Couldn't this be a requirement to use this form of authentication? The developer would know that this would/could be possible, and could set the action to "/j_security_check?jsessionid=${session.id}" to pass the session information along.
Another idea: Why can't the session id be passed along as a hidden form input? Again, the developer would have to add an <input type="hidden" name="jsessionid" value="${session.id}" /> tag to the login form, but this is trivial. We already have to use specific names for the username and password fields, so why not one more?
I feel like I'm being a little bit snappy, and if I'm coming across that way, I apologize. It just seems like with this project I'm working on, every time I get a "good idea", I run into a "shortcoming" of the tool that I'm using.
Am I totally off base with these thoughts? Is there something flawed with my thinking? *sigh* :^)
-ds
[Message sent by forum member 'digitalseraphim']
http://forums.java.net/jive/thread.jspa?messageID=394636