The updated web.xml below now correctly lists the required security-role tags, but the only effect was to bring the form.html resource into the secured area (i.e. login is requested before accessing this page now), so I have also modified web.xml to put form.html *outside* the secured area - thus still requiring post data to transition the form based logon.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Signon</web-resource-name>
      <description>Declarative security tests</description>
      <!--url-pattern>/form.html</url-pattern-->
      <url-pattern>/process.jsp</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
      <role-name>merchant</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>customer</role-name></security-role>
  <security-role><role-name>merchant</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>

I can't see the point of protecting the POST method if the data fails to transition. Has anyone got a working example of this?

Thanks
Martin

-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 27 March 2004 09:47
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?

I forgot to mention its behaviour!! Basically when there is no security constraint, it works. When there is a security constraint, the post data gets killed.
Martin

-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 27 March 2004 09:43
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?

Hi Adam,

I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss 3.2.3 embedded Tomcat 4.1.

Martin

Index.html
<html>
<body>
<a href="form.html">form</a>
</body>
</html>

form.html
<html>
<body>
<form action="process.jsp" method="post">
<input type="text" name="text1"/>
<input type="submit" value="OK"/>
</form>
</body>
</html>

login.html
<html>
<body>
<h4>Please login:</h4>
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit" value="OK">
</form>
</body>
</html>

process.jsp
<html>
<body>
text1=<%=request.getParameter("text1")%>
</body>
</html>

WEB-INF\web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Signon</web-resource-name>
      <description>Declarative security tests</description>
      <url-pattern>/form.html</url-pattern>
      <url-pattern>/process.jsp</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
      <role-name>merchant</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

WEB-INF\jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
<jboss-web>
  <security-domain>java:/jaas/authtest</security-domain>
  <!-- Resource Environment References -->
  <!-- Resource references -->
  <!-- EJB References -->
</jboss-web>

-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 25 March 2004 15:10
To: Tomcat Users List
Subject: Re: post data through form based authentication example?

Martin,

I would check your problem again. That is not the normal behaviour of the container-managed login. It will cache the original request during the login and send it on to the originally requested URL.

Adam

On 03/25/2004 02:45 PM Martin Alley wrote:
> Hi,
>
> Has anyone got an example of a servlet secured with form based
> authentication, where the request to the servlet is posted, from outside
> the secured area?
>
> My actual situation is I already have a web application with form based
> auth working fine, but I have a problem when the user is at a web form,
> about to post the data when their session times out. Then they submit
> the form, get sent to the login page, and then on to the original
> form processing servlet. However the post data is now lost.
>
> I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote
> connector.
>
> Thanks in advance
> Martin
> PS I have also posted to JBoss
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
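Added here as an illustration, and not code from the thread, Tomcat or JBoss: a Python model of the container-managed login round trip Adam describes (the POST to /process.jsp is stashed in the session, the client is bounced to login.html, and after j_security_check succeeds the stashed request is replayed on the original URL), which also shows the one way the model loses the data, namely when the session holding the stash expires before the login completes (the web.xml above uses a 2-minute session-timeout). The user name and password are constructed for the example, and the model reduces the real authenticator to the save, redirect and replay steps.

```python
# Added example (not Tomcat/JBoss code): container-managed FORM login round trip.
from dataclasses import dataclass
from typing import Optional
import itertools

@dataclass
class Session:
    id: str
    user: Optional[str] = None
    saved: Optional[dict] = None   # method/uri/body stashed while logging in

class Container:
    PROTECTED = {"/process.jsp"}   # url-pattern of the <security-constraint>
    USERS = {"alice": "secret"}    # constructed credentials

    def __init__(self):
        self.sessions, self._ids = {}, itertools.count(1)
    def _session(self, sid):
        if sid not in self.sessions:       # unknown or expired id: fresh session
            sid = f"S{next(self._ids)}"
            self.sessions[sid] = Session(sid)
        return self.sessions[sid]
    def request(self, method, uri, sid=None, body=None):
        """Return (status, redirect target or page text, session id)."""
        s = self._session(sid)
        if uri == "/j_security_check":     # the login form submission
            user, pw = body.get("j_username"), body.get("j_password")
            if pw is None or self.USERS.get(user) != pw:
                return 302, "/login.html", s.id            # form-error-page
            s.user = user                  # send the client back to the stash
            return 302, (s.saved["uri"] if s.saved else "/"), s.id
        if uri in self.PROTECTED and s.user is None:
            s.saved = {"method": method, "uri": uri, "body": body}
            return 302, "/login.html", s.id                # form-login-page
        if s.saved and s.saved["uri"] == uri:              # replay the stash
            method, body, s.saved = s.saved["method"], s.saved["body"], None
        return 200, f"{uri} {method} text1={(body or {}).get('text1')}", s.id

def submit_form_then_login(container, text1, password, expire_before_login=False):
    """Drive a client through the redirects; return what the final page saw."""
    _, loc, sid = container.request("POST", "/process.jsp", body={"text1": text1})
    if expire_before_login:                # session-timeout fires mid-login:
        container.sessions.pop(sid)        # the stashed POST dies with the session
    _, loc, sid = container.request("POST", "/j_security_check", sid=sid,
                                    body={"j_username": "alice", "j_password": password})
    if loc == "/login.html":
        return "login failed"
    return container.request("GET", loc, sid=sid)[1]
```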