Re: Keep having to login with container based authentaction.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dean, On 8/20/2009 8:14 AM, Dean Chester wrote: Ok ive discovered that they are not staying the same between clicks. I'm now going to look at encoding urls now. You should always encode your URLs. To test that your webapp is working in general, you should enable cookies on your web browser (which is probably why everything stopped working in the first place). It's also possible that an HTTP proxy is removing cookies on your behalf (to enforce a site policy, perhaps). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkqO4f8ACgkQ9CaO5/Lv0PA+6ACfW0DVRfzmCaxK8goUUOTuNQzg AXoAoIrBkelTxnQewFEsVO9J2efOCSjc =gI4K -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean On Thu, Aug 20, 2009 at 11:23 AM, Pid p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
On 20/08/2009 11:55, Dean Chester wrote: Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean You don't need to reply-to-all, just to the list. I'm obviously on the mailing list, so I'll get the message anyway - I don't need it twice. /myapp/index.jsp /myapp/secure/index.jsp /myapp/secure/page2.jsp So you're logging into the secure area, and trying to view, e.g. page2.jsp from a link on the e.g. index.jsp page? Do the logs have any errors in them? If so, what are they? Are you encoding all of the URLs properly? How long between clicks? What is the session timeout in your web.xml? How have you defined the security-constraint in web.xml? Which Realm are you using? Perhaps you could post a little bit more information? p On Thu, Aug 20, 2009 at 11:23 AM, Pid p...@pidster.com mailto:p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org mailto:users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org mailto:users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
Sorry about that. Yes i have a index page in the restricted area that has links to other restricted jsps. The Logs are not reporting anything. How do you mean encode your urls? I haven't set a time out in the web.xml file so its using the default. The time between clicks is usually about 1-2 seconds. Here is some of my web.xml file: security-constraint web-resource-collection web-resource-nameusers/web-resource-name url-pattern/add/*/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint /security-constraint security-constraint web-resource-collection web-resource-nameadmin/web-resource-name url-pattern/admin/*/url-pattern /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/login-error.jsp/form-error-page /form-login-config /login-config security-role role-nameadmin/role-name /security-role security-role role-nameuser/role-name /security-role I am using the default realm which i know works. Dean On Thu, Aug 20, 2009 at 12:19 PM, Pid p...@pidster.com wrote: On 20/08/2009 11:55, Dean Chester wrote: Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean You don't need to reply-to-all, just to the list. I'm obviously on the mailing list, so I'll get the message anyway - I don't need it twice. /myapp/index.jsp /myapp/secure/index.jsp /myapp/secure/page2.jsp So you're logging into the secure area, and trying to view, e.g. page2.jsp from a link on the e.g. index.jsp page? Do the logs have any errors in them? If so, what are they? Are you encoding all of the URLs properly? How long between clicks? What is the session timeout in your web.xml? How have you defined the security-constraint in web.xml? Which Realm are you using? Perhaps you could post a little bit more information? p On Thu, Aug 20, 2009 at 11:23 AM, Pid p...@pidster.com mailto:p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org mailto:users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org mailto:users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
By default realm i mean the one that is set up in the server.xml and it is a JDBC Realm. Dean On Thu, Aug 20, 2009 at 12:36 PM, Dean Chester dean.g.ches...@googlemail.com wrote: Sorry about that. Yes i have a index page in the restricted area that has links to other restricted jsps. The Logs are not reporting anything. How do you mean encode your urls? I haven't set a time out in the web.xml file so its using the default. The time between clicks is usually about 1-2 seconds. Here is some of my web.xml file: security-constraint web-resource-collection web-resource-nameusers/web-resource-name url-pattern/add/*/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint /security-constraint security-constraint web-resource-collection web-resource-nameadmin/web-resource-name url-pattern/admin/*/url-pattern /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/login-error.jsp/form-error-page /form-login-config /login-config security-role role-nameadmin/role-name /security-role security-role role-nameuser/role-name /security-role I am using the default realm which i know works. Dean On Thu, Aug 20, 2009 at 12:19 PM, Pid p...@pidster.com wrote: On 20/08/2009 11:55, Dean Chester wrote: Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean You don't need to reply-to-all, just to the list. I'm obviously on the mailing list, so I'll get the message anyway - I don't need it twice. /myapp/index.jsp /myapp/secure/index.jsp /myapp/secure/page2.jsp So you're logging into the secure area, and trying to view, e.g. page2.jsp from a link on the e.g. index.jsp page? Do the logs have any errors in them? If so, what are they? Are you encoding all of the URLs properly? How long between clicks? What is the session timeout in your web.xml? How have you defined the security-constraint in web.xml? Which Realm are you using? Perhaps you could post a little bit more information? p On Thu, Aug 20, 2009 at 11:23 AM, Pid p...@pidster.com mailto:p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org mailto:users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org mailto:users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
