Re: [JBoss-user] Jetty and form based authentication
Not if I understand the messages at the forum correctly. You can
configure a role to be granted to unauthenticated users.

Thanks for the input,
Silvester

> But then everyone would have to log in to access any of your pages. If
> you need to know who the user is on all pages (if they're logged in) why
> don't you just, on successful login (ie: there is a non-null Principal
> in the request), stuff it into the httpsession yourself, then access
> that variable from your pages? It gets cleared out on logout (ie:
> session.invalidate()). If you don't have a single servlet controller
> that fronts your app to put the Principal in the session, you could
> instead do it via a javax.servlet.Filter that is configured to intercept
> everything in your servlet context.
>
> Hope this helps,
> David
>
> --
>
> Message quoted by Silvester van der Bijl <[EMAIL PROTECTED]>:
>
>> I just found my answer on the jboss forums. It seems jetty is supposed
>> to return null in getUserPrincipal on unprotected pages.
>>
>> Solution seems to be to create a special guest role which is granted
>> to all visitors by the login module and make every resource
>> protected.
>>
>> Silvester
>>
>> > Hello,
>> >
>> > I'm (still) trying to implement a web application for my school
>> > project. The idea is that everybody is allowed to see e.g. the
>> > default page (news), but only authenticated users can e.g. access
>> > grades.
>> >
>> > So far, no problem.
>> >
>> > The web application builds up a menu based on the roles the user
>> > has. If the user isn't authenticated the menu won't display items
>> > for which the user has no privileges.
>> >
>> > On each page there is a login box with a target of j_security_check.
>> > Here I encountered the first problem. Jetty (and Tomcat) don't
>> > support direct requests to the login page (which I'm doing).
>> >
>> > Browsing through the source code of jetty I found that jetty checks a
>> > session variable called org.mortbay.jetty.URI to see where it
>> > should redirect the request after a successful login (see code below
>> > for snippet from FormAuthenticator).
>> >
>> > If I set this session variable from my pages, all works fine.
>> > Except getUserPrincipal only returns the principal when accessing a
>> > protected resource.
>> >
>> > This is definitely not what I want. I want to be able to tell who is
>> > viewing a page even if no security restrictions apply. Does anyone
>> > know how to change this behavior ?
>> >
>> > Thx in advance.
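
The javax.servlet.Filter idea David describes in the quoted text above could look like the following. This is an added example, not code from the thread or from Jetty or JBoss; the class name and both attribute keys are hypothetical, and it assumes at least one request after login passes through a protected URL so that the container supplies a non-null Principal.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Remembers who logged in so that unprotected pages, where
 * getUserPrincipal() returns null, can still show the user's name and menu.
 * Map it to every URL of the context with a filter-mapping whose
 * url-pattern is /* in web.xml.
 *
 * The cached name is for display only. Access decisions stay with the
 * container's security constraints and the EJB method permissions.
 */
public class PrincipalCacheFilter implements Filter {

    /** Hypothetical session key; not a Jetty or JBoss constant. */
    public static final String SESSION_KEY = "example.cachedUserName";

    /** Hypothetical request key that pages read to learn who is viewing. */
    public static final String REQUEST_KEY = "example.currentUserName";

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            String userName = null;

            Principal principal = request.getUserPrincipal();
            if (principal != null) {
                // Protected resource: the container has authenticated this
                // request, so its answer is authoritative. Store only the
                // name, never anything taken from request parameters.
                userName = principal.getName();
                request.getSession(true).setAttribute(SESSION_KEY, userName);
            } else {
                // Unprotected resource: fall back to what an earlier,
                // authenticated request left in the session. getSession(false)
                // avoids creating sessions for anonymous visitors.
                HttpSession session = request.getSession(false);
                if (session != null) {
                    userName = (String) session.getAttribute(SESSION_KEY);
                }
            }

            if (userName != null) {
                request.setAttribute(REQUEST_KEY, userName);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release. Logout must call session.invalidate(), which
        // also discards the cached name.
    }
}
```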
Re: [JBoss-user] Jetty and form based authentication
I just found my answer on the jboss forums. It seems jetty is supposed
to return null in getUserPrincipal on unprotected pages.

Solution seems to be to create a special guest role which is granted to
all visitors by the login module and make every resource protected.

Silvester

> Hello,
>
> I'm (still) trying to implement a web application for my school project.
> The idea is that everybody is allowed to see e.g. the default page
> (news), but only authenticated users can e.g. access grades.
>
> So far, no problem.
>
> The web application builds up a menu based on the roles the user has. If
> the user isn't authenticated the menu won't display items for which the
> user has no privileges.
>
> On each page there is a login box with a target of j_security_check.
> Here I encountered the first problem. Jetty (and Tomcat) don't support
> direct requests to the login page (which I'm doing).
>
> Browsing through the source code of jetty I found that jetty checks a
> session variable called org.mortbay.jetty.URI to see where it should
> redirect the request after a successful login (see code below for
> snippet from FormAuthenticator).
>
> If I set this session variable from my pages, all works fine. Except
> getUserPrincipal only returns the principal when accessing a protected
> resource.
>
> This is definitely not what I want. I want to be able to tell who is
> viewing a page even if no security restrictions apply. Does anyone know
> how to change this behavior ?
>
> Thx in advance.
>
>
> CODE FROM FormAuthenticator
>
> public UserPrincipal authenticated(UserRealm realm,
>                                    String pathInContext,
>                                    HttpRequest httpRequest,
>                                    HttpResponse httpResponse)
>     throws IOException
> {
>     HttpServletRequest request =(ServletHttpRequest)httpRequest.getWrapper();
>     HttpServletResponse response =(HttpServletResponse) httpResponse.getWrapper();
>
>     // Handle paths
>     String uri = pathInContext;
>
>     // Setup session
>     HttpSession session=request.getSession(true);
>
>     // Handle a request for authentication.
>     if ( uri.substring(uri.lastIndexOf("/")+1).startsWith(__J_SECURITY_CHECK) )
>     {
>         // Check the session object for login info.
>         String username = request.getParameter(__J_USERNAME);
>         String password = request.getParameter(__J_PASSWORD);
>
>         UserPrincipal user = realm.authenticate(username,password,httpRequest);
>         String nuri=(String)session.getAttribute(__J_URI);
>         if (user!=null && nuri!=null)
>         {
>             Code.debug("Form authentication OK for ",username);
>             httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
>             httpRequest.setAuthUser(username);
>             httpRequest.setUserPrincipal(user);
>             session.setAttribute(__J_AUTHENTICATED,user);
>             response.sendRedirect(response.encodeRedirectURL(nuri));
>         }
>         else
>         {
>             Code.debug("Form authentication FAILED for ",username);
>             if (_formErrorPage!=null)
>                 response.sendRedirect(response.encodeRedirectURL
>                                       (URI.addPaths(request.getContextPath(),
>                                                     _formErrorPage)));
>             else
>                 response.sendError(HttpResponse.__403_Forbidden);
>         }
>
>         // Security check is always false, only true after final redirection.
>         return null;
>     }
>
>     // Check if the session is already authenticated.
>     UserPrincipal user = (UserPrincipal) session.getAttribute(__J_AUTHENTICATED);
>     if (user != null)
>     {
>         if (user.isAuthenticated())
>         {
>             Code.debug("FORM Authenticated for ",user.getName());
>             httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
>             httpRequest.setAuthUser(user.getName());
>             httpRequest.setUserPrincipal(user);
>             return user;
>         }
>     }
>
>     // Don't authenticate authform or errorpage
>     if (pathInContext!=null &&
>         pathInContext.equals(_formErrorPage) ||
>         pathInContext.equals(_formLoginPage))
>         return SecurityConstraint.__NOBODY;
>
>     // redirect to login page
>     if (httpRequest.getQuery()!=null)
>         uri+="?"+httpRequest.getQuery();
>     session.setAttribute(__J_URI,
>                          URI.addPaths(request.getContextPath(),uri));
>
>     response.sendRedirect(response.encodeRedirectURL(URI.addPaths(request.getContextPath(),
>                                                                   _formLoginPage)));
>     return null;
> }
Re: [JBoss-user] Form based authentication
Hello,

You're doing exactly what I want to do, only I want to use container
managed security. If I understand you correctly you don't use container
managed security (web.xml) and you verify usernames and password against
e.g. a database yourself ?

The reason why I want to do this, is because the web application is just
one of the applications talking to session beans (all protected or using
roles from a custom login module).

Silvester

> I can share what we do using form-based authentication. We've rolled
> our own authentication mechanism, and have JBoss and Tomcat on different
> servers. This may be what you mean by "login form on each page" - I'm
> not clear. At any rate, at the top of each page, the developer has
>
> <%@ include file="/common/html/authenheader.jsp" %>
>
> and at the bottom is
>
> <%@ include file="/common/html/authentrailer.jsp" %>
>
> The header opens a try block. In there, it checks the session to see if
> the user is logged on. If not, it stores request.getRequestURI in the
> session and redirects to login_form.jsp. In login_hdlr.jsp, if the
> userid and password validate, the session is updated and a redirect to
> the stored target is executed. authentrailer closes the try block and
> handles exceptions.
>
> ----- Original Message -----
> From: "Silvester van der Bijl" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, February 24, 2003 8:22 PM
> Subject: Re: [JBoss-user] Form based authentication
>
>
> David,
>
> Thanks for the suggestion. I do have a login form on each page (that is
> until the user logs in :-) ). I did think of something like you're
> describing, but I just figured there had to be a better way.
>
> I found some more information on that AuthenticationInterceptor, but as
> far as I can figure, you can't tell JBoss/Jetty to use a different
> interceptor for this.
>
> Besides, it seems kind of overkill to write a custom class just to allow
> direct requests to a login page
>
> Any other thoughts ?
>
> Silvester
>
>
>> Silvester,
>>
>> I'll share what I do. I have a single servlet that is a central
>> controller that delegates processing and dispatches requests to jp's
>> (based on pathInfo). However, *I have 2 servlet mappings to it*.
>>
>> /myapp/web/pathInfo - myapp is the context, web is the servlet, pathInfo
>> (and request params) tell me how to process and where to request
>> dispatch to.
>>
>> /myapp/sweb/pathInfo - same as above except sweb (notice the "s") is a
>> different mapping *to the same servlet*, except it also is a web
>> protected resource.
>>
>> I have a dynamic login/logout link on each page (based on principal in
>> request), which simply links back to itself except replacing "web" with
>> "sweb". After the user logs in, he/she ends up visually back to where
>> he/she started, though the path in the url is a bit different.
>>
>> Now, it sounds like you have an actual login form on each of your pages.
>> I've not done that, but I'm guessing you could do the same thing as me,
>> except just pass along the username and password to a dummy login with
>> no display that onLoad (JavaScript) simply submits for you. But 1) that
>> seems hokey, and 2) you would want to make sure you're using SSL
>> otherwise your username and password are plain-text'ing over the net.
>> What do other people do in this circumstance?
>>
>> David
>>
>> --
>>
>> Message quoted by Silvester van der Bijl <[EMAIL PROTECTED]>:
>>
>>> Hi there,
>>>
>>> We've got a web application which on each page displays a login box if
>>> the user isn't authenticated, or otherwise his personal menu, etc...
>>>
>>> The problem is, that after successfully authenticating a user
>>> (j_security_check target), jetty doesn't know where to redirect the
>>> user to since I made a direct request to the login page (sort of).
>>>
>>> Shouldn't there be an additional property for j_security_check, like
>>> j_onsuccess_redirect_to ?
>>>
>>> Does anyone know of a workaround for this problem ? I've read about
>>> using a custom AuthenticationInterceptor, only I can't find where this
>>> interceptor is configured ?
>>>
>>> Please help.
>>> Silvester
[JBoss-user] Jetty and form based authentication
Hello,

I'm (still) trying to implement a web application for my school project.
The idea is that everybody is allowed to see e.g. the default page
(news), but only authenticated users can e.g. access grades.

So far, no problem.

The web application builds up a menu based on the roles the user has. If
the user isn't authenticated the menu won't display items for which the
user has no privileges.

On each page there is a login box with a target of j_security_check.
Here I encountered the first problem. Jetty (and Tomcat) don't support
direct requests to the login page (which I'm doing).

Browsing through the source code of jetty I found that jetty checks a
session variable called org.mortbay.jetty.URI to see where it should
redirect the request after a successful login (see code below for
snippet from FormAuthenticator).

If I set this session variable from my pages, all works fine. Except
getUserPrincipal only returns the principal when accessing a protected
resource.

This is definitely not what I want. I want to be able to tell who is
viewing a page even if no security restrictions apply. Does anyone know
how to change this behavior ?

Thx in advance.


CODE FROM FormAuthenticator

public UserPrincipal authenticated(UserRealm realm,
                                   String pathInContext,
                                   HttpRequest httpRequest,
                                   HttpResponse httpResponse)
    throws IOException
{
    HttpServletRequest request =(ServletHttpRequest)httpRequest.getWrapper();
    HttpServletResponse response =(HttpServletResponse) httpResponse.getWrapper();

    // Handle paths
    String uri = pathInContext;

    // Setup session
    HttpSession session=request.getSession(true);

    // Handle a request for authentication.
    if ( uri.substring(uri.lastIndexOf("/")+1).startsWith(__J_SECURITY_CHECK) )
    {
        // Check the session object for login info.
        String username = request.getParameter(__J_USERNAME);
        String password = request.getParameter(__J_PASSWORD);

        UserPrincipal user = realm.authenticate(username,password,httpRequest);
        String nuri=(String)session.getAttribute(__J_URI);
        if (user!=null && nuri!=null)
        {
            Code.debug("Form authentication OK for ",username);
            httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
            httpRequest.setAuthUser(username);
            httpRequest.setUserPrincipal(user);
            session.setAttribute(__J_AUTHENTICATED,user);
            response.sendRedirect(response.encodeRedirectURL(nuri));
        }
        else
        {
            Code.debug("Form authentication FAILED for ",username);
            if (_formErrorPage!=null)
                response.sendRedirect(response.encodeRedirectURL
                                      (URI.addPaths(request.getContextPath(),
                                                    _formErrorPage)));
            else
                response.sendError(HttpResponse.__403_Forbidden);
        }

        // Security check is always false, only true after final redirection.
        return null;
    }

    // Check if the session is already authenticated.
    UserPrincipal user = (UserPrincipal) session.getAttribute(__J_AUTHENTICATED);
    if (user != null)
    {
        if (user.isAuthenticated())
        {
            Code.debug("FORM Authenticated for ",user.getName());
            httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
            httpRequest.setAuthUser(user.getName());
            httpRequest.setUserPrincipal(user);
            return user;
        }
    }

    // Don't authenticate authform or errorpage
    if (pathInContext!=null &&
        pathInContext.equals(_formErrorPage) ||
        pathInContext.equals(_formLoginPage))
        return SecurityConstraint.__NOBODY;

    // redirect to login page
    if (httpRequest.getQuery()!=null)
        uri+="?"+httpRequest.getQuery();
    session.setAttribute(__J_URI,
                         URI.addPaths(request.getContextPath(),uri));

    response.sendRedirect(response.encodeRedirectURL(URI.addPaths(request.getContextPath(),
                                                                  _formLoginPage)));
    return null;
}
Re: [JBoss-user] Form based authentication
David,

Thanks for the suggestion. I do have a login form on each page (that is
until the user logs in :-) ). I did think of something like you're
describing, but I just figured there had to be a better way.

I found some more information on that AuthenticationInterceptor, but as
far as I can figure, you can't tell JBoss/Jetty to use a different
interceptor for this.

Besides, it seems kind of overkill to write a custom class just to allow
direct requests to a login page

Any other thoughts ?

Silvester

> Silvester,
>
> I'll share what I do. I have a single servlet that is a central
> controller that delegates processing and dispatches requests to jp's
> (based on pathInfo). However, *I have 2 servlet mappings to it*.
>
> /myapp/web/pathInfo - myapp is the context, web is the servlet, pathInfo
> (and request params) tell me how to process and where to request
> dispatch to.
>
> /myapp/sweb/pathInfo - same as above except sweb (notice the "s") is a
> different mapping *to the same servlet*, except it also is a web
> protected resource.
>
> I have a dynamic login/logout link on each page (based on principal in
> request), which simply links back to itself except replacing "web" with
> "sweb". After the user logs in, he/she ends up visually back to where
> he/she started, though the path in the url is a bit different.
>
> Now, it sounds like you have an actual login form on each of your pages.
> I've not done that, but I'm guessing you could do the same thing as me,
> except just pass along the username and password to a dummy login with
> no display that onLoad (JavaScript) simply submits for you. But 1) that
> seems hokey, and 2) you would want to make sure you're using SSL
> otherwise your username and password are plain-text'ing over the net.
> What do other people do in this circumstance?
>
> David
>
> --
>
> Message quoted by Silvester van der Bijl <[EMAIL PROTECTED]>:
>
>> Hi there,
>>
>> We've got a web application which on each page displays a login box if
>> the user isn't authenticated, or otherwise his personal menu, etc...
>>
>> The problem is, that after successfully authenticating a user
>> (j_security_check target), jetty doesn't know where to redirect the
>> user to since I made a direct request to the login page (sort of).
>>
>> Shouldn't there be an additional property for j_security_check, like
>> j_onsuccess_redirect_to ?
>>
>> Does anyone know of a workaround for this problem ? I've read about
>> using a custom AuthenticationInterceptor, only I can't find where this
>> interceptor is configured ?
>>
>> Please help.
>> Silvester
[JBoss-user] Form based authentication
Hi there,

We've got a web application which on each page displays a login box if
the user isn't authenticated, or otherwise his personal menu, etc...

The problem is, that after successfully authenticating a user
(j_security_check target), jetty doesn't know where to redirect the
user to since I made a direct request to the login page (sort of).

Shouldn't there be an additional property for j_security_check, like
j_onsuccess_redirect_to ?

Does anyone know of a workaround for this problem ? I've read about
using a custom AuthenticationInterceptor, only I can't find where this
interceptor is configured ?

Please help.
Silvester
Re: [JBoss-user] Random loss of principal
Version 3.0.4 with tomcat 4.1.12.

Weird though, after keeping JBoss running for a couple of hours the
problem seems to disappear. I'm going to try the 3.0.5 release and see
if I keep getting the same exceptions.

Silvester

On Tue, 2003-01-14 at 06:31, Scott M Stark wrote:
> With what version? Prior to 3.0.4 there were a couple of scenarios under which
> a principal could be lost when a user login had multiple threads active.
>
> Scott Stark
> Chief Technology Officer
> JBoss Group, LLC
>
> ----- Original Message -----
> From: "Silvester van der Bijl" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, January 13, 2003 7:47 PM
> Subject: [JBoss-user] Random loss of principal
>
> > hello all,
> >
> > kind of in trouble down here. For a school project we've written a set
> > of session beans that allow us to store objects. The Beans could store
> > the objects in a database, or in a file, depending on the size.
> >
> > Each object has its own security, meaning that the roles which are
> > authorized to view/delete/etc the object are stored with the object.
> >
> > One of the session beans serves images (yes even those are secured) to
> > servlets, etc.. This all worked fine, until about two hours ago when I
> > added a larger image. The servlet connects to the sessionbean and asks
> > for the imagedata. The sessionbean finds the corresponding image and
> > returns the image, well anyway, that's the idea.
> >
> > The problem is that it seems when asked repeatedly for an image, JBoss
> > loses the principal, resulting in the exception at the bottom of this
> > message.
> >
> > Does anyone know how to solve this problem ? I've even tried increasing
> > the number of processors in tomcat. It looks similar to an error I had
> > when not using the client-login module when connecting to ejb's from
> > e.g. a scheduler class, but since it's a request from a servlet (with an
> > authenticated user), this can't be the case, can it ?
> >
> > Please help.
> >
> > many thanks in advance,
> > Silvester
> >
> > EJBException, causedBy:
> > java.lang.SecurityException: Authentication exception, principal=null
> >     at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
> >     at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
> >     at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
> >     at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
> >     at org.jboss.ejb.Container.invoke(Container.java:730)
> >     at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:517)
> >     at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
> >     at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
> >     at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:77)
> >     at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:80)
> >     at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:198)
> >     at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
> >     at $Proxy29.create(Unknown Source)
> >     at hildap.helpers.ImageList.processRequest(ImageList.java:136)
> >     at hildap.helpers.ImageList.doGet(ImageList.java:89)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
> >     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> >     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> >     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[JBoss-user] Random loss of principal
hello all,

kind of in trouble down here. For a school project we've written a set
of session beans that allow us to store objects. The Beans could store
the objects in a database, or in a file, depending on the size.

Each object has its own security, meaning that the roles which are
authorized to view/delete/etc the object are stored with the object.

One of the session beans serves images (yes even those are secured) to
servlets, etc.. This all worked fine, until about two hours ago when I
added a larger image. The servlet connects to the sessionbean and asks
for the imagedata. The sessionbean finds the corresponding image and
returns the image, well anyway, that's the idea.

The problem is that it seems when asked repeatedly for an image, JBoss
loses the principal, resulting in the exception at the bottom of this
message.

Does anyone know how to solve this problem ? I've even tried increasing
the number of processors in tomcat. It looks similar to an error I had
when not using the client-login module when connecting to ejb's from
e.g. a scheduler class, but since it's a request from a servlet (with an
authenticated user), this can't be the case, can it ?

Please help.

many thanks in advance,
Silvester

EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=null
    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
    at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
    at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
    at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
    at org.jboss.ejb.Container.invoke(Container.java:730)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:517)
    at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
    at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
    at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:77)
    at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:80)
    at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:198)
    at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
    at $Proxy29.create(Unknown Source)
    at hildap.helpers.ImageList.processRequest(ImageList.java:136)
    at hildap.helpers.ImageList.doGet(ImageList.java:89)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:469)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)