Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/9/15 9:45 AM, Christopher Schultz wrote: > On 9/7/15 2:17 PM, Sreyan Chakravarty wrote: >> I have found the cause of the problem. It seems that there is no >> null checking in the DataSourceRealm in Tomcat. What I mean is >> that if a

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/7/15 9:56 AM, Sreyan Chakravarty wrote: > I did what you said. That is pointing the web browser to a > protected resource without authentication and then logging in. It > works perfectly IF AND ONLY IF the credentials are ABSOLUTELY >

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/7/15 2:17 PM, Sreyan Chakravarty wrote: > I have found the cause of the problem. It seems that there is no > null checking in the DataSourceRealm in Tomcat. What I mean is that > if a particular user does not exist in the database and

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/9/15 12:49 PM, Sreyan Chakravarty wrote: > Okay can you please guide me on how to log the bug. That would be > great. If possible you could do it yourself also. 1. Register for Bugzilla at bz.apache.org 2. Fill-out this form:

Re: HTTP 400 with Form based authentication

Okay can you please guide me on how to log the bug. That would be great. If possible you could do it yourself also. And as far as opinions go I really don't know. The whole process of Realms seem confusing to me and its overtly complicated. Thanks for testing out the issue. On Wed, Sep 9, 2015

Re: HTTP 400 with Form based authentication

Hi. I have notv really followed this thread from the beginning, but maybe I can contribute something here.. On 07.09.2015 15:56, Sreyan Chakravarty wrote: .. Also can I webapp have different realms ? If so how do you distinguish them ? I was looking at the RealmBase source and I haven't

Re: HTTP 400 with Form based authentication

I did what you said. That is pointing the web browser to a protected resource without authentication and then logging in. It works perfectly IF AND ONLY IF the credentials are ABSOLUTELY correct. Otherwise I am getting undefined behavior an thats where I need your help now. First-: If I provide

Re: HTTP 400 with Form based authentication

Yes but what happens when the user passes a user-id that is not present in the DB. Or a password that is incorrect. How would the server handle that ? If I pass an incorrect user I am getting a NPE. And if I pass an invalid password but a valid user a am not being redirected to the

Re: HTTP 400 with Form based authentication

I have found the cause of the problem. It seems that there is no null checking in the DataSourceRealm in Tomcat. What I mean is that if a particular user does not exist in the database and is credentials are returned as a null string then no null checking is specified. I would like to open this

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 3:20 PM, Sreyan Chakravarty wrote: > Ok I found FormAuthenticator and landingPage attribute in it in the > source. You shouldn't need to look at the source. > But how do I use that in my application ? What do I do ? You

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 3:16 PM, Sreyan Chakravarty wrote: > Well Christopher thanks for that eye opener. I didn't know that the > specs were so inconsistent. They aren't inconsistent... it's just that they don't cover a popular use case. Remember that

Re: HTTP 400 with Form based authentication

I don't understand where did I request the login page directly ? I just put as index.jsp and and the error page as index.jsp?error=true. So where is my error ? On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomas wrote: > On 29/08/2015 22:16, Sreyan Chakravarty wrote: > > Okay this

Re: HTTP 400 with Form based authentication

Wait I am sure I am going wrong in a fundamental area. My security constraint is as follow-: TECHERS /teacher/success.jsp GET POST TEACHER FORM /index.jsp

RE: HTTP 400 with Form based authentication

> From: Sreyan Chakravarty [mailto:sreyan.mail...@gmail.com] > Subject: Re: HTTP 400 with Form based authentication > My security constraint is as follow-: > > FORM > > /index.jsp > /index.jsp?error=true > >

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 12:34 PM, Sreyan Chakravarty wrote: > Wait I am sure I am going wrong in a fundamental area. > > My security constraint is as follow-: > > > TECHERS > /teacher/success.jsp > GET POST > > > TEACHER > > > FORM >

Re: HTTP 400 with Form based authentication

First of all I did read the Servlet Spec, it provided no hint as to what I was doing wrong. So you are saying that I can't have a login form on the page when the welcome page ? Why not ? Tons of site have just that, like Twitter and Facebook. It seems weird why I can't have it on my welcome page.

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: > First of all I did read the Servlet Spec, it provided no hint as to > what I was doing wrong. > > So you are saying that I can't have a login form on the page when > the welcome page ? Why

Re: HTTP 400 with Form based authentication

On 31/08/2015 18:49, Christopher Schultz wrote: > Really the only thing the servlet spec is missing is a setting in > like or something like that, so > that if you try to login with j_security_check and you hadn't already > requested a protected resource, the container knows where to send the >

Re: HTTP 400 with Form based authentication

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 8/31/15 2:01 PM, Mark Thomas wrote: > On 31/08/2015 18:49, Christopher Schultz wrote: > >> Really the only thing the servlet spec is missing is a setting >> in like or something like >> that, so that if you try to login with

Re: HTTP 400 with Form based authentication

Well Christopher thanks for that eye opener. I didn't know that the specs were so inconsistent. Okay now regarding your comment-: "Servlet 3.0 added the HttpServletRequest.login() method would improved the situation greatly: you can implement your own login handler that plugs-into the

Re: HTTP 400 with Form based authentication

Ok I found FormAuthenticator and landingPage attribute in it in the source. But how do I use that in my application ? What do I do ? Any documentation for this ? On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < sreyan.mail...@gmail.com> wrote: > Well Christopher thanks for that eye opener.

Re: HTTP 400 with Form based authentication

On 31/08/2015 07:00, Sreyan Chakravarty wrote: > I don't understand where did I request the login page directly ? I just put > as index.jsp and and the error page as > index.jsp?error=true. > > So where is my error ? Did you request '/teacher/success.jsp' ? No, you did not. Did you request

Re: HTTP 400 with Form based authentication

On 29/08/2015 22:16, Sreyan Chakravarty wrote: Okay this is my first try at container based authentication using Realms in Tomcat. And things have gone wrong. Here is my login page -: snip/ My web.xml security configuration is -: security-constraint web-resource-collection