Re: [JBoss-user] Re: update on automatic login
I think what Tomcat does after a post to j_security_check is look inside the user session (private to the container - org.apache.catalina.Session) for an attribute containing the original page that the user was trying to access. If it cannot find it, it throws an error 400. What you can do is have a custom 400 error page that redirects to somewhere.

For details see org.apache.catalina.authenticator.FormAuthenticator, where Constants.FORM_ACTION = j_security_check.

    // Redirect the user to the original request URI (which will cause
    // the original request to be restored)
    requestURI = savedRequestURL(session);
    if (debug >= 1)
        log("Redirecting to original '" + requestURI + "'");
    if (requestURI == null)
        hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                       sm.getString("authenticator.formlogin"));
    else
        hres.sendRedirect(hres.encodeRedirectURL(requestURI));
    return (false);

And HttpServletResponse.SC_BAD_REQUEST = 400.

Hope it helps
Simone

----- Original Message -----
From: Ken Yee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 05, 2003 5:43 PM
Subject: [JBoss-user] Re: update on automatic login

FYI, if you access your form based login page (mine is called login.jsp) directly from a browser, you can submit it and Tomcat/JBoss complains that "Invalid direct reference to form login page" but the user is still logged in (I can access a restricted URL w/o a login prompt), so it looks like that post to login page from automatic login servlet workaround will work, but it may be depending on a bug in Tomcat/JBoss...

ken

___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] Re: update on automatic login
Neal Sanche [EMAIL PROTECTED] writes:

> Well, I've not actually tried using a servlet to do a POST to the login page.
> In my old company, an applet was doing the POST, and the

I've done posts from applets to upload files before too...just didn't think this would work for automatic login because I thought it'd do something weird under the hood.

FYI, it does work in testing of a restricted URL to a servlet. The user and roles get loaded properly from JBoss. The only oddity is that I get a 400 error response from Tomcat when doing this. I think it sets some session variable to tag the login so it knows where to send the user after the login completes because there is no such value stored as a query or form variable.

Time to test a restricted EJB method to see if it really logged into JBoss (the servlet test only tests login to Tomcat)...

ken
Re: [JBoss-user] Re: update on automatic login
Simone Milani [EMAIL PROTECTED] writes:

> I think what Tomcat does after a post to j_security_check is look inside the
> user session (private to the container - org.apache.catalina.Session) for an
> attribute containing the original page that the user was trying to access.
> If it cannot find it, it throws an error 400. What you can do is have a custom
> 400 error page that redirects to somewhere.

Thanks. After reviewing the code in FormAuthenticator.java, I can safely say authentication does take place before it checks this info. Since I'm simulating the call to the login page inside my autologin servlet, this is ok and I can safely ignore the error. I just have to add a querystring parameter to my autologin servlet to jump to the proper page after it finishes authenticating.

I also have to come up w/ a pseudo-standard username/roles session variable names since these values aren't filled in when you access an unprotected part of your web site. Please let me know if you folks know of any standard naming convention besides just putting in variables named UserName and Roles in the session :-)

ken
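A query-string parameter that names the page to jump to after authentication is normally restricted to paths inside the application before it reaches sendRedirect(), so a crafted link cannot send a freshly logged-in user to another site. The following is an added example, not code from this thread or from Tomcat/JBoss; the parameter name `next`, the fallback page `/index.jsp` and the sample inputs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: validates a hypothetical "next" parameter for an autologin servlet.
public class PostLoginRedirect {
    static final String FALLBACK = "/index.jsp"; // hypothetical default landing page

    // Returns a context-relative target that is safe to hand to sendRedirect(),
    // or FALLBACK when the requested target could leave the application.
    static String safeTarget(String next) {
        if (next == null || next.isEmpty()) return FALLBACK;
        // Reject control characters (response splitting) and backslashes, which
        // some browsers treat as '/', turning "/\host" into "//host".
        for (char c : next.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == '\\') return FALLBACK;
        }
        // Must be an absolute path; "//host/..." is a scheme-relative URL.
        if (!next.startsWith("/") || next.startsWith("//")) return FALLBACK;
        URI uri;
        try {
            uri = new URI(next).normalize();
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        // Defense in depth: the prefix checks above should already exclude these.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) return FALLBACK;
        String path = uri.getRawPath();
        // A ".." segment that survives normalize() climbs above the root.
        if (path == null || path.equals("/..") || path.startsWith("/../")) return FALLBACK;
        // Never bounce back into the login machinery itself.
        if (path.endsWith("/j_security_check") || path.endsWith("/login.jsp")) return FALLBACK;
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; only the first one is returned unchanged.
        String[] constructed = {
            "/reports/view.jsp?id=7", "http://other.example/", "//other.example/x",
            "/\\other.example", "/a/../../admin", "/j_security_check", null
        };
        for (String s : constructed) {
            System.out.println(s + " -> " + safeTarget(s));
        }
    }
}
```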
Re: [JBoss-user] Re: update on automatic login
Well, I've not actually tried using a servlet to do a POST to the login page. In my old company, an applet was doing the POST, and the rest came down to clever cookie manipulation. Best of luck with it.

-Neal

On Wednesday 05 March 2003 12:43 pm, Ken Yee wrote:
> FYI, if you access your form based login page (mine is called login.jsp)
> directly from a browser, you can submit it and Tomcat/JBoss complains that
> "Invalid direct reference to form login page" but the user is still logged in
> (I can access a restricted URL w/o a login prompt), so it looks like that post
> to login page from automatic login servlet workaround will work, but it may be
> depending on a bug in Tomcat/JBoss...
>
> ken