Right, I see. I shall ponder jumping in at some point as well if you get no replies, but the replies from the JBoss people tend to be sporadic and I suffer all sorts of superstitious doubts about how best to elicit an answer from them.

By the way, you can post HTML code there, you have to put it in [CODE] blocks, rather than [QUOTE] blocks which you tried.

Adam


On 03/29/2004 12:30 PM Martin Alley wrote:
No formal bug report yet.

The current state of play is at
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=47595

If you would like to add your weight to this observation...

Thanks
Martin


-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 29 March 2004 09:17
To: Tomcat Users List
Subject: Re: post data through form based authentication example?


Hmm. You're right. I just tested it on my JBoss (running 3.2.4RC1 with tomcat 5.0.19) and I got the same effect. Rats! This is not good. Trying to get info out of JBoss is like trying to get blood out of a stone. I assume there's a bug report? I haven't looked at JBoss's bugzilla yet.

On 03/29/2004 01:10 AM Martin Alley wrote:

After further testing, I believe this is a bug specific to the JBoss
environment (both 3.2.3 and 3.2.4RC1)

Martin

-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 28 March 2004 15:24
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?


The updated web.xml below now correctly lists the required security-role
tags, but the only effect was to bring the form.html resource into the
secured area (ie login is requested before accessing this page now), so
I have also modified web.xml to put form.html *outside* the secured area
- thus still requiring post data to transition the form based logon.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app >
  <session-config>
     <session-timeout>2</session-timeout>
  </session-config>
        <security-constraint>
            <web-resource-collection>
              <web-resource-name>Signon</web-resource-name>
              <description>Declarative security tests</description>
              <!--url-pattern>/form.html</url-pattern-->
              <url-pattern>/process.jsp</url-pattern>
              <http-method>HEAD</http-method>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              <http-method>PUT</http-method>
              <http-method>DELETE</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>customer</role-name>
              <role-name>merchant</role-name>
              <role-name>admin</role-name>
            </auth-constraint>
            <user-data-constraint>
              <description>no description</description>
              <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>

        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                        <form-login-page>/login.html</form-login-page>
                        <form-error-page>/login.html</form-error-page>
                </form-login-config>
        </login-config>

        <security-role><role-name>customer</role-name></security-role>
        <security-role><role-name>merchant</role-name></security-role>
        <security-role><role-name>admin</role-name></security-role>
</web-app>

I can't see the point of protecting the POST method if the data fails to
transition.

Has anyone got a working example of this?

Thanks
Martin

-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 27 March 2004 09:47
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?


I forgot to mention its behaviour!!

Basically when there is no security constraint, it works. When there is a
security constraint, the post data gets killed.

Martin


-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 27 March 2004 09:43
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?


Hi Adam,

I've put together a simple test for posting to a secured resource which
seems to throw up a problem. Included files are the web app. Based on
JBoss3.2.3 embedded tomcat4.1.

Martin

Index.html
<html>
<body>
                <a href="form.html">form</a>
</body>
</html>

form.html
<html>
        <body>
                <form action="process.jsp" method="post">
                        <input type="text" name="text1"/>
                        <input type="submit" value="OK"/>
                </form>
        </body>
</html>

login.html
<html>
<body>
<h4>Please login:</h4>
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit" value="OK">
</form>
</body>
</html>

process.jsp
<html>
<body>
text1=<%=request.getParameter("text1")%>
</body>
</html>

WEB-INF\web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app >


<session-config> <session-timeout>2</session-timeout> </session-config>

<security-constraint>
   <web-resource-collection>
     <web-resource-name>Signon</web-resource-name>
     <description>Declarative security tests</description>
     <url-pattern>/form.html</url-pattern>
     <url-pattern>/process.jsp</url-pattern>
     <http-method>HEAD</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
     <http-method>DELETE</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>customer</role-name>
     <role-name>merchant</role-name>
     <role-name>admin</role-name>
   </auth-constraint>
   <user-data-constraint>
     <description>no description</description>
     <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
                <form-login-page>/login.html</form-login-page>
                <form-error-page>/login.html</form-error-page>
</form-login-config>
 </login-config>

</web-app>

WEB-INF\jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">

<jboss-web>

<security-domain>java:/jaas/authtest</security-domain>

<!-- Resource Environment References -->

<!-- Resource references -->

<!-- EJB References -->

</jboss-web>


-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 25 March 2004 15:10
To: Tomcat Users List
Subject: Re: post data through form based authentication example?


Martin,
I would check your problem again. That is not the normal behaviour of the container-managed login. It will cache the original request during the login and send it on to the originally requested URL.

Adam

On 03/25/2004 02:45 PM Martin Alley wrote:


Hi,

Has anyone got an example of a servlet secured with form based
authentication, where the request to the servlet is posted, from outside
the secured area?

My actual situation is I already have a web application with form based
auth working fine, but I have a problem when the user is at a web form,
about to post the data when their session times out.  Then they submit
the form, get sent to the login page, and then on to the original
form processing servlet.  However the post data is now lost.

I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote
connector.

Thanks in advance
Martin
PS I have also posted to JBoss



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]









--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
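
The container behaviour Adam describes (cache the original request during login, then send it on to the originally requested URL) and the loss Martin reports, as an added example that is not part of the original thread and is not Tomcat or JBoss code. It is a simplified Python model; the `save_post_params` switch, the `alice` account and the session handling are assumptions made for illustration.

```python
# Simplified model of container-managed FORM login (not Tomcat or JBoss code).
# The user store and the save_post_params switch are constructed for this example.
USERS = {"alice": ("secret", "customer")}      # constructed test account
PROTECTED = {"/process.jsp"}                    # url-pattern from the thread's web.xml


class Container:
    def __init__(self, save_post_params=True):
        self.save_post_params = save_post_params   # False models the reported loss
        self.sessions = {}                          # session id -> state dict

    def handle(self, sid, method, path, params=None):
        """Return (status, body_or_location) for one request in session sid."""
        params = params or {}
        sess = self.sessions.setdefault(sid, {"user": None, "saved": None})
        if path == "/j_security_check":
            return self._login(sess, params)
        if path in PROTECTED and sess["user"] is None:
            # Unauthenticated: park the original request, serve the login page.
            kept = dict(params) if self.save_post_params else {}
            sess["saved"] = (method, path, kept)
            return 200, "login.html"
        saved = sess["saved"]
        if saved and saved[1] == path:
            # Redirected request after login: restore the parked parameters.
            params, sess["saved"] = saved[2], None
        # Mirrors process.jsp, which prints "null" for a missing parameter.
        return 200, "text1=%s" % params.get("text1", "null")

    def _login(self, sess, params):
        record = USERS.get(params.get("j_username"))
        if record is None or record[0] != params.get("j_password"):
            return 200, "login.html"                # form-error-page
        sess["user"] = params["j_username"]
        saved = sess["saved"]
        # Successful login redirects to the originally requested URL.
        return 302, saved[1] if saved else "/"


def replay_flow(save_post_params):
    """POST the form, log in, follow the redirect; return the final body."""
    c, sid = Container(save_post_params), "s1"
    _, body = c.handle(sid, "POST", "/process.jsp", {"text1": "hello"})
    assert body == "login.html"                     # login page intercepts the POST
    creds = {"j_username": "alice", "j_password": "secret"}
    _, location = c.handle(sid, "POST", "/j_security_check", creds)
    return c.handle(sid, "GET", location)[1]
```

`replay_flow(True)` is the behaviour Adam expects; `replay_flow(False)` is what the test web app in this thread shows on JBoss.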

