Rick,

On 3/14/24 15:37, Rick Noel wrote:
> After moving from tomcat 9 to tomcat 10 after a user successfully
> logs in and then hits a restricted page, the login page is hit again
> but on this second login hit I get 404 page not found

This is actually expected, since j_security_check is only supposed to be used when the container (Tomcat) interrupts a user workflow to request authentication.

> How do I set the correct path in my login jsp so that
> j_security_check is found?
>
> BTW I actually am wondering why a successful logged on user would
> even be sent to the log in page again?

That's more of a question for your application than anything else.

> My login page is -> /membership/login.jsp
>
> Here is how I set the path to j_security_check in above login.jsp
>
> <form name="login_form" action='j_security_check' method='POST'>
>
> My restricted web.xml snippet............

Are you doing what I call a "direct login" where you have a "login page" that most users hit first. Like from example.com/app/ where there is no initial request for a protected resource? Or are your users always (1) requesting a protected resource then (2) Tomcat requests authentication then (3) the user is forwarded to the resource originally requested in (1)?

> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>External</web-resource-name>
>     <url-pattern>/external/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>radiovoodoo</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Auth</web-resource-name>
>     <url-pattern>/auth/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>radiovoodoo</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/membership/login.jsp</form-login-page>
>     <form-error-page>/membership/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>

Those <transport-guarantee>NONE</transport-guarantee> lines look weird to me. Why are you explicitly specifying those? What part of your configuration actually requests authentication and authorization?

-chris
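
The question of which part of the posted configuration actually requests authentication can be checked mechanically. The following is an added example, not code from the thread or from Tomcat: a Python sketch that evaluates the quoted constraints for a context-relative path and shows that a direct request to `/membership/login.jsp` matches none of them, so it is not the container-initiated flow described above. The function names and the sample paths `/auth/report.jsp` and `/external/feed` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed input: the thread's two constraints and login-config, compacted and
# wrapped in a namespace-free <web-app> root so they parse as one document.
CONSTRAINT = """<security-constraint>
  <web-resource-collection><url-pattern>{}</url-pattern></web-resource-collection>
  <auth-constraint><role-name>radiovoodoo</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>"""
WEB_XML = "<web-app>" + CONSTRAINT.format("/external/*") + CONSTRAINT.format("/auth/*") + """
<login-config><auth-method>FORM</auth-method><form-login-config>
  <form-login-page>/membership/login.jsp</form-login-page>
</form-login-config></login-config></web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: '/' (default), '/prefix/*', '*.ext', exact path."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def audit(xml_text, path):
    """What the declared constraints mean for a request to `path` (context-relative).
    Simplified: ignores <http-method> and the spec's best-match selection rules."""
    root = ET.fromstring(xml_text)
    roles, transports = set(), set()
    for sc in root.iter("security-constraint"):
        if any(pattern_matches(p.text.strip(), path) for p in sc.iter("url-pattern")):
            roles.update(r.text.strip() for r in sc.iter("role-name"))
            transports.add((sc.findtext(".//transport-guarantee") or "NONE").strip())
    login_page = (root.findtext(".//form-login-page") or "").strip()
    return {
        "container_requests_auth": bool(roles),  # a matching auth-constraint names roles
        "roles": sorted(roles),
        "https_required": bool(transports) and "NONE" not in transports,
        "is_login_page": path == login_page,
    }

if __name__ == "__main__":
    for p in ("/auth/report.jsp", "/external/feed", "/membership/login.jsp"):
        print(p, audit(WEB_XML, p))
```

With `NONE` on both constraints, nothing in this descriptor requires HTTPS for the protected paths or for the login form that submits the credentials.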
