Re: Form Based Authentication - j_security_check does not redirect from http to https

2008-12-09 Thread Christopher Schultz

SKantS,

SKantS wrote:
> Also, I have redirected all my requests for port-80 to port-443.

How did you do this?

> Except, when I open the http://localhost//j_security_check page it
> does not get redirected and stays on http. This is the only page showing
> this deviation in behavior.

Are you entering that URL directly (by typing it into your browser), or
are you submitting your login.jsp to j_security_check? When the redirect
does not happen, does the URL in your browser show j_security_check, or
some other URL (presumably the URL you tried to access before being
challenged for your username and password)?

> For example, the http://localhost//security_check page gets
> redirected to https, and the same goes for my login page and all other pages
> in my app.
> 
> Is this a known issue or is there a configuration that I am unaware of?

I would highly recommend upgrading to the latest 5.5.x version of
Tomcat: lots and lots and lots of stuff has been fixed. Perhaps this is
one of them. You could always check the changelog:
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

-chris


Re: Form Based Authentication - j_security_check does not redirect from http to https

2008-12-09 Thread Pid
SKantS wrote:
> 
> 
> Justin Randall-5 wrote:
>>
>> Hello,
>>
>> Are you using other filters?
>>
>> If you are, you will need the method to look like the below:
>>
>> public void doFilter(ServletRequest request, ServletResponse response,
>>         FilterChain filterChain) throws IOException, ServletException {
>>     HttpServletRequest req = (HttpServletRequest) request;
>>     HttpServletResponse rsp = (HttpServletResponse) response;
>>     rsp.sendRedirect(req.getRequestURI());
>>     filterChain.doFilter(request, response);
>> }
>>
>> However, from the looks of your stack trace the problem is with your
>> "login.jsp?action=error" page.  You need to review your code to figure out
>> where and how it is trying to create an HttpSession (presumably in the
>> login error page) after a failed login attempt.
>>
>> Regards,
>>
>> Justin
>>
>>
> 
> Yes, I got the issue related to the exception resolved.
> 
> But the concern right now is that I am not able to intercept the
> j_security_check page call in my doFilter method. 
> When I open the j_security_check page, I start getting the request for the
> resources like images, css etc on this login page but no request for
> j_security page is present in the doFilter method.
> 
> Is there a way I can intercept the j_security_page call?
>

j_security_check occurs in a valve, below the processing level of
servlets and filters, so you can't intercept it.


p









RE: Form Based Authentication - j_security_check does not redirect from http to https

2008-12-09 Thread SKantS



Justin Randall-5 wrote:
> 
> 
> Hello,
> 
> Are you using other filters?
> 
> If you are, you will need the method to look like the below:
> 
> public void doFilter(ServletRequest request, ServletResponse response,
>         FilterChain filterChain) throws IOException, ServletException {
>     HttpServletRequest req = (HttpServletRequest) request;
>     HttpServletResponse rsp = (HttpServletResponse) response;
>     rsp.sendRedirect(req.getRequestURI());
>     filterChain.doFilter(request, response);
> }
> 
> However, from the looks of your stack trace the problem is with your
> "login.jsp?action=error" page.  You need to review your code to figure out
> where and how it is trying to create an HttpSession (presumably in the
> login error page) after a failed login attempt.
> 
> Regards,
> 
> Justin
> 
> 

Yes, I got the issue related to the exception resolved.

But the concern right now is that I am not able to intercept the
j_security_check page call in my doFilter method. 
When I open the j_security_check page, I start getting the request for the
resources like images, css etc on this login page but no request for
j_security page is present in the doFilter method.

Is there a way I can intercept the j_security_page call?





RE: Form Based Authentication - j_security_check does not redirect from http to https

2008-12-09 Thread Justin Randall

Hello,

Are you using other filters?

If you are, you will need the method to look like the below:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse rsp = (HttpServletResponse) response;
    rsp.sendRedirect(req.getRequestURI());
    filterChain.doFilter(request, response);
}

However, from the looks of your stack trace the problem is with your 
"login.jsp?action=error" page.  You need to review your code to figure out 
where and how it is trying to create an HttpSession (presumably in the login 
error page) after a failed login attempt.

Regards,

Justin

> Date: Tue, 9 Dec 2008 02:29:53 -0800
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: RE: Form Based Authentication - j_security_check does not redirect 
> from http to https
> 
> 
> 
> Justin Randall-5 wrote:
> > 
> > 
> > Hi again,
> > 
> > I thought about this a little more and I think what you're experiencing
> > might be as a result of the RequestDispatcher.
> > 
> > When the RequestDispatcher "forwards" to a URL resource, it overrides the
> > SSL/Authentication constraints you have set up.  There is a way of getting
> > around this (which also adds an additional layer of maintenance
> > programming security in your code) by using Filters.
> > 
> > Basically, in your web.xml you define a filter for your SSL protected
> > pages:
> > 
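> > <filter>
> >   <filter-name>MyFilterClass</filter-name>
> >   <filter-class>my.package.MyFilterClass</filter-class>
> > </filter>
> > <filter-mapping>
> >   <filter-name>MyFilterClass</filter-name>
> >   <url-pattern>/ssl/*</url-pattern>
> >   <dispatcher>FORWARD</dispatcher>
> >   <dispatcher>INCLUDE</dispatcher>
> >   <dispatcher>ERROR</dispatcher>
> > </filter-mapping>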
> > 
> > Below is a sample implementation of the "doFilter" that takes care of the
> > redirecting:
> > 
> > public void doFilter(ServletRequest request, ServletResponse response,
> >         FilterChain arg2) throws IOException, ServletException {
> >     HttpServletRequest req = (HttpServletRequest) request;
> >     HttpServletResponse rsp = (HttpServletResponse) response;
> >     rsp.sendRedirect(req.getRequestURI());
> > }
> > 
> > 
> 
> 
> I tried this but I got the following exception and the j_security_check page
> on http doesn't get redirected:
> 
> java.lang.IllegalStateException: Cannot create a session after the response
> has been committed
>   at org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
>   at org.apache.catalina.connector.Request.getSession(Request.java:2031)
>   at
> org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
>   at
> javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
>   at
> org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:545)
>   at
> org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:494)
>   at
> org.apache.jasper.runtime.PageContextImpl._initialize(PageContextImpl.java:136)
>   at
> org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:113)
>   at
> org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:105)
>   at
> org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:62)
>   at org.apache.jsp.login_jsp._jspService(login_jsp.java:33)
>   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>   at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
>   at 
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
>   at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>   at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>   at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>   at com.solidcore.bl.servlet.TagFilter.doFilter(TagFilter.java:110)
>   at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>   at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>   at
> org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
>   at
> org.apache.catalina.core.ApplicationDispatcher.pr
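
Added example (not part of the original thread, and not any poster's or Tomcat's own code): a redirect filter for the approach discussed above that sends plain-HTTP GET requests to an absolute https:// URL and stops the chain once the redirect is committed, so nothing downstream runs against a committed response, which is the condition behind the IllegalStateException in this thread. The class name HttpsRedirectFilter and the HTTPS_PORT constant are assumptions for illustration; port 443 is taken from the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; an illustration, not code from this thread.
public class HttpsRedirectFilter implements Filter {

    // Assumption: HTTPS is served on port 443, as described in the thread.
    private static final int HTTPS_PORT = 443;

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;

        if (req.isSecure()) {
            // Already on HTTPS: hand the request on unchanged.
            chain.doFilter(request, response);
            return;
        }
        String method = req.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A POST body (for example credentials) has already crossed the
            // wire in clear text; a redirect cannot undo that, so refuse it.
            rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // Build an absolute https:// URL. Redirecting to getRequestURI() alone
        // sends the browser back to the same http:// address. getServerName()
        // reflects the client's Host header; pin it to a configured host name
        // if the application can be reached under untrusted names.
        StringBuilder target = new StringBuilder("https://").append(req.getServerName());
        if (HTTPS_PORT != 443) {
            target.append(':').append(HTTPS_PORT);
        }
        target.append(req.getRequestURI());
        if (req.getQueryString() != null) {
            target.append('?').append(req.getQueryString());
        }
        rsp.sendRedirect(target.toString());
        // Stop here: sendRedirect commits the response, so nothing further
        // down the chain may write to it or create a session.
    }
}
```

As noted elsewhere in this thread, Tomcat handles j_security_check in a valve before filters run, so a filter like this covers the login page and other resources but never sees the credential POST itself.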

RE: Form Based Authentication - j_security_check does not redirect from http to https

2008-12-09 Thread SKantS


Justin Randall-5 wrote:
> 
> 
> Hi again,
> 
> I thought about this a little more and I think what you're experiencing
> might be as a result of the RequestDispatcher.
> 
> When the RequestDispatcher "forwards" to a URL resource, it overrides the
> SSL/Authentication constraints you have set up.  There is a way of getting
> around this (which also adds an additional layer of maintenance
> programming security in your code) by using Filters.
> 
> Basically, in your web.xml you define a filter for your SSL protected
> pages:
> 
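> <filter>
>   <filter-name>MyFilterClass</filter-name>
>   <filter-class>my.package.MyFilterClass</filter-class>
> </filter>
> <filter-mapping>
>   <filter-name>MyFilterClass</filter-name>
>   <url-pattern>/ssl/*</url-pattern>
>   <dispatcher>FORWARD</dispatcher>
>   <dispatcher>INCLUDE</dispatcher>
>   <dispatcher>ERROR</dispatcher>
> </filter-mapping>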
> 
> Below is a sample implementation of the "doFilter" that takes care of the
> redirecting:
> 
> public void doFilter(ServletRequest request, ServletResponse response,
>         FilterChain arg2) throws IOException, ServletException {
>     HttpServletRequest req = (HttpServletRequest) request;
>     HttpServletResponse rsp = (HttpServletResponse) response;
>     rsp.sendRedirect(req.getRequestURI());
> }
> 
> 


I tried this but I got the following exception and the j_security_check page
on http doesn't get redirected:

java.lang.IllegalStateException: Cannot create a session after the response has been committed
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
    at org.apache.catalina.connector.Request.getSession(Request.java:2031)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
    at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:545)
    at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:494)
    at org.apache.jasper.runtime.PageContextImpl._initialize(PageContextImpl.java:136)
    at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:113)
    at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:105)
    at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:62)
    at org.apache.jsp.login_jsp._jspService(login_jsp.java:33)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.solidcore.bl.servlet.TagFilter.doFilter(TagFilter.java:110)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
    at org.apache.catalina.authenticator.FormAuthenticator.forwardToErrorPage(FormAuthenticator.java:337)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:260)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thr

RE: Form Based Authentication - j_security_check does not redirect from http to https

2008-12-09 Thread Justin Randall

Hi again,

I thought about this a little more and I think what you're experiencing might 
be as a result of the RequestDispatcher.

When the RequestDispatcher "forwards" to a URL resource, it overrides the 
SSL/Authentication constraints you have set up.  There is a way of getting 
around this (which also adds an additional layer of maintenance programming 
security in your code) by using Filters.

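Basically, in your web.xml you define a filter for your SSL protected pages:

<filter>
  <filter-name>MyFilterClass</filter-name>
  <filter-class>my.package.MyFilterClass</filter-class>
</filter>
<filter-mapping>
  <filter-name>MyFilterClass</filter-name>
  <url-pattern>/ssl/*</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>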

Below is a sample implementation of the "doFilter" that takes care of the 
redirecting:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain arg2) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse rsp = (HttpServletResponse) response;
    rsp.sendRedirect(req.getRequestURI());
}

I hope this helps!

Justin

> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: RE: Form Based Authentication - j_security_check does not redirect 
> from http to https
> Date: Tue, 9 Dec 2008 03:28:10 -0500
> 
> 
> Hello,
> 
> Have you tried adding "j_security_check" to your web.xml for patterns which 
> should be redirected to SSL?
> 
> Regards,
> 
> Justin
> 
> > Date: Tue, 9 Dec 2008 00:17:36 -0800
> > From: [EMAIL PROTECTED]
> > To: users@tomcat.apache.org
> > Subject: Form Based Authentication - j_security_check does not redirect 
> > from http to https
> > 
> > 
> > Hi,
> > 
> > I am using Apache Tomcat Version 5.5.2. I am running it on Windows XP
> > Professional Service Pack 2.
> > 
> > I have a form based authentication for my application:
> > 
> > […]
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>Authentication Area</realm-name>
> >   <form-login-config>
> >     <form-login-page>/login.jsp</form-login-page>
> >     <form-error-page>/login.jsp?action=error</form-error-page>
> >   </form-login-config>
> > </login-config>
> > […]
> > 
> > Also, I have redirected all my requests for port-80 to port-443. So,
> > whenever I try to open a page in http, it automatically gets redirected to
> > https. This is working fine for all the pages.
> > 
> > Except, when I open the http://localhost//j_security_check page it
> > does not get redirected and stays on http. This is the only page showing
> > this deviation in behavior.
> > 
> > For example, the http://localhost//security_check page gets
> > redirected to https, and the same goes for my login page and all other pages
> > in my app.
> > 
> > Is this a known issue or is there a configuration that I am unaware of?
> > 
> > Thanks a lot.


RE: Form Based Authentication - j_security_check does not redirect from http to https

2008-12-09 Thread Justin Randall

Hello,

Have you tried adding "j_security_check" to your web.xml for patterns which 
should be redirected to SSL?

Regards,

Justin

> Date: Tue, 9 Dec 2008 00:17:36 -0800
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Form Based Authentication - j_security_check does not redirect from 
> http to https
> 
> 
> Hi,
> 
> I am using Apache Tomcat Version 5.5.2. I am running it on Windows XP
> Professional Service Pack 2.
> 
> I have a form based authentication for my application:
> 
> […]
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Authentication Area</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/login.jsp?action=error</form-error-page>
>   </form-login-config>
> </login-config>
> […]
> 
> Also, I have redirected all my requests for port-80 to port-443. So,
> whenever I try to open a page in http, it automatically gets redirected to
> https. This is working fine for all the pages.
> 
> Except, when I open the http://localhost//j_security_check page it
> does not get redirected and stays on http. This is the only page showing
> this deviation in behavior.
> 
> For example, the http://localhost//security_check page gets
> redirected to https, and the same goes for my login page and all other pages
> in my app.
> 
> Is this a known issue or is there a configuration that I am unaware of?
> 
> Thanks a lot.