Recently I asked about form-based authentication. I appreciate the help
several people gave, but from the responses I got it seems that I might
have miscommunicated somehow. I'm going to try again, this time explaining
myself better.
I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.
I have a number of JSP pages in the directory /app:
MainMenu.jsp -- the main menu
SecuredPage.jsp -- a secured page, see only when authenticated
LoginForm.jsp -- form for logging in
LoginError.jsp -- form displayed when there's an error
The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To
view this page, the user must be authenticated. The authentication is
form-based.
This is what should (CORRECTLY) happen:
1) User goes to MainMenu.jsp.
2) User clicks on link to SecuredPage.jsp.
3) User is presented with LoginForm.jsp.
4) User types in username and password.
5a) Login succeeds and SecuredPage.jsp is shown to user.
5b) Login fails and LoginError.jsp is shown to user.
HOWEVER, this is the (INCORRECT) sequence of events that I actually get:
1) -- as before --
2) -- as before --
3) -- as before --
4) -- as before --
5a) Login succeeds and the directory contents are shown to user.
5b) Login fails and the directory contents are shown to user.
Note the same (WRONG) thing happens whether or not the user authenticates
properly. The directory contents are the list of JSP files that I have in /app.
So ... what's wrong here? It redirects to my login form correctly. It just
doesn't behave properly when I actually do the login (hit
"j_security_check" with "j_username" and "j_password"). This is the
relevant section of my web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>LoginTrigger</web-resource-name>
    <description>LoginTrigger</description>
    <url-pattern>/SecuredPage.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myuser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>LoginForm.jsp</form-login-page>
    <form-error-page>LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>myuser</role-name>
</security-role>
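As an added example (not from the original post and not Orion's own code), a small Python lint for the FORM login section of a web.xml: it checks that form-login-page and form-error-page begin with "/" (the Servlet spec defines them as context-relative paths that must start with a leading slash), that every role named in an auth-constraint is declared in a security-role, and that no security-constraint url-pattern covers the login page itself. The embedded web.xml is a constructed sample modelled on the fragment above, wrapped in a web-app root so it parses.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the posted fragment; not a real deployment file.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/SecuredPage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myuser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>LoginForm.jsp</form-login-page>
      <form-error-page>/LoginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>myuser</role-name>
  </security-role>
</web-app>"""


def lint_web_xml(xml_text):
    """Return a list of findings for the FORM login configuration in web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Login and error pages are context-relative and must begin with "/".
    pages = {}
    for tag in ("form-login-page", "form-error-page"):
        for el in root.iter(tag):
            page = (el.text or "").strip()
            pages[tag] = page
            if not page.startswith("/"):
                findings.append(f"{tag} '{page}' must start with '/'")
    # 2. Every role referenced by an auth-constraint must be declared.
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    for r in root.findall("security-constraint/auth-constraint/role-name"):
        if r.text.strip() not in declared:
            findings.append(f"role '{r.text.strip()}' is not declared in <security-role>")
    # 3. A protected url-pattern that also covers a login page makes login unreachable.
    patterns = [p.text.strip() for p in root.iter("url-pattern")]
    for tag, page in pages.items():
        for pat in patterns:
            if pat == page or (pat.endswith("/*") and page.startswith(pat[:-1])):
                findings.append(f"{tag} '{page}' is itself protected by url-pattern '{pat}'")
    return findings
```

Run against the sample, the lint reports only the missing leading slash on form-login-page; widening the url-pattern to /* additionally flags the error page as protected.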