My original Tomcat application already had a login.jsp which POSTs to a servlet which sets various session attributes after validating the user, password, active flag, etc. Now, I've been asked to let some managers create their own content which will be straight HTML, PDFs, spreadsheets, etc. I want to use form authentication to do this. I was able to set up a realm for SQL Server with no problems. My login.jsp is now only called when protected resources are accessed. This login page is NOT called directly anymore. The login page and any images on the login.jsp page are all outside of the protected areas.
Unfortunately I now get the "Invalid direct reference to form login page" error. Originally I tried having the servlet simply redirect to j_security_check and received this error. Then I figured that perhaps a form POST is actually required, so I changed my code to use HttpClient and literally http/post to j_security_check. This produces the same error.

If I intentionally pass a bad password to j_security_check then the redirect to the error form works as I would expect. When the correct user and password are passed to j_security_check, the log records a successful authentication but returns a status code of 400 for the invalid direct reference error when the post to j_security_check is completed. A simple JSP with a form which posts directly to j_security_check without a servlet will redirect the user to the protected content as expected.

Is what I am trying to do simply not possible? I've seen posts where others have presumably done this but I have had no success.

I am running Tomcat 4.1.29 on Windows 2000 Server with a SQL Server 2000 database. I have the Java 1.4.2 SDK installed.

My login.jsp posts to a servlet with the following code used to post to j_security_check. username and password have been set to the request parameters. This is not currently using encoding during testing. Util.writeLog is just a class I have for debugging which does what it sounds like it does.

    ...
    // I'm using the following libraries from
    // http://jakarta.apache.org/commons/httpclient/index.html
    import org.apache.commons.httpclient.*;
    import org.apache.commons.httpclient.methods.*;
    ...
    // Point the client at the same host, port and scheme as the incoming request.
    HttpClient client = new HttpClient();
    client.getHostConfiguration().setHost(req.getServerName(), req.getServerPort(), req.getScheme());
    Util.writeLog(client.getHostConfiguration().getHostURL());

    // Build the form POST to the container's j_security_check action.
    PostMethod logPost = new PostMethod(req.getContextPath() + "/j_security_check");
    NameValuePair user = new NameValuePair("j_username", username);
    NameValuePair pass = new NameValuePair("j_password", password);
    // Debug logging only; this writes the cleartext password to the log.
    Util.writeLog("user=" + username + ",pass=" + password);
    logPost.setRequestBody(new NameValuePair[] { user, pass });
    logPost.setFollowRedirects(true);

    // Send the request, read the status, then release the connection.
    client.executeMethod(logPost);
    int statusCode = logPost.getStatusCode();
    Util.writeLog("status=" + statusCode + "," + logPost.getStatusText());
    logPost.releaseConnection();

The status returned is 400 for the Invalid Direct Reference error so I never get any further. I originally tried a simple redirect to j_security_check with the same result. Is there a header I need to add? Is there a cookie I need to set?

I could post my web.xml or server.xml but I don't think that will matter since the authentication works if I use a simple login.jsp with no servlet. My login.jsp just has the usual user and password in an HTML form but also has code to check to make sure the database is up before showing the login form.

Am I going about this all wrong? Should I just chuck posting to the servlet from my login.jsp and come up with another way to do what I need? Any help would be appreciated.

---
Bill Faulk
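A simplified model of the behaviour reported in the post above, added here as an example; it is not Tomcat's code or the poster's, and the class, method names, URLs and credentials are constructed for illustration. It assumes the container stores the original protected request in the session identified by the JSESSIONID cookie, so a server-side client that opens its own connection arrives at j_security_check without one.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of container form login; not Tomcat source. All names are hypothetical. */
public class FormLoginModel {
    // Session id -> URL of the protected request saved before the login page was shown.
    private final Map<String, String> savedRequest = new HashMap<>();
    private final Map<String, String> realm = Map.of("manager", "s3cret"); // constructed credentials
    private int nextId = 1;

    /** Unauthenticated request for a protected URL: save it in a new session, return the session id. */
    String requestProtected(String url) {
        String sessionId = "S" + nextId++;
        savedRequest.put(sessionId, url);
        return sessionId; // handed to the browser as its JSESSIONID cookie
    }

    /** POST to j_security_check. sessionCookie is null when the client sends no JSESSIONID. */
    String securityCheck(String sessionCookie, String user, String pass) {
        if (!pass.equals(realm.get(user))) {
            return "302 /error.jsp"; // bad credentials: redirect to the form error page
        }
        // Credentials are valid at this point, so a successful authentication is
        // logged before the container looks for somewhere to send the client.
        String original = sessionCookie == null ? null : savedRequest.remove(sessionCookie);
        if (original == null) {
            return "400 Invalid direct reference to form login page";
        }
        return "302 " + original; // back to the saved protected request
    }

    public static void main(String[] args) {
        FormLoginModel container = new FormLoginModel();
        String cookie = container.requestProtected("/managers/report.pdf");

        // Browser form posting straight to j_security_check: the cookie travels with it.
        System.out.println(container.securityCheck(cookie, "manager", "s3cret"));
        // Servlet using its own HTTP client: a separate connection with no JSESSIONID.
        System.out.println(container.securityCheck(null, "manager", "s3cret"));
        // Wrong password through the same server-side client.
        System.out.println(container.securityCheck(null, "manager", "wrong"));
    }
}
```

The three calls in `main` correspond to the three outcomes the post reports: the plain JSP form that works, the servlet-side POST that authenticates but returns 400, and the bad password that reaches the error page.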