


If no authentication credentials are in the request I do the following:

lHttpServletResponse.sendRedirect(lLoginPage);
lHttpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
lStatus = AuthStatus.SEND_CONTINUE;

This results in my browser reporting a redirect loop, as every request results in another redirect to my login page at: /context/login.xhtml.

The secured path for my application is /profile/* so I would assume the path /context/profile/index.xhtml would require authentication, but not /context/login.xhtml. So I am not certain why my SAM is getting the second request. It appears that the validateRequest method is being called for every request regardless of whether or not the request is to be secured, which I don't believe is correct from the way I read the spec.

Does anyone have any idea why all requests would get passed through the SAM, or is this expected?
[Message sent by forum member 'chadws' (chadws)]

http://forums.java.net/jive/thread.jspa?messageID=302434
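
Added example, not part of the original post and not GlassFish code: under the JSR-196 Servlet Container Profile the container calls validateRequest for every request and flags protected resources with the MessageInfo map entry javax.security.auth.message.MessagePolicy.isMandatory, so a SAM can use that entry to decide whether to challenge. The class name LoginChallenge, the method challengeIfRequired and the sample login path are hypothetical; the helper covers only the "no credentials in the request" branch.

```java
import java.io.IOException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper for the "no credentials" branch of validateRequest. */
public final class LoginChallenge {

    // Key defined by the JSR-196 Servlet Container Profile; the container sets it
    // to "true" only when the requested resource requires authentication.
    static final String IS_MANDATORY =
            "javax.security.auth.message.MessagePolicy.isMandatory";

    private LoginChallenge() { }

    /**
     * @param loginPage context-relative login form path, such as the value of
     *                  getFormLoginPage() in the post ("/login.xhtml" is assumed)
     */
    public static AuthStatus challengeIfRequired(MessageInfo messageInfo, String loginPage)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // A missing entry becomes "null", which parses as false.
        boolean mandatory = Boolean.parseBoolean(
                String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        // Request path relative to the context root.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Unprotected resource, or the login form itself: let the request proceed
        // unauthenticated instead of issuing another redirect.
        if (!mandatory || path.equals(loginPage)) {
            return AuthStatus.SUCCESS;
        }
        try {
            // sendRedirect commits a 302 response; a later setStatus() has no effect.
            response.sendRedirect(request.getContextPath() + loginPage);
        } catch (IOException e) {
            AuthException failure = new AuthException("redirect to login page failed");
            failure.initCause(e);
            throw failure;
        }
        return AuthStatus.SEND_CONTINUE;
    }
}
```

A SAM would call this from validateRequest only after finding no credentials in the request; the credential check itself and the principal callbacks are outside what this helper shows.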