On 20/08/2009 12:36, Dean Chester wrote: Sorry about that. Yes i have a index page in the restricted area that has links to other restricted jsps. The Logs are not reporting anything. How do you mean encode your urls? If you're being asked to log in every click, your session is probably not being preserved. The session ID is set in a cookie or by encoding the URL to include the session id: /path/to/page.jsp;jsessionid=00AF00?query=paramgo=here Most browsers have a variety of dev tools you can use to examine cookies, or response headers (e.g. Set-Cookie) to see if the cookie is being set properly. If it's not, you'll need to encode the URL so that it contains the session id. The servlet spec, (which of course you have read), has a handy method on the HttpServletResponse object which can do this. Encode each URL to ensure that the session id is preserved. a href=%= response.encodeURL(request.getContextPath() + '/path/to/page.jsp') % alt=a linkLinked text/a p P.S. There are tag libraries that exist to make this easier/less clumsy looking. I haven't set a time out in the web.xml file so its using the default. The time between clicks is usually about 1-2 seconds. Here is some of my web.xml file: security-constraint web-resource-collection web-resource-nameusers/web-resource-name url-pattern/add/*/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint /security-constraint security-constraint web-resource-collection web-resource-nameadmin/web-resource-name url-pattern/admin/*/url-pattern /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/login-error.jsp/form-error-page /form-login-config /login-config security-role role-nameadmin/role-name /security-role security-role role-nameuser/role-name /security-role I am using the default realm which i know works. Dean On Thu, Aug 20, 2009 at 12:19 PM, Pidp...@pidster.com wrote: On 20/08/2009 11:55, Dean Chester wrote: Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean You don't need to reply-to-all, just to the list. I'm obviously on the mailing list, so I'll get the message anyway - I don't need it twice. /myapp/index.jsp /myapp/secure/index.jsp /myapp/secure/page2.jsp So you're logging into the secure area, and trying to view, e.g. page2.jsp from a link on the e.g. index.jsp page? Do the logs have any errors in them? If so, what are they? Are you encoding all of the URLs properly? How long between clicks? What is the session timeout in your web.xml? How have you defined thesecurity-constraint in web.xml? Which Realm are you using? Perhaps you could post a little bit more information? p On Thu, Aug 20, 2009 at 11:23 AM, Pidp...@pidster.com mailto:p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org mailto:users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org mailto:users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
On 20/08/2009 12:40, Dean Chester wrote: By default realm i mean the one that is set up in the server.xml and it is a JDBC Realm. Which'll do for testing, but you should use a DataSourceRealm for production. p Dean On Thu, Aug 20, 2009 at 12:36 PM, Dean Chester dean.g.ches...@googlemail.com wrote: Sorry about that. Yes i have a index page in the restricted area that has links to other restricted jsps. The Logs are not reporting anything. How do you mean encode your urls? I haven't set a time out in the web.xml file so its using the default. The time between clicks is usually about 1-2 seconds. Here is some of my web.xml file: security-constraint web-resource-collection web-resource-nameusers/web-resource-name url-pattern/add/*/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint /security-constraint security-constraint web-resource-collection web-resource-nameadmin/web-resource-name url-pattern/admin/*/url-pattern /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/login-error.jsp/form-error-page /form-login-config /login-config security-role role-nameadmin/role-name /security-role security-role role-nameuser/role-name /security-role I am using the default realm which i know works. Dean On Thu, Aug 20, 2009 at 12:19 PM, Pidp...@pidster.com wrote: On 20/08/2009 11:55, Dean Chester wrote: Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean You don't need to reply-to-all, just to the list. I'm obviously on the mailing list, so I'll get the message anyway - I don't need it twice. /myapp/index.jsp /myapp/secure/index.jsp /myapp/secure/page2.jsp So you're logging into the secure area, and trying to view, e.g. page2.jsp from a link on the e.g. index.jsp page? Do the logs have any errors in them? If so, what are they? Are you encoding all of the URLs properly? How long between clicks? What is the session timeout in your web.xml? How have you defined thesecurity-constraint in web.xml? Which Realm are you using? Perhaps you could post a little bit more information? p On Thu, Aug 20, 2009 at 11:23 AM, Pidp...@pidster.com mailto:p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org mailto:users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org mailto:users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
On 20/08/2009 13:00, Pid wrote: On 20/08/2009 12:36, Dean Chester wrote: Sorry about that. Yes i have a index page in the restricted area that has links to other restricted jsps. The Logs are not reporting anything. How do you mean encode your urls? If you're being asked to log in every click, your session is probably not being preserved. The session ID is set in a cookie or by encoding the URL to include the session id: /path/to/page.jsp;jsessionid=00AF00?query=paramgo=here Most browsers have a variety of dev tools you can use to examine cookies, or response headers (e.g. Set-Cookie) to see if the cookie is being set properly. If it's not, you'll need to encode the URL so that it contains the session id. The servlet spec, (which of course you have read), has a handy method on the HttpServletResponse object which can do this. Encode each URL to ensure that the session id is preserved. a href=%= response.encodeURL(request.getContextPath() + '/path/to/page.jsp') % alt=a linkLinked text/a p If you have a common footer, included in your JSPs you can add the session id to it, so you can see it on each page - it should not change between clicks if you've encoded URls properly. %= request.getSession().getId() % Or