First of all, I apologize for posting the same question in two different forums, but I am new to JavaRanch and I don't know how it works. Sorry.
I am using Tomcat 3.2.4. The method that I use to go from one page to another is by means of a Controller servlet and a hidden type input named "page" that represents the next page to go to. That parameter is received by the Controller servlet, which converts it to the real URL with: nextPage = getInitParam(request.getParameter("page"));
For example, a web.xml for a simple application where the adminPage.jsp is protected:
<web-app>
  <servlet>
    <servlet-name>Controller</servlet-name>
    <display-name>Controller</display-name>
    <servlet-class>Controller</servlet-class>
    <init-param>
      <param-name>Index</param-name>
      <param-value>index.htm</param-value>
    </init-param>
    <init-param>
      <param-name>AdminPage</param-name>
      <param-value>/admin/adminPage.htm</param-value>
    </init-param>
    <init-param>
      <param-name>UnprotectedPage</param-name>
      <param-value>unprotectedPage.htm</param-value>
    </init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tools-admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ProtectedArea</realm-name>
    <form-login-config>
      <form-login-page>/security/login.jsp</form-login-page>
      <form-error-page>/security/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
To get from the Index page to the admin page, the parameter "page" is equal to "AdminPage". The Controller servlet jumps past the login page and goes to the admin page without authentication. Must I put the servlet in the protected area? I am using a JDBC Realm with three tables for authentication (Login, Roles, Role-Login).
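
Added example, not part of the original post and not the poster's Controller: a web.xml security-constraint is applied to requests that arrive from the client, not to a RequestDispatcher forward made inside the application, so this sketch has the controller check the role itself and redirect the browser to the protected URL when the caller is not yet authenticated. Assumptions: the "/admin/" prefix and the "admin" role are copied from the web.xml above, and the servlet body is illustrative.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the poster's Controller.
public class Controller extends HttpServlet {
    // Assumptions: these mirror <url-pattern>/admin/*</url-pattern> and
    // <role-name>admin</role-name> from the web.xml in the post.
    private static final String PROTECTED_PREFIX = "/admin/";
    private static final String REQUIRED_ROLE = "admin";

    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Only keys declared as <init-param> map to a page; the raw parameter
        // value is never used as a path.
        String key = request.getParameter("page");
        String target = (key == null) ? null : getInitParameter(key);
        if (target == null) {
            // Unknown or missing key: refuse rather than dispatch to null.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (!target.startsWith("/")) {
            // getRequestDispatcher needs a context-relative path with a leading slash.
            target = "/" + target;
        }
        if (target.startsWith(PROTECTED_PREFIX) && !request.isUserInRole(REQUIRED_ROLE)) {
            // A redirect makes the browser issue a new request for the protected
            // URL, which the container checks against the security-constraint
            // and answers with the FORM login page.
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + target));
            return;
        }
        // Unprotected target, or the caller already holds the required role.
        getServletContext().getRequestDispatcher(target).forward(request, response);
    }
}
```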