Bug in FormAuthenticator? Revised
Revision of original post... ooops.. I got something backwards...

    private String savedRequestURL(Session session) {
        // ...snip
        if (saved == null) {
            // where config.getDefaultPage returns a page URL to
            // go to if the Login page was requested directly
            // (no request was saved). I suppose this would be set
            // the same way the LoginPage URL was specified
            return config.getDefaultPage();
        }
        // ...snip
    }
403 error-page N/W : I guess it's just me
Is it just me? Does anybody have tomcat working with a custom 403 page? If not, this seems like a big problem.

Any help greatly appreciated... This is really screwing up my login flow.

Thanks...
...Casey

From Sunday's post...

I'm trying to get tomcat to use my 403 forbidden error page. I've had no luck with it so far. My 404 page works fine. I have this problem even if I turn off IE friendly error messages.

Using tomcat 4.0b7, JDBCRealm (against mySQL), running on Linux.

from web.xml :

    <error-page>
        <error-code>404</error-code>
        <location>/security/status/notfound.jsp</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/security/status/forbidden.jsp</location>
    </error-page>

from localhost_access_log :

(Here's where I hit a forbidden page)...

    192.168.1.100 - - [26/Aug/2001:13:14:13 -0600] POST /security/j_security_check HTTP/1.1 302 -
    192.168.1.100 - guest [26/Aug/2001:13:14:13 -0600] GET /secured/index.jsp HTTP/1.1 403 -

(Here's where I hit a page that doesn't exist)...

    192.168.1.100 - guest [26/Aug/2001:13:14:30 -0600] GET /asdasdas HTTP/1.1 200 1561

from catalina.out

    XmlMapper: new null org.apache.catalina.deploy.ErrorPage error-page ErrorPage[errorCode=0, location=null]
    XmlMapper: org.apache.catalina.deploy.ErrorPage.setErrorCode( 403)
    XmlMapper: org.apache.catalina.deploy.ErrorPage.setLocation( /security/status/forbidden.jsp)
    XmlMapper: Calling org.apache.catalina.core.StandardContext.addErrorPage ErrorPage[errorCode=403, location=/security/status/forbidden.jsp]
    XmlMapper: pop error-page org.apache.catalina.deploy.ErrorPage: ErrorPage[errorCode=403, location=/security/status/forbidden.jsp]
How to force authentication from JSP?
Is there a way to force a user to be authenticated as 'Guest' for example?

Running Tomcat 4.0b7.. JDBCRealm...

Is it possible for a JSP (not through javascript) to do something along the following lines :

    <jsp:forward page="j_security_check">
        <jsp:param name="j_username" value="<%=p_username%>" />
        <jsp:param name="j_password" value="<%=p_password%>" />
    </jsp:forward>

The above doesn't work... 404 error.. which seems logical since j_security_check isn't really a page.

What I really need this for is where I have a 'Create new user account' page. Once the account is created I should have already logged the user in for convenience.

I know this has been asked before, but I couldn't find the answer in the archives.

Thanks so much for your help!
...Casey
Follow Up: 403 error-page N/W
I found one more detail... My 403 error page works if the 403 is caused by a filter, but it doesn't work if caused by JDBCRealm.

Consider the file /secured/junk.html - which is protected by a security constraint which is Form based and tied to JDBCRealm (I'm sure that's bad wording... I hope you get the idea...)

- if I login as a user with the correct role to access /secured/junk.html, but I force my filter to cause a 403 for that file, my 403 error page is displayed correctly.
- if I login as a user WITHOUT the correct role to access /secured/junk.html, my custom 403 error page is NOT accessed.
- if I login as a user WITHOUT the correct role to access /secured/junk.html, and I force my filter to cause a 403 for that file, my custom 403 error page is still NOT accessed.

Hopefully I've given some good clues now...

Thanks..
...Casey

-----Original Message-----
From: Bragg, Casey [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 8:56 PM
To: [EMAIL PROTECTED]
Subject: 403 error-page N/W : I guess it's just me

Is it just me? Does anybody have tomcat working with a custom 403 page? If not, this seems like a big problem.

Any help greatly appreciated... This is really screwing up my login flow.

Thanks...
...Casey

From Sunday's post...

I'm trying to get tomcat to use my 403 forbidden error page. I've had no luck with it so far. My 404 page works fine. I have this problem even if I turn off IE friendly error messages.

Using tomcat 4.0b7, JDBCRealm (against mySQL), running on Linux.

from web.xml :

    <error-page>
        <error-code>404</error-code>
        <location>/security/status/notfound.jsp</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/security/status/forbidden.jsp</location>
    </error-page>

from localhost_access_log :

(Here's where I hit a forbidden page)...

    192.168.1.100 - - [26/Aug/2001:13:14:13 -0600] POST /security/j_security_check HTTP/1.1 302 -
    192.168.1.100 - guest [26/Aug/2001:13:14:13 -0600] GET /secured/index.jsp HTTP/1.1 403 -

(Here's where I hit a page that doesn't exist)...

    192.168.1.100 - guest [26/Aug/2001:13:14:30 -0600] GET /asdasdas HTTP/1.1 200 1561

from catalina.out

    XmlMapper: new null org.apache.catalina.deploy.ErrorPage error-page ErrorPage[errorCode=0, location=null]
    XmlMapper: org.apache.catalina.deploy.ErrorPage.setErrorCode( 403)
    XmlMapper: org.apache.catalina.deploy.ErrorPage.setLocation( /security/status/forbidden.jsp)
    XmlMapper: Calling org.apache.catalina.core.StandardContext.addErrorPage ErrorPage[errorCode=403, location=/security/status/forbidden.jsp]
    XmlMapper: pop error-page org.apache.catalina.deploy.ErrorPage: ErrorPage[errorCode=403, location=/security/status/forbidden.jsp]
Suggested change to JNDIRealm
I've written a modification of org.apache.catalina.realm.JNDIRealm.getRoles to allow for the following :

If the realm descriptor's roleBase (in server.xml) is null or blank, JNDIRealm will retrieve the assigned roles list from the attribute owned by the user's DN which is specified in roleName.

That's hard to read. Here is an example.

Given an authenticated user with DN uid=FreakyWill,ou=mycompany

Given that the node uid=FreakyWill,ou=mycompany contains the following attributes

    memberof=beerusers
    memberof=freakyusers

Given the following Realm descriptor entries :

    roleBase=""
    roleName="memberof"

JNDIRealm.getRoles will return the roles beerusers and freakyusers by simply retrieving the userDN's memberof attribute.

If roleBase is populated (not null + length > 0), JNDI will maintain its prior functionality to retrieve roles.

Any comments? My LDAP implementation requires this functionality. Should I submit this code to the tomcat project somehow?

Thanks...
...Casey

==
Casey Bragg - Software Engineer
Allegiance Telecom, Inc. Dallas, TX
469-259-2702 - [EMAIL PROTECTED]
==
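
The role lookup proposed in the post above, sketched as an added example (not the poster's patch and not Tomcat's JNDIRealm code). The class and method names are hypothetical, and a constructed in-memory Attributes object stands in for the LDAP entry uid=FreakyWill,ou=mycompany so it runs without a directory server.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

// Hypothetical illustration class; names are assumptions, not Tomcat identifiers.
public class UserAttributeRoles {
    // True when roleBase is null or blank: roles are read from the user's own entry.
    static boolean rolesFromUserEntry(String roleBase) {
        return roleBase == null || roleBase.trim().isEmpty();
    }

    // Collects every value of the roleName attribute on the user's entry.
    // Against a live directory the entry would come from
    // DirContext.getAttributes(userDN, new String[] { roleName }).
    static List<String> rolesFromAttributes(Attributes userEntry, String roleName) throws NamingException {
        List<String> roles = new ArrayList<>();
        Attribute attr = userEntry.get(roleName);
        if (attr == null) {
            return roles; // attribute absent: no roles granted, so access is denied
        }
        NamingEnumeration<?> values = attr.getAll();
        while (values.hasMore()) {
            Object v = values.next();
            // Skip binary or blank values rather than turning them into role names.
            if (v instanceof String && !((String) v).trim().isEmpty()) {
                roles.add(((String) v).trim());
            }
        }
        values.close();
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample entry; "true" ignores attribute-name case, as LDAP does.
        Attributes entry = new BasicAttributes(true);
        Attribute memberOf = new BasicAttribute("memberof");
        memberOf.add("beerusers");
        memberOf.add("freakyusers");
        entry.put(memberOf);
        String roleBase = "";          // blank, as in the post's Realm descriptor
        String roleName = "memberof";
        // A populated roleBase would instead take the realm's existing role search.
        if (rolesFromUserEntry(roleBase)) {
            System.out.println(rolesFromAttributes(entry, roleName));
        }
    }
}
```

Because this scheme takes roles straight from the user's own entry, the directory's access controls must prevent users from writing their own memberof attribute; otherwise a user could assign themselves roles.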