Recently I asked about form-based authentication. I appreciate the help 
several people gave, but from the responses I got it seems that I might 
have miscommunicated somehow. I'm going to try again, this time explaining 
myself better.

I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.
I have a number of JSP pages in the directory /app:

MainMenu.jsp    -- the main menu
SecuredPage.jsp -- a secured page, seen only when authenticated
LoginForm.jsp   -- form for logging in
LoginError.jsp  -- form displayed when there's an error

The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To 
view this page, the user must be authenticated. The authentication is 
form-based.

This is what should (CORRECTLY) happen:

  1) User goes to MainMenu.jsp.
  2) User clicks on link to SecuredPage.jsp.
  3) User is presented with LoginForm.jsp.
  4) User types in username and password.
  5a) Login succeeds and SecuredPage.jsp is shown to user.
  5b) Login fails and LoginError.jsp is shown to user.

HOWEVER, this is the (INCORRECT) sequence of events that I actually get:

  1) -- as before --
  2) -- as before --
  3) -- as before --
  4) -- as before --
  5a) Login succeeds and directory contents are shown to user.
  5b) Login fails and directory contents are shown to user.

Note the same (WRONG) thing happens whether or not the user authenticates 
properly. The directory contents are the list of JSP files that I have in /app.


So ... what's wrong here? It redirects to my login form correctly. It just 
doesn't behave properly when I actually do the login (hit 
"j_security_check" with "j_username" and "j_password"). This is the 
relevant section of my web.xml file:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>LoginTrigger</web-resource-name>
             <description>LoginTrigger</description>
             <url-pattern>/SecuredPage.jsp</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>myuser</role-name>
         </auth-constraint>
     </security-constraint>

     <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
             <form-login-page>LoginForm.jsp</form-login-page>
             <form-error-page>LoginError.jsp</form-error-page>
         </form-login-config>
     </login-config>

     <security-role>
             <role-name>myuser</role-name>
     </security-role>
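
An added example, not part of the original post: a small audit of the FORM-auth parts of a descriptor like the one above, checking two rules of the servlet specification (login and error page paths begin with "/"; listing `<http-method>` elements constrains only those methods) and that each constrained role is declared. The function name `audit_web_xml` is hypothetical, and the sample input is the post's fragment wrapped in a constructed `<web-app>` root without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed input: the descriptor fragment from the post, wrapped in <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginTrigger</web-resource-name>
      <url-pattern>/SecuredPage.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myuser</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>LoginForm.jsp</form-login-page>
      <form-error-page>LoginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>myuser</role-name></security-role>
</web-app>"""

def audit_web_xml(xml_text):
    """Return a list of findings for the FORM-auth parts of a web.xml (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    # Rule 1: login and error page locations must start with '/'.
    for tag in ("form-login-page", "form-error-page"):
        for el in root.iter(tag):
            path = (el.text or "").strip()
            if not path.startswith("/"):
                findings.append(f"{tag} '{path}' lacks the leading '/' the servlet spec requires")
    # Rule 2: an explicit method list leaves every unlisted method unconstrained.
    for coll in root.iter("web-resource-collection"):
        methods = [m.text.strip().upper() for m in coll.findall("http-method")]
        if methods:
            name = coll.findtext("web-resource-name", "?")
            findings.append(f"{name}: only {'/'.join(methods)} constrained; other HTTP methods skip the auth-constraint")
    # Rule 3: every role used in an auth-constraint should be declared.
    for role in root.findall("security-constraint/auth-constraint/role-name"):
        if role.text.strip() not in declared and role.text.strip() != "*":
            findings.append(f"role '{role.text.strip()}' is not declared in <security-role>")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(WEB_XML):
        print("-", finding)
```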


