Here is my app directory structure under Tomcat:

$TOMCAT_HOME
  webapps
    myApp
      WEB-INF
         ....
The files I want secured are under /do (instead of X.do, the
files appear as /do/X).

The other thing I'm seeing, as well as the login
issues mentioned previously, is the fact that if I
successfully log in the first time into the site, close
my browser, and then try to authenticate with invalid
data, it logs me in correctly with the previous
attributes.

For example, say my valid login is
validLogin/validPass.  If I try to auth the first time
into the site with validLogin/validPass it
authenticates correctly.  However, if I close my
browser and try to go back in and authenticate with
garbagelogin/garbagepass (which doesn't exist in my
DB), it still authenticates me as
validLogin/validPass.  This is not correct, and is
another symptom of something I'm doing incorrectly.  

Has anyone else seen this type of behavior?

Dave, it seems like changing 
<url-pattern>/do/*</url-pattern> 
to 
<url-pattern>*</url-pattern> 
will make everything secure, which isn't the outcome I
am looking for...

Thanks for any info...

Quenten


--- David Brown <[EMAIL PROTECTED]> wrote:
> Quenten Van Egeren writes: 
> 
> > I'm having the following problem when using FORM based
> > authentication with Tomcat 4.1.12:
> > 
> > When I bring up a new browser window, and go to a
> > protected page (under /do/) I am redirected to the
> > login.jsp as I should be.  If I enter the correct
> > username / password, I am logged in correctly and
> > forwarded back to the page I was trying to access.
> > This all works correctly. 
> > 
> > However, if I enter garbage for a username and
> > password, I am redirected to the error.jsp page, which
> > is also correct.  I then click the link on the
> > error.jsp page that takes me back to the login.jsp
> > page and try to log in again with a valid
> > username/password combo, and it instantly redirects me
> > back to the error.jsp page.  This isn't correct (as
> > far as I can tell) since it should have successfully
> > authed me the second time into the page. 
> > 
> > I was wondering if anyone else had run into this
> > issue, or if there was something I was missing in one
> > of the config files or my web.xml file. 
> > 
> > I am also using struts, but I don't think that has
> > anything to do with this error, since it appears to be
> > a j_security_check setup issue somehow. 
> > 
> > Any help would be greatly appreciated. 
> > 
> > Thanks, 
> > 
> > Quenten 
> > 
> > Here is my code : 
> > 
> > +++++ my application web.xml +++++
> > <security-constraint>
> >   <display-name>Security Constraint</display-name>
> >   <web-resource-collection>
> >     <web-resource-name>Protected Area</web-resource-name>
> >     <url-pattern>/do/*</url-pattern>
> >     <!-- listing http-method elements limits the constraint to
> >          these methods only; omit them to cover every method -->
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >     <http-method>PUT</http-method>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>eadmin</role-name>
> >     <role-name>member</role-name>
> >   </auth-constraint>
> > </security-constraint>
> > 
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>My JDBCRealm</realm-name>
> >   <form-login-config>
> >     <form-login-page>/login.jsp</form-login-page>
> >     <form-error-page>/error.jsp</form-error-page>
> >   </form-login-config>
> > </login-config>
> > 
> > <security-role>
> >   <description>admin role.</description>
> >   <role-name>eadmin</role-name>
> > </security-role>
> > <security-role>
> >   <description>member role.</description>
> >   <role-name>member</role-name>
> > </security-role>
> > 
> > +++++ tomcat server.xml +++++
> > 
> > <!-- JDBC URL parameters are separated by & (written &amp; in XML);
> >      no digest attribute is set, so userCredCol holds clear-text passwords -->
> > <Realm className="org.apache.catalina.realm.JDBCRealm"
> >        debug="50"
> >        driverName="org.postgresql.Driver"
> >        connectionURL="jdbc:postgresql://localhost:5432/mydb?user=postgres&amp;password=postgres"
> >        userTable="members" userNameCol="login"
> >        userCredCol="password"
> >        userRoleTable="member_roles_view"
> >        roleNameCol="user_role" />
> > 
> > +++++ my login.jsp +++++
> > <html>
> > <head>
> > <title>Login Page for Examples</title>
> > </head>
> > <body bgcolor="white">
> > <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
> >   <table border="0" cellspacing="5">
> >     <tr>
> >       <th align="right">Username:</th>
> >       <td align="left"><input type="text" name="j_username"></td>
> >     </tr>
> >     <tr>
> >       <th align="right">Password:</th>
> >       <td align="left"><input type="password" name="j_password"></td>
> >     </tr>
> >     <tr>
> >       <td align="right"><input type="submit" value="Log In"></td>
> >       <td align="left"><input type="reset"></td>
> >     </tr>
> >   </table>
> > </form>
> > </body>
> > </html>
> > 
> > +++++ my error.jsp +++++
> > <html>
> > <head>
> > <title>Error Page For Examples</title>
> > </head>
> > <body bgcolor="white">
> > Invalid username and/or password, please try
> > <a href='<%= response.encodeURL("login.jsp") %>'>again</a>.
> > </body>
> > </html>
> > 
> >  
> > 
> > 
> > __________________________________________________
> > Do you Yahoo!?
> > Yahoo! Mail Plus – Powerful. Affordable. Sign up
> now.
> > http://mailplus.yahoo.com 
> > 
> > --
> > To unsubscribe, e-mail:  
> <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]> 
> > 
>  
> 
> 
> Hello Quenten, if your web.xml is:
> $TOMCAT_HOME
>           |
>           /webapps
>                  |
>                  /do
>                    |
>                    /WEB-INF 
> 
> then change your web.xml tag:
> <security-constraint>
>  <url-pattern>/do/* 
> 
> to only: 
> 
> 
> <url-pattern>*</url-pattern> 
> 
> hope this helps, david.
> 


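The thread turns on what `<url-pattern>/do/*</url-pattern>` does and does not cover. The script below is an added example, not code from the thread or from Tomcat: it models the Servlet specification's constraint matching (the four url-pattern forms: exact, prefix `/x/*`, extension `*.ext`, default `/`, plus the rule that naming `<http-method>` elements limits a constraint to exactly those methods) and runs the web.xml posted above through it. It shows that `/do/*` already covers `/do/X`, that `/*` (the spec form, rather than a bare `*`) is what would cover everything including login.jsp, and that the posted constraint leaves HEAD, DELETE, OPTIONS and TRACE requests to `/do/X` unconstrained because only GET, POST and PUT are listed. Function names and the request samples are mine; treating a pattern that fits none of the four forms (such as a bare `*`) as an exact string is my reading of the spec, not verified Tomcat 4.1 behaviour.

```python
"""Model of servlet <security-constraint> matching (added example).

The web.xml text below is the fragment posted in the thread; the request
paths and methods fed to it are constructed for illustration.
"""
import xml.etree.ElementTree as ET

POSTED_WEB_XML = """
<web-app>
<security-constraint>
  <display-name>Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/do/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>eadmin</role-name>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>
</web-app>
"""

ALL_METHODS = ("GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "TRACE")


def pattern_matches(pattern, path):
    """Servlet url-pattern matching using the four spec forms."""
    if pattern == "/":                    # default servlet: matches every path
        return True
    if pattern.endswith("/*"):            # path-prefix form, e.g. /do/* or /*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):          # extension form, e.g. *.do
        return path.endswith(pattern[1:])
    # Anything else (including a bare '*') is taken as an exact string
    # (assumption: this is how I read the spec, not verified container behaviour).
    return path == pattern


def load_constraints(web_xml):
    """Extract patterns, listed methods and auth-constraint presence from web.xml."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.iter("web-resource-collection"):
            patterns += [e.text.strip() for e in wrc.iter("url-pattern")]
            methods |= {e.text.strip().upper() for e in wrc.iter("http-method")}
        # No <auth-constraint> at all means the collection is unconstrained;
        # an empty <auth-constraint/> means nobody is allowed.
        has_auth = sc.find("auth-constraint") is not None
        constraints.append({"patterns": patterns, "methods": methods,
                            "has_auth": has_auth})
    return constraints


def is_protected(constraints, path, method):
    """True if some constraint with an <auth-constraint> covers (path, method)."""
    method = method.upper()
    for c in constraints:
        if not c["has_auth"]:
            continue
        # Listed methods restrict the constraint to exactly those methods.
        if c["methods"] and method not in c["methods"]:
            continue
        if any(pattern_matches(p, path) for p in c["patterns"]):
            return True
    return False


def uncovered_methods(constraints, path, methods=ALL_METHODS):
    """Methods that reach `path` without passing through any constraint."""
    return [m for m in methods if not is_protected(constraints, path, m)]


if __name__ == "__main__":
    cs = load_constraints(POSTED_WEB_XML)
    for path in ("/do/X", "/do", "/login.jsp", "/dox"):
        print(path, "GET protected:", is_protected(cs, path, "GET"),
              "uncovered:", uncovered_methods(cs, path))
    print("/* covers login.jsp:", pattern_matches("/*", "/login.jsp"))
    print("bare * covers login.jsp:", pattern_matches("*", "/login.jsp"))
```

Dropping the three `<http-method>` elements from the posted constraint makes `uncovered_methods` return an empty list for `/do/X`, which is the usual fix: a constraint with no method list applies to every method.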