Re: j_security_check sessions

2005-08-01 Thread Frank W. Zammetti
AFAIK, no, there is no way to do it.  Here at work we've built a whole
security framework that works hand-in-hand with J2EE security,
specifically to deal with shortcomings just like this.

In our framework, we have a filter that has a couple of functions, and one
of them is exactly what you describe.  Since j_security_check is nothing
but a servlet that a request is redirected to when intercepted, you still
have the opportunity to have a filter fire, so you can grab j_username and
j_password if you wish and stick them in session (assuming it is created
already... you may have set things up to not have a session at that
point).

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Mon, August 1, 2005 9:04 am, Chris Holden said:
 Hi, I am using the built in security constraints to password protect some
 directories in my app. It works fine, but I was wondering when someone
 uses the login form to get to the passworded directory or page, is it
 possible to get the username and/or password that the user submits in the
 j_security_check form? I'd like to be able to set a cookie or session
 variable with the person's username in after they log in so the next time
 they come back to the site they see a personalised greeting kind of thing.

 I've tried printing out all request attributes/parameters, session
 variables and cookies after and before login but apart from the sessionid
 there isn't anything set.

 Does anyone know how to do what I want?


 Cheers,

 Chris.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
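One way to get the personalised greeting asked about above without handling j_password at all, as an added example that is not code from this thread or from Tomcat: a filter mapped to the protected URL patterns reads the name the container has already authenticated via request.getRemoteUser(). The class, attribute and cookie names are hypothetical, and setHttpOnly assumes a Servlet 3.0+ container.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example. Map this filter in web.xml to the same url-patterns as the
 * security-constraint, so it only runs on requests the container has let through.
 */
public class GreetingNameFilter implements Filter {

    // Hypothetical names, chosen for this example only.
    static final String SESSION_ATTR = "greetingName";
    static final String COOKIE_NAME = "greeting_name";
    static final int COOKIE_MAX_AGE_SECONDS = 30 * 24 * 3600;

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Null until the container's FORM login has succeeded for this session.
        String user = request.getRemoteUser();
        HttpSession session = request.getSession(false);

        if (user != null && session != null
                && session.getAttribute(SESSION_ATTR) == null) {
            // First authenticated request in this session: remember the name.
            session.setAttribute(SESSION_ATTR, user);

            // The cookie carries display text only. It is client-controlled,
            // so it must never be used to decide who the user is or what they
            // may do, and it must be HTML-escaped wherever it is rendered.
            Cookie cookie = new Cookie(COOKIE_NAME, URLEncoder.encode(user, "UTF-8"));
            cookie.setPath(request.getContextPath() + "/");
            cookie.setMaxAge(COOKIE_MAX_AGE_SECONDS);
            cookie.setHttpOnly(true);               // Servlet 3.0+
            cookie.setSecure(request.isSecure());   // keep it on HTTPS if the login was
            response.addCookie(cookie);             // added before the response is committed
        }

        chain.doFilter(req, res);
    }
}
```

The password never reaches application code this way, and nothing credential-like ends up in the session or in a cookie.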



Re: j_security_check/ Realm question

2004-11-17 Thread Tim Funk
See section SRV.12.3 Programmatic Security of the Servlet spec for the role 
link question.

As for the welcome page - the spec wasn't meant to handle cases like this. 
The container protects resources. Once you try to access a protected resource 
- you must authenticate. Then you are passed to the protected resource, not 
to a different page.

-Tim
[EMAIL PROTECTED] wrote:
Hi,
I have a question for web application developers.
I have already applied JDBCRealm but I'm confused between the
security-constraints in the web.xml and the realm,
because in web.xml we also declare the security roles, and also in the
database table, so if we have say 5-10 different kinds of users do we need
to declare them in web.xml and also to create them in the database?
My second question is: after the application authentication type FORM my
action is =j_security_check; however, I want to direct the user to
some welcome JSP after successful login. Where do I need to mention
that?

your help is appreciated 
thanks 
regards 



RE: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread David Legg
Hi Adoni,

No... you are not alone.  I've been there too!

My half hearted solution was to simply display a message on the login page
asking them not to bookmark it.  I think the proper solution would be to
allow developers to specify a 'default' url along with the login and error
urls.  This page could then be displayed instead of the error page when
there is no saved target url.

You will probably also come across another non-obvious problem to do with
form-based security.  When people use download accelerators like 'GetRight'
etc these programs attempt to download a given url.  Unfortunately if the
item they are trying to download falls under your protected region Tomcat
will present them with the login page instead of the resource they were
after.  This will happen even if you have successfully logged in because as
far as Tomcat is concerned the request came from a new and as yet not logged
in session.

Regards,

David Legg
Web Analyst - 3Dlabs




Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Graham Reeds
Just a noob firing off into the dark...

Couldn't you have a small piece of code that checks for the session and if
they are bringing up the login page directly (ie no session info) then take
them to the index.

I'm going to get this on my site too so I will be interested in a solution.

G.





Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Adam Hardy
On 11/19/2003 01:08 PM Graham Reeds wrote:
> Just a noob firing off into the dark...
>
> Couldn't you have a small piece of code that checks for the session and if
> they are bringing up the login page directly (ie no session info) then take
> them to the index.

No, 'fraid not, your app never gets to see requests to j_security_check 
- it's handled by tomcat beforehand.

Adam
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Christopher Schultz
Adam,

> On 11/19/2003 01:08 PM Graham Reeds wrote:
>
>> Just a noob firing off into the dark...
>>
>> Couldn't you have a small piece of code that checks for the session and if
>> they are bringing up the login page directly (ie no session info) then take
>> them to the index.
>
> No, 'fraid not, your app never gets to see requests to j_security_check
> - it's handled by tomcat beforehand.

Right, and the user never sees this URL. They're talking about 
intercepting the request for the login *page*, not the j_security_check 
request.

-chris



Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Andoni
Actually one of my first attempts at a solution was this in reverse.  I was
saying if there is a session take them on in to the main menu page.

This does not work either though as if there was no session and they had
only called this page (say from a bookmark) they were still stuck.

The reason your way does not work is given by another response.

Andoni.

- Original Message -
From: Graham Reeds [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 12:08 PM
Subject: Re: j_security_check - Bookmarking the login page. A teaser!


 Just a noob firing off into the dark...

 Couldn't you have a small piece of code that checks for the session and if
 they are bringing up the login page directly (ie no session info) then take
 them to the index.

 I'm going to get this on my site too so I will be interested in a solution.

 G.





Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Jon Wingfield
The bookmarking of the login page is a well known issue. However, 
without dumping CMS there seems to be little to do but resort to a few 
hacks ;(

Our hack pt1:
Add to the top of the login page a redirect to a sensible entry point 
for the app:
<% if (request.getSession(false).isNew())
response.sendRedirect("/index.jsp"); %>

Our hack pt2:
Add an error page that catches the 'illegal direct reference to login 
page' (or whatever it is). Use this error page to redirect to a sensible 
entry point to the app.
eg:
<% Object badUri = request.getAttribute("javax.servlet.error.request_uri");
   Object errorCode =
request.getAttribute("javax.servlet.error.status_code");
   if ("/j_security_check".equalsIgnoreCase(badUri.toString()) &&
"400".equals(errorCode.toString())) {
   response.sendRedirect("/index.jsp");
   return;
   }
%>

Pt 2 also catches things like a user sitting on the login page until the 
session times out.

HTH,

Jon



David Legg wrote:

Hi Adoni,

No... you are not alone.  I've been there too!

My half hearted solution was to simply display a message on the login page
asking them not to bookmark it.  I think the proper solution would be to
allow developers to specify a 'default' url along with the login and error
urls.  This page could then be displayed instead of the error page when
there is no saved target url.
You will probably also come across another non-obvious problem to do with
form-based security.  When people use download accelerators like 'GetRight'
etc these programs attempt to download a given url.  Unfortunately if the
item they are trying to download falls under your protected region Tomcat
will present them with the login page instead of the resource they were
after.  This will happen even if you have successfully logged in because as
far as Tomcat is concerned the request came from a new and as yet not logged
in session.
Regards,

David Legg
Web Analyst - 3Dlabs


RE: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Derek Mahar
Andoni:

Which version of Tomcat do you use?  On Tomcat 5.0.14, if you access a
protected page, the web browser displays the login page, but in the
address field, the browser continues to list the protected page address.
If you bookmark the page, your browser stores the address of the
protected page, not the login page.

As a consequence of the browser preserving the protected page address,
but displaying the login page, the browser continues to display links
and images relative to the protected page's URL.  As the protected page
may be located in any protected path, your login page may not properly
display images or import stylesheets located in other unprotected areas,
including those in the same directory as the login page.  In order to
guarantee that the login page refers correctly to these unprotected
objects, the login page must refer to them using addresses relative to
the application context (in the address
http://www.mytomcatsite.net/myapp, myapp is the context).  For
example, you could use the JSTL c:url tag to set the context address
(URL) and refer to objects relative to this address:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Calculate URLs relative to application context. --%>
<c:url var="contextUrl" value="/"/>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<link rel="stylesheet" href="${contextUrl}Style/General.css"
type="text/css">
</head>
<body>

<a href="${contextUrl}View/index.jsp">
  <img src="${contextUrl}Image/menu_r1_c1.gif"
width="80"
height="80"/>
</a>

</body>
</html>

Unless you specify an absolute address, both JSTL tags c:url and
c:redirect form addresses relative to the application context.  These
come in handy in your login page.

Derek

-Original Message-
From: Andoni [mailto:[EMAIL PROTECTED] 
Sent: November 19, 2003 5:14 AM
To: Tomcat Users List
Subject: j_security_check - Bookmarking the login page. A teaser!


Hello,

I have recently switched my site to using form-based logins.

I found as soon as I started testing that there is a fundamental problem
with this approach.  When the user gets sent via a click to a protected
page they get the login screen.  The only problem arises when a user
bookmarks the login screen.  If they bookmark the login screen then use
this bookmark to bring it up, when they enter their details Tomcat
doesn't know where to bring them next and hence gives them an error
message.

I can use Apache rewriting or aliasing if you think either of these will
help solve the problem.

Any suggestions?  Surely this problem has been encountered by everyone
who has ever implemented form-based login, or do they just not?

Thanks,

Andoni




Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Andoni
Hi,

I have implemented this and on first sight it seems to work perfectly.  Can
you please just confirm my understanding of it though so I am sure I know
what I am doing:

1. The error page part need never really come in to play.
2. A user calls the login page and it basically is using the session's isNew
method to decide whether this is a session just newly created from a
bookmark or a session that was in existence before the login page was
displayed as would be the case with one that had been created in whichever
page had called index.jsp.

Thanks,
Andoni.

- Original Message -
From: Jon Wingfield [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 2:54 PM
Subject: Re: j_security_check - Bookmarking the login page. A teaser!


 The bookmarking of the login page is a well known issue. However,
 without dumping CMS there seems to be little to do but resort to a few
 hacks ;(

 Our hack pt1:
 Add to the top of the login page a redirect to a sensible entry point
 for the app:
 <% if (request.getSession(false).isNew())
 response.sendRedirect("/index.jsp"); %>

 Our hack pt2:
 Add an error page that catches the 'illegal direct reference to login
 page' (or whatever it is). Use this error page to redirect to a sensible
 entry point to the app.
 eg:
 <% Object badUri =
 request.getAttribute("javax.servlet.error.request_uri");
 Object errorCode =
 request.getAttribute("javax.servlet.error.status_code");
 if ("/j_security_check".equalsIgnoreCase(badUri.toString()) &&
  "400".equals(errorCode.toString())) {
 response.sendRedirect("/index.jsp");
 return;
 }
 %>

 Pt 2 also catches things like a user sitting on the login page until the
 session times out.

 HTH,

 Jon





Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Adam Hardy
On 11/19/2003 02:57 PM Christopher Schultz wrote:
>> No, 'fraid not, your app never gets to see requests to
>> j_security_check - it's handled by tomcat beforehand.
>
> Right, and the user never sees this URL. They're talking about
> intercepting the request for the login *page*, not the j_security_check
> request.

Oh right. Sorry. Was suffering an attack of abject stupidity.

Adam
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: j_security_check - Bookmarking the login page. A teaser!

2003-11-19 Thread Jon Wingfield
Yup. The error page only rarely comes into play (and is unrelated to the 
bookmarking issue). I've just tried it again to make sure I wasn't going 
mad:
If you try to access a restricted page you get punted to the login page.
If you then don't login until after the just created session times out 
you get a 400 error on j_security_check. The error page catches this and 
redirects back to the login page.
Not the nicest user experience but better (arguably) than an error page.

Jon

Andoni wrote:
Hi,

I have implemented this and on first sight it seems to work perfectly.  Can
you please just confirm my understanding of it though so I am sure I know
what I am doing:
1. The error page part need never really come in to play.
2. A user calls the login page and it basically is using the session's isNew
method to decide whether this is a session just newly created from a
bookmark or a session that was in existence before the login page was
displayed as would be the case with one that had been created in whichever
page had called index.jsp.
Thanks,
Andoni.
- Original Message -
From: Jon Wingfield [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 2:54 PM
Subject: Re: j_security_check - Bookmarking the login page. A teaser!


The bookmarking of the login page is a well known issue. However,
without dumping CMS there seems to be little to do but resort to a few
hacks ;(
Our hack pt1:
Add to the top of the login page a redirect to a sensible entry point
for the app:
<% if (request.getSession(false).isNew())
response.sendRedirect("/index.jsp"); %>
Our hack pt2:
Add an error page that catches the 'illegal direct reference to login
page' (or whatever it is). Use this error page to redirect to a sensible
entry point to the app.
eg:
<% Object badUri =
request.getAttribute("javax.servlet.error.request_uri");

   Object errorCode =
request.getAttribute("javax.servlet.error.status_code");
   if ("/j_security_check".equalsIgnoreCase(badUri.toString()) &&
"400".equals(errorCode.toString())) {
   response.sendRedirect("/index.jsp");
   return;
   }
%>
Pt 2 also catches things like a user sitting on the login page until the
session times out.
HTH,

Jon




Re: j_security_check

2003-11-15 Thread Mark S. Morrison
Andoni,

I checked my login form and the only difference I observed was in the 
FORM tag:

<form method="POST" action='<%= response.encodeURL("j_security_check") %>'
name="loginForm">

Beyond this as a possible cause, we would need to check/review your 
context definitions relating to the REALM Tag, and your security 
constraints defined in web.xml. I am using a JDBCRealm, but in regards 
to the actual authentication I do not believe that there is any 
functional difference.

Hope this helps.

Mark

Andoni wrote:

Hello,

I am trying to implement a JNDIRealm with form-based security.

When I look at the output from my RequestDumperValve I see that the call to j_security_check is like: /jsp/j_security_check which is understandable as it is just on its own in the form tag thus:

<form method="post" action="j_security_check" name="loginform">
<input type="hidden" name="j_username">
<input type="hidden" name="j_password">
</form>
Is there something I should put before it which none of the documentation refers to?

I am getting a 403 Access denied.

Thanks in advance,
Andoni.
 

--
Mark S. Morrison mailto:[EMAIL PROTECTED]
*Justice Information Systems*
*Engineering Vice President*
35 Robinson Lane
Newnan, Georgia, 30263
Office: 678-423-1835
Cell: 404-435-9301
Fax: 678-423-3938   International Police Association http://www.ipa-usa.org
/Servo Per Amikeco/
Life Member
Membership Number 21020
US Section
Region 46




Re: j_security_check

2003-11-14 Thread Christopher Schultz
Andoni,

> I am trying to implement a JNDIRealm with form-based security.
>
> When I look at the output from my RequestDumperValve I see that the
> call to j_security_check is like: /jsp/j_security_check which is
> understandable as it is just on its own in the form tag thus:

Do you have the security-constraint elements in your web.xml file and
the login-form, etc. already? The container may complain if you do not
have that stuff and try to use j_security_check.
Your URL looks okay, btw.

-chris



Re: j_security_check gets a 404 error

2003-09-04 Thread Louise Pryor

On Thursday, September 4, 2003 at 6:36:38 AM, Bill Barker wrote:

BB You need to add j_security_check to the URIs that get passed to Tomcat.  I
BB don't use Jk2 myself, but if your version is recent enough, I believe that
BB you can even use:
BB    /*/j_security_check ajp13

Thanks. I have eventually got this sorted out.   My problems were due
to not really understanding how things worked, and not getting my
local setup close enough to the setup on my host.

The final solution:  set the target of the login form to
/servlet/j_security_check.

Apache maps /servlet/* to Tomcat (at least it does now I've changed
the setup, and it always did on my host).

The request is then picked up by the SecurityFilter,  which looks for
j_security_check on the end of the request. Bingo!

This solution has not involved changing the URLs that are passed to
Tomcat, which was one of the aims.  And hasn't involved anything fancy
in the webapp either, which is another plus.


BB If I'm wrong (and that doesn't work), simply put the full path to
BB j_security_check.

BB Louise Pryor [EMAIL PROTECTED] wrote in message
BB news:[EMAIL PROTECTED]
 Hi

 I'm having a problem using form-based authentication. It all works
 fine with standalone Tomcat, but goes pear shaped on Apache with
 Tomcat. It seems to be the same problem that is described in
 http://www.mail-archive.com/[EMAIL PROTECTED]/msg43091.html
 (but I think it's more a Tomcat thing than a struts thing).

 Basically, I'm using the securityfilter filter from
 http://www.securityfilter.org/. I have a login.jsp that submits a form
 to j_security_check in the usual way. The only trouble is that Apache
 comes back with an Apache 404 on /path-to-login.jsp/j_security_check.  It is
 clearly not passing j_security_check through to Tomcat to handle.

 The URL at the top of this message suggests passing all requests
 through to Tomcat (at least I think that's what it means - it uses
 mod_jk, and I'm using mod_jk2, which I'm not totally expert at
 anyway). First, that doesn't seem to work for me, and second, although
 I could configure things that way on my local setup it's not a
 realistic option for deployment, where I'm on a shared server.

 The support guy at my hosting service suggested making the target of
 the form /servlet/j_security_check, which at least gets it through to
 Tomcat --- which then gives me a 404. Obviously this is right, because
 I have no servlet mapping that would pick it up.

 So is there a way of defining a servlet mapping (or indeed any other
 element in web.xml) that would push things through to the right place?

 Alternatively is there any way of doing this programmatically? Could I
 send the form into a servlet which could then forward or redirect to
 j_security_check directly, without going through Apache? If so, how?

 Thanks for any help on this.

 -- 
 Louise Pryor
 http://www.louisepryor.com








-- 
Louise Pryor
http://www.louisepryor.com






Re: j_security_check gets a 404 error

2003-09-03 Thread Bill Barker
You need to add j_security_check to the URIs that get passed to Tomcat.  I
don't use Jk2 myself, but if your version is recent enough, I believe that
you can even use:
   /*/j_security_check ajp13

If I'm wrong (and that doesn't work), simply put the full path to
j_security_check.

Louise Pryor [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi

 I'm having a problem using form-based authentication. It all works
 fine with standalone Tomcat, but goes pear shaped on Apache with
 Tomcat. It seems to be the same problem that is described in
 http://www.mail-archive.com/[EMAIL PROTECTED]/msg43091.html
 (but I think it's more a Tomcat thing than a struts thing).

 Basically, I'm using the securityfilter filter from
 http://www.securityfilter.org/. I have a login.jsp that submits a form
 to j_security_check in the usual way. The only trouble is that Apache
 comes back with an Apache 404 on /path-to-login.jsp/j_security_check.  It is
 clearly not passing j_security_check through to Tomcat to handle.

 The URL at the top of this message suggests passing all requests
 through to Tomcat (at least I think that's what it means - it uses
 mod_jk, and I'm using mod_jk2, which I'm not totally expert at
 anyway). First, that doesn't seem to work for me, and second, although
 I could configure things that way on my local setup it's not a
 realistic option for deployment, where I'm on a shared server.

 The support guy at my hosting service suggested making the target of
 the form /servlet/j_security_check, which at least gets it through to
 Tomcat --- which then gives me a 404. Obviously this is right, because
 I have no servlet mapping that would pick it up.

 So is there a way of defining a servlet mapping (or indeed any other
 element in web.xml) that would push things through to the right place?

 Alternatively is there any way of doing this programmatically? Could I
 send the form into a servlet which could then forward or redirect to
 j_security_check directly, without going through Apache? If so, how?

 Thanks for any help on this.

 -- 
 Louise Pryor
 http://www.louisepryor.com







RE: j_security_check problem

2003-01-30 Thread Raible, Matt
The problem is that your initial request is to the same page as your
form-login-page.  The initial request should be to a protected resource,
then the user will be prompted for the login page, and then upon successful
authentication - they will be routed to the initial request.

I usually have an index.jsp that routes the user to a secured resource, and
then I use the following in web.xml to ensure that they don't get the error
below:

<error-page>
    <error-code>400</error-code>
    <location>/index.jsp</location>
</error-page>

The problem is that typically folks will see login.jsp as the first page in
the app, and will bookmark it.  I wish tomcat didn't display login.jsp, but
rather the initial requested URL - then users wouldn't get the wrong
bookmark.  To get around this, I see two options:

1.  Use index.jsp as a true welcome page, with a link to the secured
resource.
2.  Put a message on the login screen that says do not bookmark this page.

I've opted for Number 2, and since all my users are IE, I have a link that
adds a bookmark for them using Javascript.

HTH,

Matt

 -Original Message-
 From: Your Name [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, January 30, 2003 7:32 AM
 To: [EMAIL PROTECTED]
 Subject: j_security_check problem
 
 
 
 We are running Tomcat 4.1... and are trying to get xreporter to run. We
 have installed everything and when we go to test the login it gives us
 this error (which is a http 400 error)..
 
 type: Status report
 
 message: Invalid direct reference to form login page
 
 description: The request sent by the client was syntactically incorrect
 (Invalid direct reference to form login page).
 
 I have looked around and people are suggesting that it is a tomcat
 config problem. The form submits to j_security_check.
 
 Has anyone run into this problem and does anyone know how to fix the
 problem. Any help would be great.
 
 Thanks Ahead of time,
 Fred
 

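The 400 error-page mapping above and the "hack pt2" error page from the bookmarking thread can share one handler. The servlet below is an added example, not code from either post: it would be the `<location>` target of the 400 mapping, and it redirects only when the failed request was the login submit. The class name and the `/index.jsp` entry point are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: handler for <error-code>400</error-code>. It sends a stale or
 * bookmarked form login back through a protected entry point, and leaves every
 * other 400 as an error.
 */
public class LoginErrorServlet extends HttpServlet {

    // Hypothetical entry point inside the protected area of the webapp.
    private static final String ENTRY_POINT = "/index.jsp";
    private static final String LOGIN_ACTION = "/j_security_check";

    /** True when the container reported a 400 for a request to j_security_check. */
    static boolean isStaleLogin(Object statusCode, Object requestUri) {
        // Both attributes are absent when this servlet is requested directly.
        if (!(statusCode instanceof Integer) || !(requestUri instanceof String)) {
            return false;
        }
        String uri = (String) requestUri;
        int semi = uri.indexOf(';');            // drop a ;jsessionid=... path parameter
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }
        // endsWith, because the URI includes the context path and the
        // directory of the login page (for example /myapp/jsp/j_security_check).
        return ((Integer) statusCode).intValue() == HttpServletResponse.SC_BAD_REQUEST
                && uri.endsWith(LOGIN_ACTION);
    }

    // service() rather than doGet(): the error dispatch keeps the original
    // request's method, and the failed login submit is a POST.
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Object status = request.getAttribute("javax.servlet.error.status_code");
        Object uri = request.getAttribute("javax.servlet.error.request_uri");

        if (isStaleLogin(status, uri)) {
            // Fixed, context-relative target. Nothing from the request is
            // copied into the Location header, so this cannot be turned into
            // an open redirect. The container then runs the normal login flow.
            String target = request.getContextPath() + ENTRY_POINT;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }

        // Any other bad request stays a 400 instead of being hidden by a redirect.
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        response.setContentType("text/plain");
        response.getWriter().println("Bad request");
    }
}
```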



RE: j_security_check weirdness

2002-10-09 Thread gautam

Ok. Another Me Too. But does somebody have a solution ? What is happening
here ?

Regards,

Gautam Satpathy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 10:18 PM
To: [EMAIL PROTECTED]
Subject: RE: j_security_check weirdness


I have.

Bao-Ha Dam Bui
[EMAIL PROTECTED]
St. Jude Medical, Inc
651.765.1018



*
This communication may contain information that is proprietary, privileged,
confidential or legally exempt from disclosure.  If you are not a named
addressee, you are notified that you are not authorized to read, print,
retain, copy or disseminate this communication without the consent of the
sender and that doing so may be unlawful. If you have received this
communication in error, please notify the sender via return e-mail and
delete it from your computer. Thank you. St. Jude Medical, Inc.
*






RE: j_security_check weirdness

2002-09-26 Thread BBui

I have.

Bao-Ha Dam Bui
[EMAIL PROTECTED]
St. Jude Medical, Inc
651.765.1018
 





Re: j_security_check weirdness

2002-09-26 Thread Vincent Stoessel

Cool, was there a solution that you discovered?

[EMAIL PROTECTED] wrote:
 I have.
 
 Bao-Ha Dam Bui
 [EMAIL PROTECTED]
 St. Jude Medical, Inc
 651.765.1018
  
 
 
 


-- 
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com





Re: j_security_check and logout

2002-07-09 Thread Craig R. McClanahan



On Tue, 9 Jul 2002, Paul Phillips wrote:

 Date: Tue, 09 Jul 2002 10:40:13 -0500
 From: Paul Phillips [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: j_security_check and logout

 Hello, all --

 I have a small application consisting of servlets and jsp pages.  I use
 form based authentication via j_security_check to login.

 I have a strange problem know how to solve.

 I have implemented a simple logout procedure whereby the logout servlet
 invalidates the session, and then transfers to a final thanks.jsp page that
 just says thanks...   So far, so good.  However, I wanted to try and do
 something about the back button issue, so, on the main.jsp page that calls
 the logout, I wrote this bit of javascript:

 <a href="greeting?event=LOGOUT"
 onclick="javascript:window.location.replace(this.href);
 event.returnValue=false;">logout</a>

 Ok, this seems to work fine.  After logout, if the user is sitting on the
 thanks.jsp page, and presses the back button, it skips back to the initial
 login.jsp page (ignoring the main.jsp page that used to be in between).

 Good..

 However!  If I try and use the login.jsp page at that point, I get this
 error from tomcat:

 Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form
 login page

 So, it seems at that point that the login page doesn't know where I want to
 go, and bombs.  The place where I do want to go is greeting?event=WELCOME,
 but j_security_check has no way of knowing that, because it didn't come in
 through the URL.  Since we came back to login.jsp via the back button, it
 isn't there.

 Any ideas on how to solve this?


You should never reference the URL of the login page directly.  Instead,
if you want to make them log back in, you should simply redirect them to
some page within the protected area (perhaps the main menu).  The usual
login dialog will happen.


 Thanks
 Paul Phillips


Craig






Re: j_security_check and logout

2002-07-09 Thread Paul Phillips

As Craig wrote below:

 You should never reference the URL of the login page directly.  Instead,
 if you want to make them log back in, you should simply redirect them to
 some page within the protected area (perhaps the main menu).  The usual
 login dialog will happen.

I am not referencing the URL of the login page directly.  (At least I'm 
trying not to! :))
That is the problem.  The direct reference is a byproduct of the user 
pressing the back button when the regular intervening pages have been 
erased from history using javascript.

I still can't figure out a way around this...

Any ideas are appreciated...

Paul Phillips

--On Tuesday, July 9, 2002 10:50 AM -0700 Craig R. McClanahan 
[EMAIL PROTECTED] wrote:



 On Tue, 9 Jul 2002, Paul Phillips wrote:

 Date: Tue, 09 Jul 2002 10:40:13 -0500
 From: Paul Phillips [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: j_security_check and logout

 Hello, all --

 I have a small application consisting of servlets and jsp pages.  I use
 form based authentication via j_security_check to login.

 I have a strange problem know how to solve.

 I have implemented a simple logout procedure whereby the logout servlet
 invalidates the session, and then transfers to a final thanks.jsp page
 that just says thanks...   So far, so good.  However, I wanted to try
 and do something about the back button issue, so, on the main.jsp page
 that calls the logout, I wrote this bit of javascript:

 <a href="greeting?event=LOGOUT"
 onclick="javascript:window.location.replace(this.href);
 event.returnValue=false;">logout</a>

 Ok, this seems to work fine.  After logout, if the user is sitting on the
 thanks.jsp page, and presses the back button, it skips back to the
 initial login.jsp page (ignoring the main.jsp page that used to be in
 between).

 Good..

 However!  If I try and use the login.jsp page at that point, I get this
 error from tomcat:

 Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form
 login page

 So, it seems at that point that the login page doesn't know where I want
 to go, and bombs.  The place where I do want to go is
 greeting?event=WELCOME, but j_security_check has no way of knowing that,
 because it didn't come in through the URL.  Since we came back to
 login.jsp via the back button, it isn't there.

 Any ideas on how to solve this?


 You should never reference the URL of the login page directly.  Instead,
 if you want to make them log back in, you should simply redirect them to
 some page within the protected area (perhaps the main menu).  The usual
 login dialog will happen.


 Thanks
 Paul Phillips


 Craig






RE: j_security_check question: RequestDispatcher .forward!! PLZ HELP!

2002-07-08 Thread Kevin Andryc

I was wondering if anyone had an answer to this or should I e-mail the
Developers group? I found this snippet on the web and tried what they
suggested and it still doesn't work:

[begin quote]

One approach that will work in Tomcat 4.0 (because it was planned that way in
the servlet 2.3 spec) is based on the following reasoning:

* Security constraints are imposed only on the original request URI,
  not when doing RequestDispatcher.include or RequestDispatcher.forward

* Therefore, we can prohibit direct access to servlets (or JSP pages) by
  protecting them with a security constraint that disallowed access.

* In 2.3, if you define a security constraint that has an auth-constraint
  element with no nested role-name elements, the container interprets
  this to mean that absolutely no direct access to the protected URIs
  is allowed via requests -- they can only be accessed indirectly via
  a RequestDispatcher.

* You can simulate this behavior in 2.2 by using a security constraint with
  a role-name to which no users have been assigned.

Doing this forces all requests to come through your controller servlet, because
none of the JSP pages would be directly accessible.

[end quote]

Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]
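
The constraint that the quoted snippet describes, written out as a Servlet 2.3 web.xml fragment. This is an added example, not part of the original post or of Tomcat's own files. The /pages/* and /login/* paths are assumptions; /servlet/*, the role names and the realm name are taken from the web.xml posted in this thread.

```xml
<!-- Added example: fragment of a Servlet 2.3 web.xml, placed inside <web-app>
     after the servlet and servlet-mapping elements. -->

<!-- 1. Controller servlets: reachable only by authenticated users
        holding one of the listed roles. -->
<security-constraint>
  <display-name>Controller servlets</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <!-- No http-method elements here, so the constraint covers every
         HTTP method. Listing methods protects only the listed ones. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. View JSPs: no direct access at all. -->
<security-constraint>
  <display-name>No direct access to views</display-name>
  <web-resource-collection>
    <web-resource-name>View pages</web-resource-name>
    <!-- Assumed path: the JSPs that the controller servlets forward to. -->
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <!-- An auth-constraint with no role-name elements means that no request
       whose URI matches the pattern is allowed, whoever is logged in.
       Constraints are checked on the original request URI only, so a
       RequestDispatcher forward or include issued by a servlet under
       /servlet/* still reaches these pages.
       Servlet 2.2 has no such rule; there the snippet's workaround is a
       role-name to which no users are assigned. -->
  <auth-constraint/>
</security-constraint>

<!-- 3. Form login. The login and error pages sit under /login/*, which
        neither constraint above covers, so the container can always show
        them (Tomcat 3.x needs this; Tomcat 4 special-cases the login page). -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Roles referenced by the auth-constraint in section 1. -->
<security-role>
  <role-name>user</role-name>
</security-role>
<security-role>
  <role-name>tomcat</role-name>
</security-role>
```

With this layout the user requests a URL under /servlet/*, never the login page itself, and the container decides when to present /login/login.jsp.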



-Original Message-
From: Kevin Andryc [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 04, 2002 05:31 PM
To: Tomcat Users List
Subject: RE: j_security_check question: RequestDispatcher .forward!! PLZ
HELP!

I am currently using Tomcat 4.0.4. My problem is that when I use the
RequestDispatcher and forward the request to the index.jsp page, it does not
work. Instead I get the login page. If you look at ProtectedPage.java, you
can see I forward the request to the index.jsp page. If it worked correctly,
I would type in (http://localhost:8080/dev/servlet/ProtectedPage) and a
login prompt would appear (login.jsp). Once I successfully logged in, I
should then go to my servlet (ProtectedPage), which should show index.jsp.
Instead, I get the login.jsp form when I successfully log in. When I changed
the ProtectedPage.java code so that it doesn't use the RequestDispatcher and
instead used a PrintWriter, it works fine. My question is, why can I not use
the RequestDispatcher??

Thanks for your help :).

Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]



-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 04, 2002 05:25 PM
To: Tomcat Users List
Subject: Re: j_security_check question: RequestDispatcher .forward!! PLZ
HELP!


On Thu, 4 Jul 2002, Kevin Andryc wrote:

 Date: Thu, 04 Jul 2002 15:46:04 -0400
 From: Kevin Andryc [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: j_security_check question: RequestDispatcher .forward!! PLZ HELP!

 OK,
 So I found that I can access my servlet if I don't use the
 RequestDispatcher .forward method. In other words, when I try and access my
 page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get a login
 JSP form that I specified. When I login successfully, the login page
 reappears when, in my ProtectedPage servlet, I use the RequestDispatcher
 .forward method instead of using a PrintWriter to send back the response.
 Why can I not use the RequestDispatcher, if I can, how???


If you are using Tomcat 3.x, you'll have a problem with your example code
below, because you've got the form login page inside your protected area.
That works fine in Tomcat 4, however.  In Tomcat 3, move your login page
to some directory that is *not* protected by a security constraint.

What is not obvious from your question is what it is, exactly, that you
are asking.  You seem to claim that you cannot use a request dispatcher,
but your code is doing exactly that.  So what is the problem?

Craig


 Below is some code.

 Web.xml
 <security-constraint>
   <display-name>Example Security Constraint</display-name>
   <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/servlet/*</url-pattern>
      <url-pattern>/jsp/security/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
   </web-resource-collection>
   <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>user</role-name>
      <role-name>tomcat</role-name>
   </auth-constraint>
 </security-constraint>

 <!-- Default login configuration uses form-based authentication -->
 <login-config>
   <auth-method>FORM</auth-method>
   <realm-name>Example Form-Based Authentication Area</realm-name>
   form-login

RE: j_security_check question

2002-07-03 Thread Kevin Andryc

OK, so here is where I am at. I have such that, when a user tries to access
a servlet (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) they get
forwarded to a Login JSP page specified by my web.xml. Here is the problem,
when the user tries to login the Login form appears again, yet the URL is
shown as http://localhost:8080/dev/servlet/ProtectedPage. Why doesn't my
ProtectedPage servlet appear? I am really stuck. Below is my web.xml file:

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <!-- Define the context-relative URL(s) to be protected -->
     <url-pattern>/servlet/*</url-pattern>
     <url-pattern>/jsp/security/*</url-pattern>
     <!-- If you list http methods, only those methods are protected -->
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
     <!-- Anyone with one of the listed roles may access this area -->
     <role-name>user</role-name>
     <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/jsp/security/login.jsp</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]



RE: j_security_check question: RequestDispatcher .forward!!

2002-07-03 Thread Kevin Andryc

OK,
So I found that I can access my servlet if I don't use the
RequestDispatcher .forward method. In other words, when I try and access my
page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get a login
JSP form that I specified. When I login successfully, the login page
reappears when, in my ProtectedPage servlet, I use the RequestDispatcher
.forward method instead of using a PrintWriter to send back the response.
Why can I not use the RequestDispatcher, if I can, how???

Below is some code.

Web.xml
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <!-- Define the context-relative URL(s) to be protected -->
     <url-pattern>/servlet/*</url-pattern>
     <url-pattern>/jsp/security/*</url-pattern>
     <!-- If you list http methods, only those methods are protected -->
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
     <!-- Anyone with one of the listed roles may access this area -->
     <role-name>user</role-name>
     <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/jsp/security/login.jsp</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>

ProtectedPage.java
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProtectedPage extends HttpServlet {

    // Default constructor
    public ProtectedPage() {
        super();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    // Forwards every GET and POST to index.jsp under /jsp/security/
    public void performTask(HttpServletRequest request, HttpServletResponse response) {
        try {
            String jspPage = "index.jsp";
            RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
            rd.forward(request, response);
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
}

index.jsp
<html>
<head>
<title>Protected Page for Examples</title>
</head>
<body bgcolor="white">

You are logged in as remote user <b><%= request.getRemoteUser() %></b>
in session <b><%= session.getId() %></b><br><br>

<%
  if (request.getUserPrincipal() != null) {
%>
    Your user principal name is
    <b><%= request.getUserPrincipal().getName() %></b><br><br>
<%
  } else {
%>
    No user principal could be identified.<br><br>
<%
  }
%>

<%-- Note: "role" is a request parameter and is echoed below without HTML escaping --%>
<%
  String role = request.getParameter("role");
  if (role == null)
    role = "";
  if (role.length() > 0) {
    if (request.isUserInRole(role)) {
%>
      You have been granted role <b><%= role %></b><br><br>
<%
    } else {
%>
      You have <i>not</i> been granted role <b><%= role %></b><br><br>
<%
    }
  }
%>
</body>
</html>

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]




RE: j_security_check question

2002-07-03 Thread John Gregg

Hmmm.  Your auth constraint protects the login.jsp itself.  Try changing
that so the login.jsp is not protected.  Maybe you have a chicken and egg
problem.

john






RE: j_security_check question

2002-07-03 Thread Craig R. McClanahan



On Wed, 3 Jul 2002, John Gregg wrote:

 Date: Wed, 3 Jul 2002 12:59:57 -0500
 From: John Gregg [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED],
  [EMAIL PROTECTED]
 To: 'Tomcat Users List' [EMAIL PROTECTED]
 Subject: RE: j_security_check question

 Hmmm.  Your auth constraint protects the login.jsp itself.  Try changing
 that so the login.jsp is not protected.  Maybe you have a chicken and egg
 problem.


IIRC, this is definitely an issue in Tomcat 3.3.  Tomcat 4 has a bunch of
special case checks so that the login page will be displayed anyway, even
if it is in the protected area.  Otherwise, you could never use a security
constraint with a URL pattern like /* that protected the entire webapp.

 john


Craig







RE: j_security_check problem (two applications)

2002-07-03 Thread Brzezicki, Jerzy

Just a comment to my previous posting.
It looks like what I wanted was SingleSignOn feature inside Tomcat4.0.
After I uncommented it in server.xml I am not getting the sign on form again
when switching to another application.

Jerzy

-Original Message-
From: Brzezicki, Jerzy [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 5:38 PM
To: '[EMAIL PROTECTED]'
Subject: j_security_check problem (two applications)

Hi,

 

I have two applications within the same Tomcat 4 container. 

I want to configure FORM type of authentication so user needs to login only
once.

I configured JDBCRealm that worked ok with BASIC type of authentication.

What I mean by ok was that while switching from one application to another
the login request was not displayed for second time.

Now I created FORM type of authentication just as HOWTO says. However every
time I switch from one application to another the user needs to login for
second time.

Do you know how to avoid this ?

 

Thanks,

Jerzy






RE: j_security_check question

2002-07-02 Thread BBui

Does it load the login form for you?


-Original Message-
From: Kevin Andryc [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 11:45 AM
To: Tomcat Users List
Subject: j_security_check question

I am using a servlet as a login form that uses  j_security_check. When
submitted I would like it to return back to the same servlet with the person
now authenticated except that it gives me the error:

Type Status report
message Invalid direct reference to form login page
description The request sent by the client was syntactically incorrect
(Invalid direct reference to form login page).

Here is my web.xml file:

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <!-- Define the context-relative URL(s) to be protected -->
     <url-pattern>/servlet/*</url-pattern>
     <!-- If you list http methods, only those methods are protected -->
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
     <!-- Anyone with one of the listed roles may access this area -->
     <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/servlet/CustomLogin</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>

I have searched through the archives and it appears no one responded. Anyone
have a solution?

Sincerely,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]








RE: j_security_check question

2002-07-02 Thread Kevin Andryc

When I type in the URL:

http://localhost:8080/dev/servlet/CustomLogin

The form loads with the respective username and password fields. But
when I submit the form to be authenticated, that is when the error appears.

Sincerely,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]







RE: j_security_check question

2002-07-02 Thread John Gregg

Is CustomLogin a resource at a protected URL, or is it a servlet that itself
spits out a login page?  You can't access j_security_check directly.
Instead, you need to access a protected URL, the container sees that you're
not logged-in and redirects you to the login form, you submit the login
form, and finally the container sends you to the original resource you
requested.

john





RE: j_security_check question

2002-07-02 Thread Kevin Andryc

CustomLogin.class is a resource at a protected URL which also contains the
login form. So here is how it works (or how I would like it to work). I have
a CustomLogin class:

CustomLogin.class (located in /dev/WEB-INF/classes/)
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CustomLogin extends HttpServlet {

    public CustomLogin() {
        super();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    // Forwards every GET and POST to login.jsp under /jsp/security/
    public void performTask(HttpServletRequest request, HttpServletResponse response) {
        try {
            String jspPage = "login.jsp";
            RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
            rd.forward(request, response);
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
}

login.jsp (located in /dev/jsp/security/)

<html>
<head>
<title>Login Page for Examples</title>
</head>
<body bgcolor="white">
<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
  <table border="0" cellspacing="5">
    <tr>
      <th align="right">Username:</th>
      <td align="left"><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <th align="right">Password:</th>
      <td align="left"><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td align="right"><input type="submit" value="Log In"></td>
      <td align="left"><input type="reset"></td>
    </tr>
  </table>
</form>
</body>
</html>

web.xml

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <!-- Define the context-relative URL(s) to be protected -->
     <url-pattern>/servlet/*</url-pattern>
     <!-- If you list http methods, only those methods are protected -->
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
     <!-- Anyone with one of the listed roles may access this area -->
     <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/servlet/CustomLogin</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>

The user will type in the URL:
http://localhost:8080/dev/servlet/CustomLogin. The login form does appear.
But once I enter the login information (username and password) the "Invalid
direct reference to form login page" appears. What I want is to have the
user type in http://localhost:8080/dev/servlet/CustomLogin and login. If
they are successful, then it should then direct them to the CustomLogin
servlet so I can get the user information and customize the page according
to who is logged in. I hope this makes sense. I just can't seem to get it to
work or how to make it work.

Thanks,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]



-Original Message-
From: John Gregg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 02:25 PM
To: 'Tomcat Users List'
Subject: RE: j_security_check question

Is CustomLogin a resource at a protected URL, or is it a servlet that itself
spits out a login page?  You can't access j_security_check directly.
Instead, you need to access a protected URL, the container sees that you're
not logged-in and redirects you to the login form, you submit the login
form, and finally the container sends you to the original resource you
requested.

john

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Andryc
Sent: Tuesday, July 02, 2002 12:09 PM
To: Tomcat Users List
Subject: RE: j_security_check question


When I type in the URL:

http://localhost:8080/dev/servlet/CustomLogin

The form loads with the respective username and password fields. But
when I submit the form to be authenticated, that is when the error appears.

Sincerely,
Kevin






RE: j_security_check question

2002-07-02 Thread John Gregg

No can do-ski.  The container needs to know where to send the user upon
successful authentication, but if your application presents a form to a user
that gets submitted to j_security_check, the Tomcat authentication stuff
won't know where to send the user when the operation completes.  Your
web.xml and login.jsp look ok.  You just don't want your application to
serve a page that goes to j_security_check directly.  Instead, Tomcat
decides automagically when you need to login.  It then inserts itself into
the application flow by remembering where the user was trying to go, sending
the login page that you specify, then redirecting (or forwarding?) the user
to that place upon successful login.  Before using container-managed
security I was so used to creating AND SERVING my own login pages that it
took a while to wrap my brain around the fact that I no longer had to do
stuff like "if (req.getSession(false) == null) then send login page".
Just code your servlet to do what you want and let Tomcat worry about
when/if to present the login page.  The URL you'll access will be the
servlet or jsp that kicks off your business logic, not the login logic.

john


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Andryc
Sent: Tuesday, July 02, 2002 1:40 PM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: j_security_check question


CustomLogin.class is a resource at a protected URL which also contains the
login form. So here is how it works (or how I would like it to work). I have
a CustomLogin class:

CustomLogin.class (located in /dev/WEB-INF/classes/)

import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CustomLogin extends HttpServlet {
    public CustomLogin() {
        super();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    // Forward every GET or POST to the login JSP.
    public void performTask(HttpServletRequest request, HttpServletResponse response) {
        try {
            String jspPage = "login.jsp";
            RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
            rd.forward(request, response);
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
}

login.jsp (located in /dev/jsp/security/)

<html>
<head>
<title>Login Page for Examples</title>
</head>
<body bgcolor="white">
<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
  <table border="0" cellspacing="5">
    <tr>
      <th align="right">Username:</th>
      <td align="left"><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <th align="right">Password:</th>
      <td align="left"><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td align="right"><input type="submit" value="Log In"></td>
      <td align="left"><input type="reset"></td>
    </tr>
  </table>
</form>
</body>
</html>

web.xml

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <!-- Define the context-relative URL(s) to be protected -->
     <url-pattern>/servlet/*</url-pattern>
     <!-- If you list http methods, only those methods are protected -->
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
     <!-- Anyone with one of the listed roles may access this area -->
     <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/servlet/CustomLogin</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>

The user will type in the URL:
http://localhost:8080/dev/servlet/CustomLogin. The login form does appear.
But once I enter the login information (username and password) the "Invalid
direct reference to form login page" appears. What I want is to have the
user type in http://localhost:8080/dev/servlet/CustomLogin and log in. If
they are successful, then it should direct them to the CustomLogin
servlet so I can get the user information and customize the page according
to who is logged in. I hope this makes sense. I just can't seem to get it to
work or how to make it work.

Thanks,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]
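
One way to do what John describes above, as an added example that is not from the original thread: a business servlet mapped under the protected /servlet/* pattern that reads the identity the container established, so the application never touches j_username or j_password. The class name WelcomeServlet and the escapeHtml helper are hypothetical; the role name "user" is the one in the web.xml above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical business servlet, mapped somewhere under the protected /servlet/* pattern. */
public class WelcomeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The container runs the FORM login before this method is ever called,
        // so the authenticated identity is already attached to the request.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Only reachable if this URL is not covered by a security-constraint
            // (for example after a mapping change): fail closed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String user = principal.getName();                  // same value as request.getRemoteUser()
        boolean hasUserRole = request.isUserInRole("user"); // role-name from web.xml

        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        // The login name is user-controlled input: encode it before echoing it.
        out.println("<h1>Welcome, " + escapeHtml(user) + "</h1>");
        if (hasUserRole) {
            out.println("<p>You hold the \"user\" role.</p>");
        }
        out.println("</body></html>");
    }

    /** Minimal HTML encoder for text placed in element content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

With this in place the form-login-page can point at a plain login page, and users bookmark the servlet URL rather than the login page.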






RE: j_security_check problem (two applications)

2002-07-02 Thread BBui

Do you have single-sign-on set up?



-Original Message-
From: Brzezicki, Jerzy [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: j_security_check problem (two applications)

Hi,

 

I have two applications within the same Tomcat 4 container. 

I want to configure FORM type of authentication so user needs to login only
once.

I configured JDBCRealm that worked ok with BASIC type of authentication.

What I mean by ok was that while switching from one application to another
the login request was not displayed for second time.

Now I created FORM type of authentication just as HOWTO says. However every
time I switch from one application to another the user needs to login for
second time.

Do you know how to avoid this ?

 

Thanks,

Jerzy




RE: j_security_check problem (two applications)

2002-07-02 Thread Brzezicki, Jerzy

Thanks for response.

I have login.jsp defined in both applications.
That is the login.jsp has the same content but there are two files:

/usr/local/tomcat/webapps/first_app/login.jsp
and
/usr/local/tomcat/webapps/second_app/login.jsp

In both deployment descriptors 
/usr/local/tomcat/webapps/first_app/WEB-INF/web.xml
and
/usr/local/tomcat/webapps/second_app/WEB-INF/web.xml

I have identical entries:
<!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>
        /login.jsp
      </form-login-page>
      <form-error-page>
        /error.jsp
      </form-error-page>
    </form-login-config>
  </login-config>

I guess it may be part of the problem that there are actually two (although
identical) files login.jsp.
However when I tried to use just one:

second_app:
  <form-login-page>
    ../first_app/login.jsp
  </form-login-page>

first_app:
  <form-login-page>
    /login.jsp
  </form-login-page>

I was getting 400 and 404 errors.


Thanks for help.
Jerzy


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: j_security_check problem (two applications)

Do you have single-sign-on set up?



-Original Message-
From: Brzezicki, Jerzy [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: j_security_check problem (two applications)

Hi,

 

I have two applications within the same Tomcat 4 container. 

I want to configure FORM type of authentication so user needs to login only
once.

I configured JDBCRealm that worked ok with BASIC type of authentication.

What I mean by ok was that while switching from one application to another
the login request was not displayed for second time.

Now I created FORM type of authentication just as HOWTO says. However every
time I switch from one application to another the user needs to login for
second time.

Do you know how to avoid this ?

 

Thanks,

Jerzy






Re: j_security_check in Jboss 3.0 with Tomcat

2002-06-12 Thread Mukul Joshi

Thanks Hanks.

I will try this out.

--- Hanks Mei [EMAIL PROTECTED] wrote:
 Quoting  Mukul Joshi [EMAIL PROTECTED]:
 
  Hi
  
  Has anyone used j_security_check in Jboss 3.0 with
  Tomcat.
  
  If yes, is the user authenticated with the custom
  login module in JBoss.
  
 Yes, JBoss plugs in his own realm into tomcat, so
 that
 the same security manager used in JBoss framework is
 used in 
 the tomcat web container also.
 
  Also is the authenticated user then associated
 with
  the Session.
 
 Yes of course, you can also get the principal object
 using the 
 getUserPrincipal API.
 
  And is the authenticated user associated
  with the execution thread so that the method
  permissions work seamlessly on the EJB side and
 the
  user can also be identified in the EJB.
  
 If you are worried about the security(principal)
 being passed across, then:
 All the containers have an implicit rule of passing
 on the principal object 
 when communication goes from one container to
 another. i.e. for example  webcontainer to EJB
 container.
 So you will not have any problem.
 
  Is there any special setting to make
 j_security_check
  work thus.
  
 NOPE!!! no need.
  Many Thanks
  
  Mukul
  




Re: j_security_check in Jboss 3.0 with Tomcat

2002-06-11 Thread Hanks Mei

Quoting  Mukul Joshi [EMAIL PROTECTED]:

 Hi
 
 Has anyone used j_security_check in Jboss 3.0 with
 Tomcat.
 
 If yes, is the user authenticated with the custom
 login module in JBoss.
 
Yes, JBoss plugs in his own realm into tomcat, so that
the same security manager used in JBoss framework is used in 
the tomcat web container also.

 Also is the authenticated user then associated with
 the Session.

Yes of course, you can also get the principal object using the 
getUserPrincipal API.

 And is the authenticated user associated
 with the execution thread so that the method
 permissions work seamlessly on the EJB side and the
 user can also be identified in the EJB.
 
If you are worried about the security(principal) being passed across, then:
All the containers have an implicit rule of passing on the principal object 
when communication goes from one container to another. i.e. for example  webcontainer 
to EJB container.
So you will not have any problem.

 Is there any special setting to make j_security_check
 work thus.
 
NOPE!!! no need.
 Many Thanks
 
 Mukul
 




RE: j_security_check problem with 2nd login

2002-04-24 Thread Pknk Jan

Hi, 

 If now some user comes back to the login screen and makes an additional
 login, j_security_check can get the destination address from the referring
page.

AFAIK, TOMCAT doesn't take destination page from referrer. TC takes it from
session, where is
stored first page that needed authentication which user tried to open not
being authenticated. :)
You can check it - look what attributes are stored in session after trying
to open protected page, but before 
submitting login form.

-Jan

-Original Message-
From: Mario Rodler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 9:34 AM
To: [EMAIL PROTECTED]
Subject: j_security_check problem with 2nd login


I'm working on a small project which needs a form based login page. Using a
j_security_check form works fine.

I also have the problem, that a user must not come back to the login page
for a second login. If she does - j_security_check will fail with a 404
error
page. (I know why).

Does anybody know a working solution?

On my way to find a correct solution, I've read the Sun Servlet Spec '
SRV.12.5.3 Form Based Authentication', and now I think the tomcat way  is
probably
not correct.

Instead of redirecting the browser to a Login-Form, tomcat should
include/forward the LoginForm. 

If now some user comes back to the login screen and makes an additional
login, j_security_check can get the destination address from the referring
page.

Any other ideas ???





Re: j_security_check

2001-12-31 Thread Craig R. McClanahan



On Mon, 31 Dec 2001, Boudreau, Mike wrote:

 Date: Mon, 31 Dec 2001 10:34:14 -0500
 From: Boudreau, Mike [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Subject: j_security_check

 I have a requirement to implement security via LDAP and RDBMS.

 I was planning on using Form Based Authentication utilizing the
 j_security_check.

 I see that you can use a JDBC Realm, but can I implement an LDAP realm or
 some custom solution and take advantage of the web.xml security
 declarations?


Tomcat 4 has a JNDIRealm implementation that can talk to LDAP servers.

 Does the JDBC realm use connection pooling?


Not at the moment.  It's on my list of things to fix, now that we have
global JNDI resources (in the nightly builds).

 Is there a standard way to extend the j_security_check in a way that will
 work in other Servlet Containers (e.g. WebSphere, WebLogic)?


The declaration of security constraints and form-based login that you do
inside the web.xml file is portable across all servers.  What is *not*
portable is how each server looks up users and roles (i.e. the Realm
concept in Tomcat) -- you will have to consult the documentation for each
server individually to see how that is done.

 Thanks,
 Mike


Craig McClanahan






RE: j_security_check

2001-10-18 Thread Randy Layman


You need to have your j_security_check URL from the root of the
WEBAPP.  For example, you need to post the form to
/examples/j_security_check in the examples webapp.  Your error message
implies to me that the login form is in the login directory.  You would want
your form's action to be ../j_security_check in this case.

Randy


 -Original Message-
 From: Wayne Hefner [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 18, 2001 11:23 AM
 To: [EMAIL PROTECTED]
 Subject: j_security_check
 
 
 I am trying to set up a form based authorization, I have done 
 everything
 similar to examples I have found.  My login.jsp appears below:
 
 
 <html>
 <body>
 <h1>Login page for examples</h1>
 <form method="POST" action="j_security_check" >
  Username: <input type="text" name="j_username"><br>
  Password: <input type="password" name="j_password"><br>
  <br>
  <input type="submit" value="login" name="j_security_check">
 </form>
 
 </body>
 </html>
 
 when I submit it doesn't appear that the engine knows about the
 j_security_check servlet since it attempts to go to
 http://mack-weh/login/j_security_check and displays a page 
 not found error.
 
 Is there anything that needs to be done to activate this servlet.
 
 thanks,
 
 wayne
 
 



RE: j_security_check

2001-10-18 Thread andrewdrobson

Hi,
  I assume you are running a web server in front of 
tomcat in which case you need to tell your web 
server to delegate handling of j_security_check to
tomcat. With apache you would add following to httpd.conf

JkMount /login/j_security_check ajp13 (or ajp12 depending on 
connector protocol you are using)

Hope this helps
andrew

On 18-Oct-2001 Wayne Hefner wrote:
 I am trying to set up a form based authorization, I have done everything
 similar to examples I have found.  My login.jsp appears below:
 
 
 <html>
 <body>
 <h1>Login page for examples</h1>
 <form method="POST" action="j_security_check" >
  Username: <input type="text" name="j_username"><br>
  Password: <input type="password" name="j_password"><br>
  <br>
  <input type="submit" value="login" name="j_security_check">
 </form>
 
 </body>
 </html>
 
 when I submit it doesn't appear that the engine knows about the
 j_security_check servlet since it attempts to go to
 http://mack-weh/login/j_security_check and displays a page not found error.
 
 Is there anything that needs to be done to activate this servlet.
 
 thanks,
 
 wayne




RE: j_security_check

2001-10-18 Thread Craig R. McClanahan



On Thu, 18 Oct 2001, Randy Layman wrote:

 Date: Thu, 18 Oct 2001 11:21:41 -0400
 From: Randy Layman [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: RE: j_security_check


   You need to have your j_security_check URL from the root of the
 WEBAPP.  For example, you need to post the form to
 /examples/j_security_check in the examples webapp.  Your error message
 implies to me that the login form is in the login directory.  You would want
 your form's action to be ../j_security_check in this case.


Actually, the servlet spec is very specific -- you are supposed to set the
form action to j_security_check as a relative path.  What this means to
the server is that the URL will be relative to wherever the login page
came from.  Basically, the server has to match on /j_security_check at
the end of the URL to tell whether this is the special case or not.

Wayne, the most common cause for problems with form-based login is based
on a misunderstanding of how it works.  If you are manually navigating to
the form login page, that's a mistake.  Instead, you should just be
navigating to any URL that is protected by your security constraint.
Then, the server will save that request and show you the login page.
After you are authenticated, the server restores the original request and
completes it.

To see how it is supposed to work, simply start up Tomcat and access

  http://localhost:8080/examples/jsp/security/protected/

which is protected by a security constraint.  Tomcat will save away that
request, authenticate you, and then (after the submit of the login page)
will complete the original request.  If you try to submit to
j_security_check at any other time, there will not be an original request
to restore to, which is why you get the error.

If it still doesn't make sense, temporarily switch to the BASIC login
method and try again.  The user actions are identical -- the only
difference is that the login window is a pop-up dialog box instead of an
HTML page.  Note that the user *never* references the pop-up dialog box
directly -- it is just used when necessary.  Form based login is designed
to work exactly that way.

   Randy


Craig



  -Original Message-
  From: Wayne Hefner [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, October 18, 2001 11:23 AM
  To: [EMAIL PROTECTED]
  Subject: j_security_check
 
 
  I am trying to set up a form based authorization, I have done
  everything
  similar to examples I have found.  My login.jsp appears below:
 
 
  <html>
  <body>
  <h1>Login page for examples</h1>
  <form method="POST" action="j_security_check" >
   Username: <input type="text" name="j_username"><br>
   Password: <input type="password" name="j_password"><br>
   <br>
   <input type="submit" value="login" name="j_security_check">
  </form>
 
  </body>
  </html>
 
  when I submit it doesn't appear that the engine knows about the
  j_security_check servlet since it attempts to go to
  http://mack-weh/login/j_security_check and displays a page
  not found error.
 
  Is there anything that needs to be done to activate this servlet.
 
  thanks,
 
  wayne
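
The flow Craig describes above (and that John Gregg and Jan describe in the 2002 threads), as an added example that is not part of the original messages and is not Tomcat's code: a toy Java model of a container's FORM login handling, showing why a POST to j_security_check fails when no original request was saved. The class, the paths, the status codes and the realm entry are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Toy model of container-managed FORM login; not Tomcat's implementation. */
public class FormLoginFlow {

    /** Stand-in for the HTTP session the container keeps per browser. */
    static final class Session {
        String savedRequestUri; // protected URL the user originally asked for
        String principal;       // set once j_security_check succeeds
    }

    /** Status code plus the page served or the redirect target. */
    static final class Result {
        final int status;
        final String target;
        Result(int status, String target) {
            this.status = status;
            this.target = target;
        }
        @Override
        public String toString() {
            return status + " -> " + target;
        }
    }

    // Paths modelled on the examples in this thread; the realm entry is constructed.
    static final String PROTECTED_PREFIX = "/jsp/security/protected/";
    static final String LOGIN_PAGE = "/jsp/security/login.jsp";
    static final String ERROR_PAGE = "/jsp/security/error.jsp";

    private final Map<String, String> realm = new HashMap<>();

    FormLoginFlow() {
        realm.put("wayne", "constructed-password");
    }

    /** Entry point for every request, as the container sees it. */
    Result handle(Session session, String uri, Map<String, String> form) {
        // The container matches on the trailing /j_security_check, wherever the form lives.
        if (uri.endsWith("/j_security_check")) {
            return authenticate(session, form);
        }
        if (uri.startsWith(PROTECTED_PREFIX) && session.principal == null) {
            session.savedRequestUri = uri;     // remember where the user was going
            return new Result(200, LOGIN_PAGE); // and show the login page instead
        }
        return new Result(200, uri);            // unprotected, or already logged in
    }

    private Result authenticate(Session session, Map<String, String> form) {
        if (session.savedRequestUri == null) {
            // Nothing to restore: the user opened the login page directly,
            // or came back to it for a second login. 400 is this model's choice.
            return new Result(400, "Invalid direct reference to form login page");
        }
        String user = form.get("j_username");
        String password = form.get("j_password");
        if (user == null || password == null || !password.equals(realm.get(user))) {
            return new Result(200, ERROR_PAGE);
        }
        session.principal = user;
        String original = session.savedRequestUri;
        session.savedRequestUri = null;         // a saved request is used once
        return new Result(302, original);
    }

    public static void main(String[] args) {
        FormLoginFlow container = new FormLoginFlow();
        Map<String, String> creds = new HashMap<>();
        creds.put("j_username", "wayne");
        creds.put("j_password", "constructed-password");
        Map<String, String> none = new HashMap<>();

        // 1. Intended flow: ask for the protected page, get the form, log in, get redirected.
        Session a = new Session();
        System.out.println(container.handle(a, PROTECTED_PREFIX + "index.jsp", none));
        System.out.println(container.handle(a, "/jsp/security/j_security_check", creds));
        System.out.println(container.handle(a, PROTECTED_PREFIX + "index.jsp", none));

        // 2. Navigating straight to the login page: the form renders, the submit fails.
        Session b = new Session();
        System.out.println(container.handle(b, LOGIN_PAGE, none));
        System.out.println(container.handle(b, "/jsp/security/j_security_check", creds));

        // 3. Second login on an authenticated session: again nothing saved to restore.
        System.out.println(container.handle(a, "/jsp/security/j_security_check", creds));
    }
}
```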
 
 





Re: j_security_check

2001-06-11 Thread Pae Choi



Try action="/VP/j_security_check" while assuming that the rest of the
setup is correct.


Pae


  I've read everything I can find on the list, and in the
  documentation and I still can't get "FORM" authentication to work.

  I'm using tomcat 3.2.2. I'm accessing Tomcat directly (via port 8080) -
  I've turned Apache off to make sure that it doesn't get in the way.

  Tomcat correctly redirects to my login page, but then pressing submit
  gets the message "The page cannot be found" - it's looking for a page
  called j_security_check. I have:

  <form method="POST" action="j_security_check" >

  Username: <input type="text" name="j_username"><br>
  Password: <input type="password" name="j_password"><br>etc

  in my login.jsp.

  I've put
  JkMount /VP/j_security_check * ajp13
  in my mod_jk.conf (in $TOMCAT_HOME/conf/ - but I don't know whether
  Tomcat is reading it).
  
  Any ideas?
  
  Many thanks
  
  Mark Muffett


Re: j_security_check

2001-06-11 Thread Mark Muffett



Thanks, but it makes no difference. Is there any easy way to be sure
that my mod_jk.conf is being used?

Mark

  - Original Message -
  From: Pae Choi
  To: [EMAIL PROTECTED]
  Sent: Monday, June 11, 2001 1:11 PM
  Subject: Re: j_security_check

  Try action="/VP/j_security_check" while assuming that the rest of the
  setup is correct.


  Pae


    I've read everything I can find on the list, and in the
    documentation and I still can't get "FORM" authentication to work.

    I'm using tomcat 3.2.2. I'm accessing Tomcat directly (via port 8080) -
    I've turned Apache off to make sure that it doesn't get in the way.

    Tomcat correctly redirects to my login page, but then pressing submit
    gets the message "The page cannot be found" - it's looking for a page
    called j_security_check. I have:

    <form method="POST" action="j_security_check" >

    Username: <input type="text" name="j_username"><br>
    Password: <input type="password" name="j_password"><br>etc

    in my login.jsp.

    I've put
    JkMount /VP/j_security_check * ajp13
    in my mod_jk.conf (in $TOMCAT_HOME/conf/ - but I don't know whether
    Tomcat is reading it).

Any ideas?

Many thanks

Mark Muffett


Re: j_security_check

2001-06-11 Thread P.Miller

Hi Mark,

I send you attached the parts of mod_jk.conf , web.xml which works for
me;
belonging to directory structure 
c:\tomcat\webapps\tute6\form\protected.jsp
c:\tomcat\webapps\tute6\secure\login.jsp  error.html
c:\tomcat\webapps\tute6\WEB-INF\web.xml

set  <Logger name="tc_log"
verbosityLevel = "DEBUG"
path="logs/tomcat.log"/>

in your server.xml so you can see if there are any mod_jk errors while
invoking tomcat.

Hth

Peter

# The following line makes apache aware of the location of the /tute6 context
#
Alias /tute6 C:/tc/webapps/tute6
<Directory C:/tc/webapps/tute6>
    Options Indexes FollowSymLinks
</Directory>

#
# The following line mounts all JSP files and the /servlet/ uri to tomcat
#
JkMount /tute6/servlet/* ajp13
JkMount /tute6/*.jsp ajp13
JKMount /tute6/form/*.jsp ajp13
JKMount /tute6/secure/j_security_check ajp13
#
# The following line prohibits users from directly accessing WEB-INF
#
<Location /tute6/WEB-INF/>
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory C:/tc/webapps/tute6/WEB-INF/>
    AllowOverride None
    deny from all
</Directory>

#
# The following line prohibits users from directly accessing META-INF
#
<Location /tute6/META-INF/>
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory C:/tc/webapps/tute6/META-INF/>
    AllowOverride None
    deny from all
</Directory>

#######################################################
# Auto configuration for the /tute6 context ends.
#######################################################




<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>

   <security-role>
      <role-name>tomcat</role-name>
   </security-role>

   <servlet>
      <servlet-name>protect</servlet-name>
      <jsp-file>/form/protected.jsp</jsp-file>
      <!--<load-on-startup>0</load-on-startup>-->
      <security-role-ref>
         <role-name>TESTAPPROLE</role-name>
         <role-link>tomcat</role-link>
      </security-role-ref>
   </servlet>

   <servlet-mapping>
      <servlet-name>tute6</servlet-name>
      <url-pattern>/tute6/servlet/*</url-pattern>
   </servlet-mapping>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>My Protected Area</web-resource-name>
         <url-pattern>/form/*</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>tomcat</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form Based Authentication</realm-name>
      <form-login-config>
         <form-login-page>/secure/login.jsp</form-login-page>
         <form-error-page>/secure/error.html</form-error-page>
      </form-login-config>
   </login-config>

</web-app>



Re: j_security_check

2001-06-11 Thread Mark Muffett

Peter

Can I check what version of Tomcat you're using?  Mine still doesn't work.

Thanks

Mark

- Original Message -
From: P.Miller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 11, 2001 1:58 PM
Subject: Re: j_security_check


 Hi Mark,

 I send you attached the parts of mod_jk.conf , web.xml which works for
 me;
 belonging to directory structure
 c:\tomcat\webapps\tute6\form\protected.jsp
 c:\tomcat\webapps\tute6\secure\login.jsp  error.html
 c:\tomcat\webapps\tute6\WEB-INF\web.xml

 set  <Logger name="tc_log"
 verbosityLevel = "DEBUG"
 path="logs/tomcat.log"/>

 in your server.xml so you can see if there are any mod_jk errors while
 invoking tomcat.

 Hth

 Peter











Re: j_security_check

2001-06-11 Thread P.Miller

Mark

I'm working with Apache 1.3.19 and Tomcat 3.2.1
My configuration requires Apache & Tomcat (Tomcat standalone doesn't
need mod_jk at all!)

regards
Peter

Mark Muffett wrote:
 
 Peter
 
 Can I check what version of Tomcat you're using?  Mine still doesn't work.
 
 Thanks
 
 Mark
 
 - Original Message -
 From: P.Miller [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 11, 2001 1:58 PM
 Subject: Re: j_security_check
 
  Hi Mark,
 
  I send you attached the parts of mod_jk.conf , web.xml which works for
  me;
  belonging to directory structure
  c:\tomcat\webapps\tute6\form\protected.jsp
  c:\tomcat\webapps\tute6\secure\login.jsp  error.html
  c:\tomcat\webapps\tute6\WEB-INF\web.xml
 
  set  <Logger name="tc_log"
  verbosityLevel = "DEBUG"
  path="logs/tomcat.log"/>
 
  in your server.xml so you can see if there are any mod_jk errors while
  invoking tomcat.
 
  Hth
 
  Peter
 
 
 
 
 



Re: j_security_check

2001-06-11 Thread Michael Jennings

Mark,

The mod_jk stuff doesn't matter if you are talking to tomcat directly.
Have you checked out the security example that comes with tomcat 3.2.2?
Does that work? (You might need to modify your server.xml file)

-Mike Jennings

- Original Message -
From: Mark Muffett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 11, 2001 8:04 AM
Subject: Re: j_security_check


 Peter

 Can I check what version of Tomcat you're using?  Mine still doesn't work.

 Thanks

 Mark

 - Original Message -
 From: P.Miller [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 11, 2001 1:58 PM
 Subject: Re: j_security_check


  Hi Mark,
 
  I send you attached the parts of mod_jk.conf , web.xml which works for
  me;
  belonging to directory structure
  c:\tomcat\webapps\tute6\form\protected.jsp
  c:\tomcat\webapps\tute6\secure\login.jsp  error.html
  c:\tomcat\webapps\tute6\WEB-INF\web.xml
 
  set  <Logger name="tc_log"
  verbosityLevel = "DEBUG"
  path="logs/tomcat.log" />
 
  in your server.xml so you can see if there are any mod_jk errors while
  invoking tomcat.
 
  Hth
 
  Peter


 





Re: j_security_check

2001-06-11 Thread Pae Choi

Confirming! j_security_check works in the combination of Apache 1.3.19 +
Tomcat 3.2.1.


Pae

<Peter>
Mark

I'm working with Apache 1.3.19 and Tomcat 3.2.1
My configuration requires Apache & Tomcat (Tomcat standalone doesn't
need mod_jk at all!)

regards
Peter
</Peter>

Mark Muffett wrote:
 
 Peter
 
 Can I check what version of Tomcat you're using?  Mine still doesn't work.
 
 Thanks
 
 Mark
 
 - Original Message -
 From: P.Miller [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 11, 2001 1:58 PM
 Subject: Re: j_security_check
 
  Hi Mark,
 
  I send you attached the parts of mod_jk.conf , web.xml which works for
  me;
  belonging to directory structure
  c:\tomcat\webapps\tute6\form\protected.jsp
  c:\tomcat\webapps\tute6\secure\login.jsp  error.html
  c:\tomcat\webapps\tute6\WEB-INF\web.xml
 
  set  <Logger name="tc_log"
  verbosityLevel = "DEBUG"
  path="logs/tomcat.log" />
 
  in your server.xml so you can see if there are any mod_jk errors while
  invoking tomcat.
 
  Hth
 
  Peter
 
 
 
 
 



Re: j_security_check

2001-06-06 Thread P.Miller

Thanks Amit,

I tried it but get the same result.
I'm wondering about another thing: When I access the protected page
which is redirected to the login.jsp because of the settings in the
web.xml I see in my Tomcat console the following messages:

ContextManager: JDBCRealm: JDBCRealm.authenticate: SELECT user_pass FROM
users WHERE user_name= ?
ContextManager: JDBCRealm: Authentication unsuccessful for user null

Why does the authentication process start before submitting the login.jsp
page?

Please help
Peter

[EMAIL PROTECTED] wrote:
 
 include following in ur mod_jk.conf (if using tomcat standalone):
 JkMount  /<name of context>/j_security_check * ajp13
 or in httpd.conf if with apache.
 
 -Amit.
 
 - Original Message -
 From: P.Miller [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, June 05, 2001 1:13 PM
 Subject: AUTH: j_security_check
 
 
  Hi,
 
  I tried the FORM-authentication in Tomcat 3.2.1:
 
  login.jsp:
 
  <form method="POST" action="j_security_check">
  Username: <input type="text" name="j_username"><br>
  Password: <input type="password" name="j_password"><br>
  <br>
  <input type="submit" value="login" name="j_security_check">
  </form>
 
  I get the correct Form but when I press 'submit', I always get the
  error:
 
  URL j_security_check not found
 
  So I searched for a java-class or a method inside a class which is
  called 'j_security_check' but found only a CONSTANT with this name and
  no method or class-file.
 
  What's the meaning of this URL and where should I declare it that TOMCAT
  can find it?
 
  Many thanks for your help,
  Peter
 



Re: j_security_check

2001-06-05 Thread amit

include following in ur mod_jk.conf (if using tomcat standalone):
JkMount  /<name of context>/j_security_check * ajp13
or in httpd.conf if with apache.

-Amit.




- Original Message - 
From: P.Miller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 05, 2001 1:13 PM
Subject: AUTH: j_security_check


 
 Hi,
 
 I tried the FORM-authentication in Tomcat 3.2.1:
 
 login.jsp:
 
 <form method="POST" action="j_security_check">
 Username: <input type="text" name="j_username"><br>
 Password: <input type="password" name="j_password"><br>
 <br>
 <input type="submit" value="login" name="j_security_check">
 </form>
 
 I get the correct Form but when I press 'submit', I always get the
 error:
 
 URL j_security_check not found
 
 So I searched for a java-class or a method inside a class which is
 called 'j_security_check' but found only a CONSTANT with this name and
 no method or class-file.
 
 What's the meaning of this URL and where should I declare it that TOMCAT
 can find it?
 
 Many thanks for your help,
 Peter
 




RE: j_security_check (Re-post)

2001-05-14 Thread JULIEN,TIMOTHY (HP-NewJersey,ex2)

this is a bug, and is slated to be fixed.
don't know when.
Basically, after FORM login, a redirect needs to occur, but Tomcat is doing
an internal forward.

Tim Julien
HP Middleware

-Original Message-
From: Simon Ozturk [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 14, 2001 4:16 AM
To: '[EMAIL PROTECTED]'
Subject: j_security_check (Re-post)


Having received no response, I am re-posting my earlier message below. Could
this be down to a configuration problem?

Simon.

 --
 From: Simon Ozturk[SMTP:[EMAIL PROTECTED]]
 Reply To: [EMAIL PROTECTED]
 Sent: 04 May 2001 10:05
 To:   '[EMAIL PROTECTED]'
 Subject:  j_security_check
 
 Hi guys,
 
 Using Tomcat 4.b1 and Tomcat 4.b3 I get the following strange behaviour
 which does not happen in Tomcat 3.2 :
 
 1- User requests a bookmarked page which is protected :
   http://localhost/control/member/you/AddressBook
 2- Login page is displayed, and user logs in (using FORM based
 authentication)
 3- The requested page is displayed and the browser's address line shows
 http://localhost/j_security_check
 4- Subsequently, relative links on the page become
 http://localhost/j_security_check/xyz instead of
 http://localhost/control/member/you/AddressBook/xyz
 
 Additionally, after logging in on the home page without using any
 bookmarks,
 I get the same behaviour with the address line
 http://localhost/j_security_check instead of http://localhost/index.jsp
 which is the welcome page.
 
 Can anyone help please?
 
 Many thanks in advance,
 
 Simon
 



Re: j_security_check

2001-04-14 Thread eric leung

I am using VPN. It works on normal network connection.
Does that matter?

--- eric leung [EMAIL PROTECTED] wrote:
 Hi,
 I had set up Form authentication in tomcat.  I used
 apache 1.3.17 + tomcat 3.2.1. And I added this line
 ---
 JkMount /update/j_security_check Ajp12
 ---
 to mod_jk.conf, which will forward all the login form
 request to Ajp12 worker.
 
 It worked before, but now, all of a sudden, apache
 returns an error message saying:
 404 Not Found
 The requested URL /update/null was not found on this
 server.
 
 That's very strange that j_security_check had changed
 to null.
 
 my form is like this:
 <html>
 <head>
 </head>
 <body>
 
 <form method="POST" action="j_security_check">
 Username<input type="text" name="j_username">
 Password:<input type="password" name="j_password">
 <input type="submit" value="login"
 name="j_security_check">
 </form>
 
 </body>
 </html>
 
 Please help me out 
 thanks.
 



Re: j_security_check

2001-03-25 Thread brian luk

I just looked at web.xml inside the example directory.
There is a block defined like this, but I am not sure
if this is what you are asking.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/jsp/security/protected/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/jsp/security/login/login.jsp</form-login-page>
    <form-error-page>/jsp/security/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

--- Ian Kallen [EMAIL PROTECTED] wrote:
 
 I haven't seen any real useful answers in the archive about the
 form based auth jsp security example 404'ing on
 /examples/jsp/security/login/j_security_check
 
 Does something need to be in server.xml to enable this?  I'm including
 mod_jk-auto that tomcat generates in my httpd.conf and other examples seem
 to be fine but this example is missing any explanation of its usage.  Any
 pointer to how this is supposed to be configured would be appreciated!
 
 The setup is:
 Apache 1.3.19
 Tomcat 3.2.1
 JDK 1.2.2
 FreeBSD 4.2
 
 thanks,
 -Ian
 
 --
 Ian Kallen [EMAIL PROTECTED] | AIM: iankallen | efax: (415) 354-3326
 





Re: j_security_check

2001-03-25 Thread Valeriy Molyakov

Add into httpd.conf

JkMount /examples/jsp/security/login/j_security_check ajp13


- Original Message -
From: "Ian Kallen" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 25, 2001 11:20 AM
Subject: j_security_check



 I haven't seen any real useful answers in the archive about the
 form based auth jsp security example 404'ing on
 /examples/jsp/security/login/j_security_check

 Does something need to be in server.xml to enable this?  I'm including
 mod_jk-auto that tomcat generates in my httpd.conf and other examples seem
 to be fine but this example is missing any explanation of its usage.  Any
 pointer to how this is supposed to be configured would be appreciated!

 The setup is:
 Apache 1.3.19
 Tomcat 3.2.1
 JDK 1.2.2
 FreeBSD 4.2

 thanks,
 -Ian

 --
 Ian Kallen [EMAIL PROTECTED] | AIM: iankallen | efax: (415) 354-3326
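
The fix that recurs in this thread is a JkMount line for the URL the login form posts to. The following added example (not code from any poster, Tomcat or mod_jk) derives that URL from web.xml and checks it against the JkMount lines. The sample inputs are constructed, the function names are hypothetical, the matcher is a simplified model of mod_jk's exact, prefix and suffix mappings, and it assumes the form's relative action resolves against the login page's own URL, as the mounts quoted in the thread imply.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragment, modelled on the FORM login setups quoted in the thread.
WEB_XML = """<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/secure/login.jsp</form-login-page>
      <form-error-page>/secure/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed: only the servlet and JSP mounts, with no mount for the login POST.
JK_CONF_AUTO = """JkMount /tute6/servlet/* ajp13
JkMount /tute6/*.jsp ajp13
"""
# Constructed: the same file with the manually added mount.
JK_CONF_FIXED = JK_CONF_AUTO + "JKMount /tute6/secure/j_security_check ajp13\n"


def parse_jk_mounts(conf_text):
    """Return [(uri_pattern, worker)] for each JkMount line (directive case is ignored)."""
    mounts = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*JkMount\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and never match
            mounts.append((m.group(1), m.group(2)))
    return mounts


def jk_matches(pattern, uri):
    """Simplified mapping model: '/ctx/*' prefix, '/ctx/*.ext' suffix, else exact."""
    if pattern.endswith("/*"):
        return uri.startswith(pattern[:-1])
    if "/*." in pattern:
        prefix, ext = pattern.split("*", 1)
        return uri.startswith(prefix) and uri.endswith(ext)
    return uri == pattern


def login_post_uri(context_path, web_xml_text, action="j_security_check"):
    """URL a relative form action resolves to, or None if FORM auth is not configured."""
    root = ET.fromstring(web_xml_text)
    if root.findtext("login-config/auth-method", "").strip() != "FORM":
        return None
    page = root.findtext("login-config/form-login-config/form-login-page", "").strip()
    return posixpath.join(context_path + posixpath.dirname(page), action)


def check_form_login_mount(context_path, web_xml_text, jk_conf_text):
    """Return (post_uri, (pattern, worker)) or (post_uri, None) when Apache would not forward it."""
    uri = login_post_uri(context_path, web_xml_text)
    if uri is None:
        return None, None
    for pattern, worker in parse_jk_mounts(jk_conf_text):
        if jk_matches(pattern, uri):
            return uri, (pattern, worker)
    return uri, None


if __name__ == "__main__":
    for name, conf in (("auto", JK_CONF_AUTO), ("fixed", JK_CONF_FIXED)):
        uri, hit = check_form_login_mount("/tute6", WEB_XML, conf)
        print(name, uri, "->", hit or "not forwarded to Tomcat (Apache answers 404)")
```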




Re: j_security_check form authentication controlled in WAR context?

2001-03-15 Thread Craig R. McClanahan



On Thu, 15 Mar 2001, Richard Yumul wrote:

 Is there a way to define the authenticating class within the WAR context?  I
 like the way SimpleRealm & JDBCRealm work, automatically protecting every
 resource matching a regex.
 
 However if I need a custom realm, I'd really prefer to have it be deployable
 in the war (would work across servlet containers) & not have to customize
 tomcat.  If not, how are other people getting around this, other than
 putting a custom tag (or something) on every jsp page?
 

There is no portable API in the servlet spec defining how a container
should talk to the authentication realm.  This was considered in the
process leading up to the 2.3 (proposed final draft) spec, but we didn't
have time to settle on a standardized interface :-(.

Thus, you are stuck having to conform to the APIs that each container
provides for this purpose (for example, in Tomcat you would build your own
Realm implementation).  However, your apps themselves would all be
portable.

 TIA,
 Rich
 

Craig McClanahan




Re: j_security_check question

2001-03-10 Thread Thomas Riemer

Most likely you are missing a JkMount statement.
You need to tell your web server that /j_security_check exists.

JkMount /j_security_check ajp12

Carlos Alonso wrote:

 Working with apache and tomcat found a problem with j_security_check
 using jdbcrealm.

 As j_security_check is an URI handled by tomcat and no (separate) class
 exists,  apache complains with no found error (seeking for
 j_security_check) trying to check us/pswd. Is there any way to use
 form-based security working with apache+tomcat?

 Thanks in advance

 Carlos





Re: j_security_check mapping

2000-11-30 Thread Mike La Budde

I ran in to the same problem. The solution is to modify the
mod_jk.conf-auto file (and save w/ a different name) as follows: 

#
# The following line mounts all JSP files and the /servlet/ uri to tomcat
#
JkMount /iristafulfill/servlet/* ajp12
JkMount /iristafulfill/*.jsp ajp12
JkMount /iristafulfill/*.do ajp12
JkMount /iristafulfill/pages/security/j_security_check ajp12

Both of the last two lines were added manually. The first, 'cause
we're using struts and the second for the login page

HTH, 

Mike

At 11/30/2000 09:09 AM -0800, you wrote:
hello,

with 3.2 final I ran into the same problem as the
message below. Is there a solution, so the 8080 is
not necessary, now?

Thanks, Juergen


http://mikal.org/interests/java/tomcat_users/msg09581.html

I am using Tomcat 3.2b6 with mod_jk. When accessing
http://localhost:8080/examples/jsp/security/protected/index.jsp
The login.jsp page works (posts) fine. However, when
accessing through Apache,
http://localhost/examples/jsp/security/protected/index.jsp,
the login.jsp comes up but j_security_check is not
found when I post. Has anyone else had this problem?
Can I manually do the mapping from within web.xml?

Thanks,
Charlie





/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */ 
Michael H. La Budde email: [EMAIL PROTECTED]
Prosoft, Inc. phone: 414-860-6509
[EMAIL PROTECTED] fax: 414-860-7014
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */ 




Re: j_security_check mapping

2000-11-30 Thread Jacob Kjome

Mike,

I'm confused as to what you mean here? First of all, what is that
iristafulfill context? Is that your own? I also
looked for a class file called j_security_check.class and I
didn't find it anywhere in the sample context or any other context that
comes with 3.2 final.

Can you or someone else be a bit more explicit as to how to get this to
work through Apache on port 80.

Jake


At 12:46 PM 11/30/2000 -0600, you wrote:
I ran in to the same problem. The
solution is to modify the mod_jk.conf-auto file (and save w/ a different
name) as follows: 

#
# The following line mounts all JSP files and the /servlet/ uri to tomcat
#
JkMount /iristafulfill/servlet/* ajp12
JkMount /iristafulfill/*.jsp ajp12
JkMount /iristafulfill/*.do ajp12
JkMount /iristafulfill/pages/security/j_security_check ajp12

Both of the last two lines were added manually. The first, 'cause
we're using struts and the second for the login page

HTH, 

Mike

At 11/30/2000 09:09 AM -0800, you wrote:
hello,

with 3.2 final I ran into the same problem as the
message below. Is there a solution, so the 8080 is
not necessary, now?

Thanks, Juergen


http://mikal.org/interests/java/tomcat_users/msg09581.html

I am using Tomcat 3.2b6 with mod_jk. When accessing
http://localhost:8080/examples/jsp/security/protected/index.jsp
The login.jsp page works (posts) fine. However, when
accessing through Apache,
http://localhost/examples/jsp/security/protected/index.jsp,
the login.jsp comes up but j_security_check is not
found when I post. Has anyone else had this problem?
Can I manually do the mapping from within web.xml?

Thanks,
Charlie




/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */ 
Michael H. La Budde email: [EMAIL PROTECTED]
Prosoft, Inc. phone: 414-860-6509
[EMAIL PROTECTED] fax: 414-860-7014
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */