Re: Form Based Authenticattion - j_security_check does not redirect from http to https
SKantS,

SKantS wrote:
> Also, I have redirected all my requests for port-80 to port-443.

How did you do this?

> Except, when I open the http://localhost//j_security_check page it
> does not get redirected and stays on http. This is the only page showing
> this deviation in behavior.

Are you entering that URL directly (by typing it into your browser), or
are you submitting your login.jsp to j_security_check?

When the redirect does not happen, does the URL in your browser show
j_security_check, or some other URL (presumably the URL you tried to
access before being challenged for your username and password)?

> For example, the http://localhost//security_check page gets
> redirected to https, and the same goes for my login page and all other pages
> in my app.
>
> Is this a known issue or is there a configuration that I am unaware of?

I would highly recommend upgrading to the latest 5.5.x version of
Tomcat: lots and lots and lots of stuff has been fixed. Perhaps this is
one of them. You could always check the changelog:
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

-chris

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Form Based Authenticattion - j_security_check does not redirect from http to https
SKantS wrote:
>
> Justin Randall-5 wrote:
>>
>> Hello,
>>
>> Are you using other filters?
>>
>> If you are, you will need the method to look like the below:
>>
>> public void doFilter(ServletRequest request, ServletResponse response,
>>         FilterChain filterChain) throws IOException, ServletException {
>>     HttpServletRequest req = (HttpServletRequest) request;
>>     HttpServletResponse rsp = (HttpServletResponse) response;
>>     rsp.sendRedirect(req.getRequestURI());
>>     filterChain.doFilter(request, response);
>> }
>>
>> However, from the looks of your stack trace the problem is with your
>> "login.jsp?action=error" page. You need to review your code to figure out
>> where and how it is trying to create an HttpSession (presumably in the
>> login error page) after a failed login attempt.
>>
>> Regards,
>>
>> Justin
>>
>
> Yes, I got the issue related to the exception resolved.
>
> But the concern right now is that I am not able to intercept the
> j_security_check page call in my doFilter method.
> When I open the j_security_check page, I start getting the request for the
> resources like images, css etc on this login page but no request for
> j_security page is present in the doFilter method.
>
> Is there a way I can intercept the j_security_page call?
>

j_security_check occurs in a valve, below the processing level of
servlets and filters, so you can't intercept it.

p
RE: Form Based Authenticattion - j_security_check does not redirect from http to https
Justin Randall-5 wrote:
>
> Hello,
>
> Are you using other filters?
>
> If you are, you will need the method to look like the below:
>
> public void doFilter(ServletRequest request, ServletResponse response,
>         FilterChain filterChain) throws IOException, ServletException {
>     HttpServletRequest req = (HttpServletRequest) request;
>     HttpServletResponse rsp = (HttpServletResponse) response;
>     rsp.sendRedirect(req.getRequestURI());
>     filterChain.doFilter(request, response);
> }
>
> However, from the looks of your stack trace the problem is with your
> "login.jsp?action=error" page. You need to review your code to figure out
> where and how it is trying to create an HttpSession (presumably in the
> login error page) after a failed login attempt.
>
> Regards,
>
> Justin
>

Yes, I got the issue related to the exception resolved.

But the concern right now is that I am not able to intercept the
j_security_check page call in my doFilter method.
When I open the j_security_check page, I start getting the request for the
resources like images, css etc on this login page but no request for
j_security page is present in the doFilter method.

Is there a way I can intercept the j_security_page call?

--
View this message in context: http://www.nabble.com/Form-Based-Authenticattion---j_security_check-does-not-redirect-from-http-to-https-tp20910454p20914635.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
RE: Form Based Authenticattion - j_security_check does not redirect from http to https
Hello,

Are you using other filters?

If you are, you will need the method to look like the below:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;
        rsp.sendRedirect(req.getRequestURI());
        filterChain.doFilter(request, response);
    }

However, from the looks of your stack trace the problem is with your
"login.jsp?action=error" page. You need to review your code to figure out
where and how it is trying to create an HttpSession (presumably in the
login error page) after a failed login attempt.

Regards,

Justin

> Date: Tue, 9 Dec 2008 02:29:53 -0800
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: RE: Form Based Authenticattion - j_security_check does not redirect
> from http to https
>
> Justin Randall-5 wrote:
> >
> > Hi again,
> >
> > I thought about this a little more and I think what you're experiencing
> > might be as a result of the RequestDispatcher.
> >
> > When the RequestDispatcher "forwards" to a URL resource, it overrides the
> > SSL/Authentication constraints you have set up. There is a way of getting
> > around this (which also adds an additional layer of maintenance
> > programming security in your code) by using Filters.
> >
> > Basically, in your web.xml you define a filter for your SSL protected
> > pages:
> >
> > <filter>
> >     <filter-name>MyFilterClass</filter-name>
> >     <filter-class>my.package.MyFilterClass</filter-class>
> > </filter>
> > <filter-mapping>
> >     <filter-name>MyFilterClass</filter-name>
> >     <url-pattern>/ssl/*</url-pattern>
> >     <dispatcher>FORWARD</dispatcher>
> >     <dispatcher>INCLUDE</dispatcher>
> >     <dispatcher>ERROR</dispatcher>
> > </filter-mapping>
> >
> > Below is a sample implementation of the "doFilter" that takes care of the
> > redirecting:
> >
> > public void doFilter(ServletRequest request, ServletResponse response,
> >         FilterChain arg2) throws IOException, ServletException {
> >     HttpServletRequest req = (HttpServletRequest) request;
> >     HttpServletResponse rsp = (HttpServletResponse) response;
> >     rsp.sendRedirect(req.getRequestURI());
> > }
> >
>
> I tried this but I got the following exception and the j_security_check page
> on http doesn't get redirected:
>
> java.lang.IllegalStateException: Cannot create a session after the response has been committed
>     at org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
>     at org.apache.catalina.connector.Request.getSession(Request.java:2031)
>     at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
>     at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
>     at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:545)
>     at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:494)
>     at org.apache.jasper.runtime.PageContextImpl._initialize(PageContextImpl.java:136)
>     at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:113)
>     at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:105)
>     at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:62)
>     at org.apache.jsp.login_jsp._jspService(login_jsp.java:33)
>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at com.solidcore.bl.servlet.TagFilter.doFilter(TagFilter.java:110)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
>     at org.apache.catalina.core.ApplicationDispatcher.pr
RE: Form Based Authenticattion - j_security_check does not redirect from http to https
Justin Randall-5 wrote:
>
> Hi again,
>
> I thought about this a little more and I think what you're experiencing
> might be as a result of the RequestDispatcher.
>
> When the RequestDispatcher "forwards" to a URL resource, it overrides the
> SSL/Authentication constraints you have set up. There is a way of getting
> around this (which also adds an additional layer of maintenance
> programming security in your code) by using Filters.
>
> Basically, in your web.xml you define a filter for your SSL protected
> pages:
>
> <filter>
>     <filter-name>MyFilterClass</filter-name>
>     <filter-class>my.package.MyFilterClass</filter-class>
> </filter>
> <filter-mapping>
>     <filter-name>MyFilterClass</filter-name>
>     <url-pattern>/ssl/*</url-pattern>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>INCLUDE</dispatcher>
>     <dispatcher>ERROR</dispatcher>
> </filter-mapping>
>
> Below is a sample implementation of the "doFilter" that takes care of the
> redirecting:
>
> public void doFilter(ServletRequest request, ServletResponse response,
>         FilterChain arg2) throws IOException, ServletException {
>     HttpServletRequest req = (HttpServletRequest) request;
>     HttpServletResponse rsp = (HttpServletResponse) response;
>     rsp.sendRedirect(req.getRequestURI());
> }
>

I tried this but I got the following exception and the j_security_check page
on http doesn't get redirected:

java.lang.IllegalStateException: Cannot create a session after the response has been committed
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
    at org.apache.catalina.connector.Request.getSession(Request.java:2031)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
    at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:545)
    at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:494)
    at org.apache.jasper.runtime.PageContextImpl._initialize(PageContextImpl.java:136)
    at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:113)
    at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:105)
    at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:62)
    at org.apache.jsp.login_jsp._jspService(login_jsp.java:33)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.solidcore.bl.servlet.TagFilter.doFilter(TagFilter.java:110)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.catalina.authenticator.FormAuthenticator.forwardToErrorPage(FormAuthenticator.java:337)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:260)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thr
RE: Form Based Authenticattion - j_security_check does not redirect from http to https
Hi again,

I thought about this a little more and I think what you're experiencing
might be as a result of the RequestDispatcher.

When the RequestDispatcher "forwards" to a URL resource, it overrides the
SSL/Authentication constraints you have set up. There is a way of getting
around this (which also adds an additional layer of maintenance
programming security in your code) by using Filters.

Basically, in your web.xml you define a filter for your SSL protected pages:

    <filter>
        <filter-name>MyFilterClass</filter-name>
        <filter-class>my.package.MyFilterClass</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>MyFilterClass</filter-name>
        <url-pattern>/ssl/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

Below is a sample implementation of the "doFilter" that takes care of the
redirecting:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain arg2) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;
        rsp.sendRedirect(req.getRequestURI());
    }

I hope this helps!

Justin

> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: RE: Form Based Authenticattion - j_security_check does not redirect
> from http to https
> Date: Tue, 9 Dec 2008 03:28:10 -0500
>
> Hello,
>
> Have you tried adding "j_security_check" to your web.xml for patterns which
> should be redirected to SSL?
>
> Regards,
>
> Justin
>
> > Date: Tue, 9 Dec 2008 00:17:36 -0800
> > From: [EMAIL PROTECTED]
> > To: users@tomcat.apache.org
> > Subject: Form Based Authenticattion - j_security_check does not redirect
> > from http to https
> >
> > Hi,
> >
> > I am using Apache Tomcat Version 5.5.2. I am running it on Windows XP
> > Professional Service Pack 2.
> >
> > I have a form based authentication for my application:
> >
> > […]
> > <login-config>
> >     <auth-method>FORM</auth-method>
> >     <realm-name>Authentication Area</realm-name>
> >     <form-login-config>
> >         <form-login-page>/login.jsp</form-login-page>
> >         <form-error-page>/login.jsp?action=error</form-error-page>
> >     </form-login-config>
> > </login-config>
> > […]
> >
> > Also, I have redirected all my requests for port-80 to port-443. So,
> > whenever I try to open a page in http, it automatically gets redirected to
> > https. This is working fine for all the pages.
> >
> > Except, when I open the http://localhost//j_security_check page it
> > does not get redirected and stays on http. This is the only page showing
> > this deviation in behavior.
> >
> > For example, the http://localhost//security_check page gets
> > redirected to https, and the same goes for my login page and all other pages
> > in my app.
> >
> > Is this a known issue or is there a configuration that I am unaware of?
> >
> > Thanks a lot.
> >
> > --
> > View this message in context:
> > http://www.nabble.com/Form-Based-Authenticattion---j_security_check-does-not-redirect-from-http-to-https-tp20910454p20910454.html
> > Sent from the Tomcat - User mailing list archive at Nabble.com.
RE: Form Based Authenticattion - j_security_check does not redirect from http to https
Hello,

Have you tried adding "j_security_check" to your web.xml for patterns which
should be redirected to SSL?

Regards,

Justin

> Date: Tue, 9 Dec 2008 00:17:36 -0800
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Form Based Authenticattion - j_security_check does not redirect from
> http to https
>
> Hi,
>
> I am using Apache Tomcat Version 5.5.2. I am running it on Windows XP
> Professional Service Pack 2.
>
> I have a form based authentication for my application:
>
> […]
> <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Authentication Area</realm-name>
>     <form-login-config>
>         <form-login-page>/login.jsp</form-login-page>
>         <form-error-page>/login.jsp?action=error</form-error-page>
>     </form-login-config>
> </login-config>
> […]
>
> Also, I have redirected all my requests for port-80 to port-443. So,
> whenever I try to open a page in http, it automatically gets redirected to
> https. This is working fine for all the pages.
>
> Except, when I open the http://localhost//j_security_check page it
> does not get redirected and stays on http. This is the only page showing
> this deviation in behavior.
>
> For example, the http://localhost//security_check page gets
> redirected to https, and the same goes for my login page and all other pages
> in my app.
>
> Is this a known issue or is there a configuration that I am unaware of?
>
> Thanks a lot.
>
> --
> View this message in context:
> http://www.nabble.com/Form-Based-Authenticattion---j_security_check-does-not-redirect-from-http-to-https-tp20910454p20910454.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.