see inline
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gerald Gutierrez
> Sent: Tuesday, February 06, 2001 12:52 AM
> To: Orion-Interest
> Cc: [EMAIL PROTECTED]
> Subject: Form-based authentication not working right
>
>
>
> Recently I asked about form-based authentication. I appreciate the help
> several people gave, but from the responses I got it seems that I might
> have miscommunicated somehow. I'm going to try again, this time explaining
> myself better.
>
> I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.
> I have a number of JSP pages in the directory /app:
>
> MainMenu.jsp -- the main menu
> SecuredPage.jsp -- a secured page, seen only when authenticated
> LoginForm.jsp -- form for logging in
> LoginError.jsp -- form displayed when there's an error
>
> The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To
> view this page, the user must be authenticated. The authentication is
> form-based.
>
> This is what should (CORRECTLY) happen:
>
> 1) User goes to MainMenu.jsp.
> 2) User clicks on link to SecuredPage.jsp.
> 3) User is presented with LoginForm.jsp.
> 4) User types in username and password.
> 5a) Login succeeds and SecuredPage.jsp is shown to user.
> 5b) Login fails and LoginError.jsp is shown to user.
>
> HOWEVER, this is the (INCORRECT) sequence of events that I actually get:
>
> 1) -- as before --
> 2) -- as before --
> 3) -- as before --
> 4) -- as before --
> 5a) Login succeeds and directory contents is shown to user.
> 5b) Login fails and directory contents is shown to user.
>
> Note the same (WRONG) thing happens whether or not the user authenticates
> properly. The directory contents is the list of JSP files that I have in /app.
>
>
> So ... what's wrong here? It redirects to my login form correctly. It just
> doesn't behave properly when I actually do the login (hit
> "j_security_check" with "j_username" and "j_password"). This is the
> relevant section of my web.xml file:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>LoginTrigger</web-resource-name>
> <description>LoginTrigger</description>
> <url-pattern>/SecuredPage.jsp</url-pattern>
According to the servlet spec (chapter 10), this should work as an exact
match. You could, however, try moving SecuredPage.jsp to a directory 'secure'
and use the pattern /secure/*; this is what I use, and it is certainly working
in 1.4.5.
> <http-method>GET</http-method>
> <http-method>POST</http-method>
While experimenting, you could also try leaving out these http-method
definitions, so you fall back to the default, which is all methods. Again,
that is my setup. The rest looks very familiar, so it should work.
> </web-resource-collection>
> <auth-constraint>
> <role-name>myuser</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>LoginForm.jsp</form-login-page>
> <form-error-page>LoginError.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> <security-role>
> <role-name>myuser</role-name>
> </security-role>
>
>
>