gerald, I have a configuration matching yours and it's working;

May I suggest a test?
If you will, add a user called 'jlorandi' and make it part of group
'myuser', and add a user 'dummy' but DON'T make him part of group 'myuser';
then, could you please edit SecuredPage.jsp so it executes these printouts:


System.out.println("User:" + request.getRemoteUser() );
System.out.println("Role OK:" + request.isUserInRole("myuser") );



then browse your app:
open browser, login as 'jlorandi', note results, close browser
open browser, login as 'dummy', note results, close browser
open browser, login INCORRECTLY, note results, close browser


JP
> -----Original Message-----
> From: Gerald Gutierrez [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 05 February 2001 20:52
> To: Orion-Interest
> Cc: [EMAIL PROTECTED]
> Subject: Form-based authentication not working right
> 
> 
> 
> Recently I asked about form-based authentication. I appreciate the help
> several people gave, but from the responses I got it seems that I might
> have miscommunicated somehow. I'm going to try again, this time explaining
> myself better.
> 
> I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.
> I have a number of JSP pages in the directory /app:
> 
> MainMenu.jsp          -- the main menu
> SecuredPage.jsp       -- a secured page, see only when authenticated
> LoginForm.jsp -- form for logging in
> LoginError.jsp        -- form displayed when there's an error
> 
> The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To
> view this page, the user must be authenticated. The authentication is
> form-based.
> 
> This is what should (CORRECTLY) happen:
> 
>   1) User goes to MainMenu.jsp.
>   2) User clicks on link to SecuredPage.jsp.
>   3) User is presented with LoginForm.jsp.
>   4) User types in username and password.
>   5a) Login succeeds and SecuredPage.jsp is shown to user.
>   5b) Login fails and LoginError.jsp is shown to user.
> 
> HOWEVER, this is the (INCORRECT) sequence of events that I actually get:
> 
>   1) -- as before --
>   2) -- as before --
>   3) -- as before --
>   4) -- as before --
>   5a) Login succeeds and directory contents is shown to user.
>   5b) Login fails and directory contents is shown to user.
> 
> Note the same (WRONG) thing happens whether or not the user authenticates
> properly. The directory contents is the list of JSP files that I have in /app.
> 
> 
> So ... what's wrong here? It redirects to my login form correctly. It just
> doesn't behave properly when I actually do the login (hit
> "j_security_check" with "j_username" and "j_password"). This is the
> relevant section of my web.xml file:
> 
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>LoginTrigger</web-resource-name>
>              <description>LoginTrigger</description>
>              <url-pattern>/SecuredPage.jsp</url-pattern>
>              <http-method>GET</http-method>
>              <http-method>POST</http-method>
>          </web-resource-collection>
>          <auth-constraint>
>              <role-name>myuser</role-name>
>          </auth-constraint>
>      </security-constraint>
> 
>      <login-config>
>          <auth-method>FORM</auth-method>
>          <form-login-config>
>              <form-login-page>LoginForm.jsp</form-login-page>
>              <form-error-page>LoginError.jsp</form-error-page>
>          </form-login-config>
>      </login-config>
> 
>      <security-role>
>              <role-name>myuser</role-name>
>      </security-role>
> 
> 
> 
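
An added example, not part of the thread or of Orion: a small Python check that reads a web.xml like the one quoted above and lists what the constraint actually covers (URL pattern, HTTP methods, roles), whether each role in auth-constraint is declared in security-role, and whether the form login paths begin with '/' as the Servlet 2.3 and later descriptor expects. The wrapping `<web-app>` element, the trimmed sample and the name `audit_web_xml` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment quoted in the thread, wrapped in <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginTrigger</web-resource-name>
      <url-pattern>/SecuredPage.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myuser</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>LoginForm.jsp</form-login-page>
      <form-error-page>LoginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>myuser</role-name></security-role>
</web-app>"""

def audit_web_xml(text):
    """Return (coverage, findings) for a web.xml without XML namespaces."""
    root = ET.fromstring(text)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    coverage, findings = [], []
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            for pat in wrc.findall("url-pattern"):
                coverage.append((pat.text.strip(), methods or ["ALL"], roles))
            if methods:  # listed methods limit the constraint to those methods
                findings.append("constraint covers only " + ",".join(methods))
        findings += ["undeclared role " + r for r in roles if r not in declared]
    for tag in ("form-login-page", "form-error-page"):
        for el in root.iter(tag):
            if not el.text.strip().startswith("/"):
                findings.append(f"{tag} '{el.text.strip()}' lacks leading '/'")
    return coverage, findings

if __name__ == "__main__":
    cov, issues = audit_web_xml(WEB_XML)
    for row in cov:
        print("protected:", row)
    for issue in issues:
        print("check:", issue)
```

Run it against the deployed descriptor before the three-login test above, so the printed user and role results can be read against what the constraint is known to cover.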
