This post originated from an RSS feed registered with Java Buzz
by Michael Cote.
Original Post: Servlet Authentication and ServletFilters
Feed Title: Cote's Weblog: Coding, Austin, etc.
Feed URL: https://cote.io/feed/
Feed Description: Using Java to get to the ideal state.
How lame is this? The Tomcat folks can't be bothered to allow filters to be triggered for FORM-based authentication (where the action is j_security_check). There's some lame explanation that the Servlet spec is ambiguous about it. Granted, they got Yutaka Yoshida, the Servlet 2.4 lead, to address the issue:
We believe the application component should not be
involved in the container-managed security. Although we understand why people
are using filter to manipulate the authentication mechanism, it doesn't solve
all issues related to the security and must be addressed in a larger scope of
the portable authentication mechanism, which I expect to have in the next
version of the specification.
Sure, bully for the next version. But it's too late for today.
Really, I don't see what the problem is with allowing a filter to be registered for j_security_check. As the other carpers in the bug comments point out, it's an obvious and extremely helpful thing to do.
WebSphere does it, but what do those crazy space-suit programmers know?
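To make concrete the kind of filter people want to register for j_security_check, here is an added example (not from the original post or from Tomcat or WebSphere): a login-attempt audit filter. The class name LoginAuditFilter, the filter name loginAudit and the log format are assumptions; on a container that behaves as the post describes for Tomcat, doFilter is never called for this URL.

```java
// Added example. web.xml fragment that maps the filter to the FORM login action:
//   <filter>
//     <filter-name>loginAudit</filter-name>
//     <filter-class>LoginAuditFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>loginAudit</filter-name>
//     <url-pattern>/j_security_check</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class LoginAuditFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(LoginAuditFilter.class.getName());

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // j_username is the field name the Servlet spec fixes for FORM login.
        // The j_password parameter is deliberately never read or logged here.
        String user = sanitize(http.getParameter("j_username"));
        LOG.info("login attempt user=" + user + " from=" + http.getRemoteAddr());
        // Hand the request on so the container performs the actual credential check.
        chain.doFilter(req, res);
    }

    // Replace control characters so a crafted username cannot forge extra
    // log lines, and cap the length so one request cannot flood the log.
    static String sanitize(String s) {
        if (s == null) {
            return "<none>";
        }
        String cleaned = s.replaceAll("\\p{Cntrl}", "_");
        return cleaned.length() > 64 ? cleaned.substring(0, 64) : cleaned;
    }
}
```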