if you're using JSP Expression Language ${pageContext.session.id} p P.S. There are tag libraries that exist to make this easier/less clumsy looking. I haven't set a time out in the web.xml file so its using the default. The time between clicks is usually about 1-2 seconds. Here is some of my web.xml file: security-constraint web-resource-collection web-resource-nameusers/web-resource-name url-pattern/add/*/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint /security-constraint security-constraint web-resource-collection web-resource-nameadmin/web-resource-name url-pattern/admin/*/url-pattern /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/login-error.jsp/form-error-page /form-login-config /login-config security-role role-nameadmin/role-name /security-role security-role role-nameuser/role-name /security-role I am using the default realm which i know works. Dean On Thu, Aug 20, 2009 at 12:19 PM, Pidp...@pidster.com wrote: On 20/08/2009 11:55, Dean Chester wrote: Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean You don't need to reply-to-all, just to the list. I'm obviously on the mailing list, so I'll get the message anyway - I don't need it twice. /myapp/index.jsp /myapp/secure/index.jsp /myapp/secure/page2.jsp So you're logging into the secure area, and trying to view, e.g. page2.jsp from a link on the e.g. index.jsp page? Do the logs have any errors in them? If so, what are they? Are you encoding all of the URLs properly? How long between clicks? What is the session timeout in your web.xml? How have you defined thesecurity-constraint in web.xml? Which Realm are you using? Perhaps you could post a little bit more information? p On Thu, Aug 20, 2009 at 11:23 AM, Pidp...@pidster.com mailto:p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org mailto:users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org mailto:users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keep having to login with container based authentaction.
Ok ive discovered that they are not staying the same between clicks. I'm now going to look at encoding urls now. Dean On Thu, Aug 20, 2009 at 1:06 PM, Pid p...@pidster.com wrote: On 20/08/2009 13:00, Pid wrote: On 20/08/2009 12:36, Dean Chester wrote: Sorry about that. Yes i have a index page in the restricted area that has links to other restricted jsps. The Logs are not reporting anything. How do you mean encode your urls? If you're being asked to log in every click, your session is probably not being preserved. The session ID is set in a cookie or by encoding the URL to include the session id: /path/to/page.jsp;jsessionid=00AF00?query=paramgo=here Most browsers have a variety of dev tools you can use to examine cookies, or response headers (e.g. Set-Cookie) to see if the cookie is being set properly. If it's not, you'll need to encode the URL so that it contains the session id. The servlet spec, (which of course you have read), has a handy method on the HttpServletResponse object which can do this. Encode each URL to ensure that the session id is preserved. a href=%= response.encodeURL(request.getContextPath() + '/path/to/page.jsp') % alt=a linkLinked text/a p If you have a common footer, included in your JSPs you can add the session id to it, so you can see it on each page - it should not change between clicks if you've encoded URls properly. %= request.getSession().getId() % Or if you're using JSP Expression Language ${pageContext.session.id} p P.S. There are tag libraries that exist to make this easier/less clumsy looking. I haven't set a time out in the web.xml file so its using the default. The time between clicks is usually about 1-2 seconds. Here is some of my web.xml file: security-constraint web-resource-collection web-resource-nameusers/web-resource-name url-pattern/add/*/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint /security-constraint security-constraint web-resource-collection web-resource-nameadmin/web-resource-name url-pattern/admin/*/url-pattern /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/login-error.jsp/form-error-page /form-login-config /login-config security-role role-nameadmin/role-name /security-role security-role role-nameuser/role-name /security-role I am using the default realm which i know works. Dean On Thu, Aug 20, 2009 at 12:19 PM, Pidp...@pidster.com wrote: On 20/08/2009 11:55, Dean Chester wrote: Sorry Tomcat 6.20, Red Hat Enterprise edition 4 i think. java 1.6. And i mean once logged in i have to login again after clicking on a link in the restricted area. Dean You don't need to reply-to-all, just to the list. I'm obviously on the mailing list, so I'll get the message anyway - I don't need it twice. /myapp/index.jsp /myapp/secure/index.jsp /myapp/secure/page2.jsp So you're logging into the secure area, and trying to view, e.g. page2.jsp from a link on the e.g. index.jsp page? Do the logs have any errors in them? If so, what are they? Are you encoding all of the URLs properly? How long between clicks? What is the session timeout in your web.xml? How have you defined thesecurity-constraint in web.xml? Which Realm are you using? Perhaps you could post a little bit more information? p On Thu, Aug 20, 2009 at 11:23 AM, Pidp...@pidster.com mailto:p...@pidster.com wrote: On 20/08/2009 10:40, Dean Chester wrote: Hi, I've written my application using j_security_check yet i keep having to log in in the restricted area. Has anyone else experienced this? Yep. I have to log in each time I want to use our app - it's a side effect of implementing security. Or is your question referring to a less vague and more specific issue? Because it works with a small amount of JSPs and then when i implement it all in to my application it doesn't work. I might need to warm up my Internet Telepathy(tm) without some more information... Where am i most likely going wrong? Not telling us your Tomcat version, JVM version, OS version... p Thanks in advance Dean - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org mailto:users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org mailto:users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For