RE: j_security_check question

2002-07-02 Thread BBui

Does it load the login form for you?


-Original Message-
From: Kevin Andryc [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 11:45 AM
To: Tomcat Users List
Subject: j_security_check question

I am using a servlet as a login form that uses  "j_security_check". When
submitted I would like it to return back to the same servlet with the person
now authenticated except that it gives me the error:

Type Status report
message Invalid direct reference to form login page
description The request sent by the client was syntactically incorrect
(Invalid direct reference to form login page).

Here is my web.xml file:


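<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/servlet/CustomLogin</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>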


I have searched through the archives and it appears no one responded. Anyone
have a solution?

Sincerely,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]





--
To unsubscribe, e-mail:

For additional commands, e-mail:




RE: j_security_check question

2002-07-02 Thread Kevin Andryc

When I type in the URL:

http://localhost:8080/dev/servlet/CustomLogin

The form loads with the respective "username" and "password" fields. But
when I submit the form to be authenticated, that is when the error appears.

Sincerely,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]







RE: j_security_check question

2002-07-02 Thread John Gregg

Is CustomLogin a resource at a protected URL, or is it a servlet that itself
spits out a login page?  You can't access j_security_check directly.
Instead, you need to access a protected URL, the container sees that you're
not logged-in and redirects you to the login form, you submit the login
form, and finally the container sends you to the original resource you
requested.

john





RE: j_security_check question

2002-07-02 Thread Kevin Andryc

CustomLogin.class is a resource at a protected URL which also contains the
login form. So here is how it works (or how I would like it to work). I have
a CustomLogin class:

CustomLogin.class (located in /dev/WEB-INF/classes/)
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CustomLogin extends HttpServlet {
    public CustomLogin() {
        super();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    // Forwards every request to the login JSP.
    public void performTask(HttpServletRequest request, HttpServletResponse response) {
        try {
            String jspPage = "login.jsp";
            RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
            rd.forward(request, response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

login.jsp (located in /dev/jsp/security/)



Login Page for Examples


  

  Username:
  


  Password:
  


  
  

  




web.xml


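<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/servlet/CustomLogin</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>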


The user will type in the URL:
http://localhost:8080/dev/servlet/CustomLogin. The login form does appear.
But once I enter the login information (username and password) the "Invalid
direct reference to form login page" appears. What I want is to have the
user type in http://localhost:8080/dev/servlet/CustomLogin and log in. If
they are successful, then it should direct them to the CustomLogin
servlet so I can get the user information and customize the page according
to who is logged in. I hope this makes sense. I just can't seem to get it to
work or figure out how to make it work.

Thanks,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]







RE: j_security_check question

2002-07-02 Thread John Gregg

No can do-ski.  The container needs to know where to send the user upon
successful authentication, but if your application presents a form to a user
that gets submitted to j_security_check, the Tomcat authentication stuff
won't know where to send the user when the operation completes.  Your
web.xml and login.jsp look ok.  You just don't want your application to
serve a page that goes to j_security_check directly.  Instead, Tomcat
decides automagically when you need to login.  It then inserts itself into
the application flow by remembering where the user was trying to go, sending
the login page that you specify, then redirecting (or forwarding?) the user
to that place upon successful login.  Before using container-managed
security I was so used to creating AND SERVING my own login pages that it
took a while to wrap my brain around the fact that I no longer had to do
stuff like "if (req.getSession(false) == null) then send login page".
Just code your servlet to do what you want and let Tomcat worry about
when/if to present the login page.  The URL you'll access will be the
servlet or jsp that kicks off your business logic, not the login logic.

john






RE: j_security_check question

2002-07-03 Thread Kevin Andryc

OK, so here is where I am at. I have it set up such that, when a user tries to
access a servlet (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) they get
forwarded to a Login JSP page specified by my web.xml. Here is the problem:
when the user tries to log in, the Login form appears again, yet the URL is
shown as http://localhost:8080/dev/servlet/ProtectedPage. Why doesn't my
ProtectedPage servlet appear? I am really stuck. Below is my web.xml file:


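<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <url-pattern>/jsp/security/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/jsp/security/login.jsp</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>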


Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]




RE: j_security_check question

2002-07-03 Thread John Gregg

Hmmm.  Your auth constraint protects the login.jsp itself.  Try changing
that so the login.jsp is not protected.  Maybe you have a chicken and egg
problem.

john






RE: j_security_check question

2002-07-03 Thread Craig R. McClanahan



On Wed, 3 Jul 2002, John Gregg wrote:

> Date: Wed, 3 Jul 2002 12:59:57 -0500
> From: John Gregg <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED]
> To: 'Tomcat Users List' <[EMAIL PROTECTED]>
> Subject: RE: j_security_check question
>
> Hmmm.  Your auth constraint protects the login.jsp itself.  Try changing
> that so the login.jsp is not protected.  Maybe you have a chicken and egg
> problem.
>

IIRC, this is definitely an issue in Tomcat 3.3.  Tomcat 4 has a bunch of
special case checks so that the login page will be displayed anyway, even
if it is in the protected area.  Otherwise, you could never use a security
constraint with a URL pattern like "/*" that protected the entire webapp.

> john
>

Craig
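
The login flow John and Craig describe in this thread, as a simplified plain-Java model added here as an example (it is not Tomcat's code and not code from any poster). The `handle` method and the `kevin`/`s3cret` account are constructed for illustration, and serving the login page directly stands in for the Tomcat 4 special case Craig mentions.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of container-managed FORM login. Not Tomcat source code. */
public class FormLoginModel {
    // Values taken from the first web.xml in the thread.
    static final String LOGIN_PAGE = "/servlet/CustomLogin";
    static final String ERROR_PAGE = "/jsp/security/error.jsp";
    static final String PROTECTED_PREFIX = "/servlet/"; // url-pattern /servlet/*

    // Constructed account standing in for the realm's user store.
    static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("kevin", "s3cret"); }

    /** Per-session state kept by the container, not by the application. */
    static class Session {
        String savedRequest; // protected URL the user originally asked for
        String principal;    // set once login succeeds
    }

    /** Returns what the container would send back for one request. */
    static String handle(Session s, String path, String user, String password) {
        if (path.endsWith("/j_security_check")) {
            if (password == null || !password.equals(USERS.get(user))) {
                return "forward " + ERROR_PAGE;
            }
            if (s.savedRequest == null) {
                // Valid credentials, but the container never intercepted a
                // protected request, so it has nowhere to send the user.
                return "400 Invalid direct reference to form login page";
            }
            s.principal = user;
            String target = s.savedRequest;
            s.savedRequest = null;
            return "redirect " + target;
        }
        if (path.equals(LOGIN_PAGE)) {
            // Login page is shown even inside the protected area; nothing saved.
            return "200 login form";
        }
        if (path.startsWith(PROTECTED_PREFIX) && s.principal == null) {
            s.savedRequest = path; // remember where the user was trying to go
            return "forward " + LOGIN_PAGE;
        }
        return "200 " + path;
    }

    public static void main(String[] args) {
        // Flow 1: the user opens the login form directly and submits it.
        Session a = new Session();
        System.out.println(handle(a, "/servlet/CustomLogin", null, null));
        System.out.println(handle(a, "/servlet/j_security_check", "kevin", "s3cret"));

        // Flow 2: the user asks for the protected resource and the container steps in.
        Session b = new Session();
        System.out.println(handle(b, "/servlet/ProtectedPage", null, null));
        System.out.println(handle(b, "/servlet/j_security_check", "kevin", "s3cret"));
        System.out.println(handle(b, "/servlet/ProtectedPage", null, null));
    }
}
```

Flow 1 ends in the 400 error from the original question because no request was saved before the form was submitted; flow 2 ends at the protected servlet.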






Re: j_security_check question

2001-03-10 Thread Thomas Riemer

Most likely you are missing a JkMount statement.
You need to tell your web server that /j_security_check exists.

JkMount /j_security_check ajp12

Carlos Alonso wrote:

> Working with apache and tomcat found a problem with j_security_check
> using jdbcrealm.
>
> As j_security_check is an URI handled by tomcat and no (separate) class
> exists,  apache complains with no found error (seeking for
> j_security_check) trying to check us/pswd. Is there any way to use
> form-based security working with apache+tomcat?
>
> Thanks in advance
>
> Carlos
>




RE: j_security_check question: RequestDispatcher .forward!!

2002-07-03 Thread Kevin Andryc

OK,
So I found that I can access my servlet if I don't use the
RequestDispatcher.forward method. In other words, when I try to access my
page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get a login
JSP form that I specified. When I log in successfully, the login page
reappears when, in my ProtectedPage servlet, I use the RequestDispatcher.forward
method instead of using a PrintWriter to send back the response.
Why can I not use the RequestDispatcher? If I can, how???

Below is some code.

Web.xml

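<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <url-pattern>/jsp/security/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/jsp/security/login.jsp</form-login-page>
    <form-error-page>/jsp/security/error.jsp</form-error-page>
  </form-login-config>
</login-config>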


ProtectedPage.java
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProtectedPage extends HttpServlet {

    // Default constructor
    public ProtectedPage() {
        super();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    // Forwards every request to index.jsp.
    public void performTask(HttpServletRequest request, HttpServletResponse response) {
        try {
            String jspPage = "index.jsp";
            RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
            rd.forward(request, response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

index.jsp


Protected Page for Examples



You are logged in as remote user <%= request.getRemoteUser() %>
in session <%= session.getId() %>

<%
  if (request.getUserPrincipal() != null) {
%>
Your user principal name is
<%= request.getUserPrincipal().getName() %>
<%
  } else {
%>
No user principal could be identified.
<%
  }
%>

<%
  String role = request.getParameter("role");
  if (role == null)
role = "";
  if (role.length() > 0) {
if (request.isUserInRole(role)) {
%>
  You have been granted role <%= role %>
<%
} else {
%>
  You have not been granted role <%= role %>
<%
}
  }
%>



Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]




RE: j_security_check question: RequestDispatcher .forward!! PLZ HELP!

2002-07-08 Thread Kevin Andryc

I was wondering if anyone had an answer to this or should I e-mail the
Developers group? I found this snippet on the web and tried what they
suggested and it still doesn't work:

[begin quote]

One approach that will work in Tomcat 4.0 (because it was planned that way in
the servlet 2.3 spec) is based on the following reasoning:

* Security constraints are imposed only on the original request URI,
  not when doing RequestDispatcher.include or RequestDispatcher.forward

* Therefore, we can prohibit direct access to servlets (or JSP pages) by
  protecting them with a security constraint that disallowed access.

* In 2.3, if you define a security constraint that has an <auth-constraint>
  element with no nested <role-name> elements, the container interprets
  this to mean that absolutely no direct access to the protected URIs
  is allowed via requests -- they can only be accessed indirectly via
  a RequestDispatcher.

* You can simulate this behavior in 2.2 by using a security constraint with
  a <role-name> to which no users have been assigned.

Doing this forces all requests to come through your controller servlet, because
none of the JSP pages would be directly accessible.

[end quote]

Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]



-Original Message-
From: Kevin Andryc [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 04, 2002 05:31 PM
To: Tomcat Users List
Subject: RE: j_security_check question: RequestDispatcher .forward!! PLZ
HELP!

I am currently using Tomcat 4.0.4. My problem is that when I use the
RequestDispatcher and forward the request to the index.jsp page, it does not
work. Instead I get the login page. If you look at ProtectedPage.java, you
can see I forward the request to the index.jsp page. If it worked correctly,
I would type in (http://localhost:8080/dev/servlet/ProtectedPage) and a
login prompt would appear (login.jsp). Once I successfully logged in, I
should then go to my servlet (ProtectedPage), which should show index.jsp.
Instead, I get the login.jsp form when I successfully log in. When I changed
the ProtectedPage.java code so that it doesn't use the RequestDispatcher and
instead used a PrintWriter, it works fine. My question is, why can I not use
the RequestDispatcher??

Thanks for your help :).

Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]



-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 04, 2002 05:25 PM
To: Tomcat Users List
Subject: Re: j_security_check question: RequestDispatcher .forward!! PLZ
HELP!


On Thu, 4 Jul 2002, Kevin Andryc wrote:

> Date: Thu, 04 Jul 2002 15:46:04 -0400
> From: Kevin Andryc <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: j_security_check question: RequestDispatcher .forward!! PLZ HELP!
>
> OK,
> So I found that I can access my servlet if I don't use the
> RequestDispatcher .forward method. In other words, when I try and access my
> page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get a login
> JSP form that I specified. When I login successfully,the login page
> reappears when, in my ProtectedPage servlet, I use the RequestDispatcher
> .forward method instead of using a PrintWriter to send back the response.
> Why can I not use the RequestDispatcher, if I can, how???
>

If you are using Tomcat 3.x, you'll have a problem with your example code
below, because you've got the form login page inside your protected area.
That works fine in Tomcat 4, however.  In Tomcat 3, move your login page
to some directory that is *not* protected by a security constraint.

What is not obvious from your question is what it is, exactly, that you
are asking.  You seem to claim that you cannot use a request dispatcher,
but your code is doing exactly that.  So what is the problem?

Craig


> Below is some code.
>
> Web.xml
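> <security-constraint>
>   <display-name>Example Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/servlet/*</url-pattern>
>     <url-pattern>/jsp/security/*</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>     <role-name>tomcat</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Example Form-Based Authentication Area</realm-name>
>   <form-login-config>
>     <form-login-page>/jsp/security/login.jsp</form-login-page>
>     <form-error-page>/jsp/security/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>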
>
> ProtectedPage.java
> public class ProtectedPage extends HttpServlet  {
>
>   // Default constructor
>   public ProtectedPage() {
>   super();
>   }
>
>   public void doGet(HttpServletRequest request, HttpServletResponse
response)
> {
>   performTask(request, response);
>   }
>
>   pu