OK, so I found that I can access my servlet if I don't use the RequestDispatcher.forward method. In other words, when I try to access my page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get the login JSP form that I specified. When I log in successfully, the login page reappears when, in my ProtectedPage servlet, I use the RequestDispatcher.forward method instead of using a PrintWriter to send back the response. Why can I not use the RequestDispatcher? If I can, how?
Below is some code.

web.xml

    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/servlet/*</url-pattern>
        <url-pattern>/jsp/security/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>user</role-name>
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login.jsp</form-login-page>
        <form-error-page>/jsp/security/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

ProtectedPage.java

    import javax.servlet.RequestDispatcher;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class ProtectedPage extends HttpServlet {

        // Default constructor
        public ProtectedPage() {
            super();
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response) {
            performTask(request, response);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response) {
            performTask(request, response);
        }

        // Forwards every request to the JSP under /jsp/security/
        public void performTask(HttpServletRequest request, HttpServletResponse response) {
            try {
                String jspPage = "index.jsp";
                RequestDispatcher rd =
                    getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
                rd.forward(request, response);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

index.jsp

    <html>
    <head>
    <title>Protected Page for Examples</title>
    </head>
    <body bgcolor="white">

    You are logged in as remote user <b><%= request.getRemoteUser() %></b>
    in session <b><%= session.getId() %></b><br><br>

    <%
      if (request.getUserPrincipal() != null) {
    %>
        Your user principal name is
        <b><%= request.getUserPrincipal().getName() %></b><br><br>
    <%
      } else {
    %>
        No user principal could be identified.<br><br>
    <%
      }
    %>

    <%-- "role" is taken from the request and echoed unescaped below;
         HTML-escape it before output. --%>
    <%
      String role = request.getParameter("role");
      if (role == null)
        role = "";
      if (role.length() > 0) {
        if (request.isUserInRole(role)) {
    %>
          You have been granted role <b><%= role %></b><br><br>
    <%
        } else {
    %>
          You have <i>not</i> been granted role <b><%= role %></b><br><br>
    <%
        }
      }
    %>

    </body>
    </html>

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]

-----Original Message-----
From: John Gregg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 04:48 PM
To: 'Tomcat Users List'
Subject: RE: j_security_check question

No can do-ski. The container needs to know where to send the user upon successful authentication, but if your application presents a form to a user that gets submitted to j_security_check, the Tomcat authentication stuff won't know where to send the user when the operation completes.

Your web.xml and login.jsp look ok. You just don't want your application to serve a page that goes to j_security_check directly. Instead, Tomcat decides automagically when you need to log in. It then inserts itself into the application flow by remembering where the user was trying to go, sending the login page that you specify, then redirecting (or forwarding?) the user to that place upon successful login.

Before using container-managed security I was so used to creating AND SERVING my own login pages that it took a while to wrap my brain around the fact that I no longer had to do stuff like "if (req.getSession(false) == null) then send login page...." Just code your servlet to do what you want and let Tomcat worry about when/if to present the login page. The URL you'll access will be the servlet or jsp that kicks off your business logic, not the login logic.

john

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED].org] On Behalf Of Kevin Andryc
Sent: Tuesday, July 02, 2002 1:40 PM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: j_security_check question

CustomLogin.class is a resource at a protected URL which also contains the login form. So here is how it works (or how I would like it to work). I have a CustomLogin class:

CustomLogin.class (located in /dev/WEB-INF/classes/)

    import javax.servlet.RequestDispatcher;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class CustomLogin extends HttpServlet {

        public CustomLogin() {
            super();
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response) {
            performTask(request, response);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response) {
            performTask(request, response);
        }

        // Forwards every request to the login form JSP
        public void performTask(HttpServletRequest request, HttpServletResponse response) {
            try {
                String jspPage = "login.jsp";
                RequestDispatcher rd =
                    getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
                rd.forward(request, response);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

login.jsp (located in /dev/jsp/security/)

    <html>
    <head>
    <title>Login Page for Examples</title>
    </head>
    <body bgcolor="white">
    <form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
      <table border="0" cellspacing="5">
        <tr>
          <th align="right">Username:</th>
          <td align="left"><input type="text" name="j_username"></td>
        </tr>
        <tr>
          <th align="right">Password:</th>
          <td align="left"><input type="password" name="j_password"></td>
        </tr>
        <tr>
          <td align="right"><input type="submit" value="Log In"></td>
          <td align="left"><input type="reset"></td>
        </tr>
      </table>
    </form>
    </body>
    </html>

web.xml

    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/servlet/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/servlet/CustomLogin</form-login-page>
        <form-error-page>/jsp/security/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

The user will type in the URL: http://localhost:8080/dev/servlet/CustomLogin. The login form does appear. But once I enter the login information (username and password) the "Invalid direct reference to form login page" appears. What I want is to have the user type in http://localhost:8080/dev/servlet/CustomLogin and log in. If they are successful, then it should then direct them to the CustomLogin servlet so I can get the user information and customize the page according to who is logged in. I hope this makes sense. I just can't seem to get it to work or how to make it work.

Thanks,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
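
The flow John Gregg describes above (the container remembers where the user was going, shows the login page, then sends the user on after a successful login) can be sketched as a small state model. This is an added example, not part of the original thread and not Tomcat's implementation. The class name FormAuthModel, the action strings and the demo credentials are constructed for illustration, and the model assumes only /servlet/* is protected with the login form at /jsp/security/login.jsp.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of container-managed FORM login; not Tomcat's implementation.
public class FormAuthModel {
    static final String LOGIN_PAGE = "/jsp/security/login.jsp"; // form-login-page
    static final String ERROR_PAGE = "/jsp/security/error.jsp"; // form-error-page
    static final String PROTECTED_PREFIX = "/servlet/";         // url-pattern /servlet/*

    // State the container keeps per session: saved target and logged-in user.
    private final Map<String, String> session = new HashMap<>();

    // Constructed credential check standing in for the realm lookup.
    private static boolean realmAccepts(String user, String password) {
        return "demo".equals(user) && "demo-password".equals(password);
    }

    // Returns the action the container takes for one request.
    String handle(String uri, String user, String password) {
        if (uri.endsWith("/j_security_check")) {
            if (!realmAccepts(user, password)) return "FORWARD " + ERROR_PAGE;
            String saved = session.remove("savedRequest");
            // No saved target: the form was not reached through a protected URL.
            if (saved == null) return "ERROR Invalid direct reference to form login page";
            session.put("principal", user);
            return "REDIRECT " + saved;
        }
        if (uri.startsWith(PROTECTED_PREFIX) && !session.containsKey("principal")) {
            session.put("savedRequest", uri); // remember where the user was going
            return "FORWARD " + LOGIN_PAGE;
        }
        return "SERVE " + uri;
    }

    public static void main(String[] args) {
        // Case 1: the user asks for the protected servlet; the container steps in.
        FormAuthModel viaProtected = new FormAuthModel();
        System.out.println(viaProtected.handle("/servlet/ProtectedPage", null, null));
        System.out.println(viaProtected.handle("/j_security_check", "demo", "demo-password"));
        System.out.println(viaProtected.handle("/servlet/ProtectedPage", null, null));

        // Case 2: the login form is requested directly, so nothing was saved.
        FormAuthModel direct = new FormAuthModel();
        System.out.println(direct.handle(LOGIN_PAGE, null, null));
        System.out.println(direct.handle("/j_security_check", "demo", "demo-password"));
    }
}
```

In the second case the credentials are valid, yet the login still ends in the "Invalid direct reference to form login page" error because the session holds no saved target to return to.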