Here is some information I have put together on what I consider the best practices for Tomcat Form Based Authentication. I look forward to your comments and suggestions.
John

Best Practices for Tomcat v4.1 Form Based Authentication
John Swapceinski
Ordinate Corp.
[EMAIL PROTECTED]
(3/26/03)

1 - In the form-login-page and the form-error-page, select something trivial from the database to ascertain that the database is available. If the SELECT fails, report to the user that the site is unavailable, in order to prevent the user from wasting time trying to log in and only getting the message "login failed".

2 - In order to detect a user who has bookmarked the form-login-page or the form-error-page, use each of the following two methods:

A - In the web.xml file, define a customized error page for 400 error codes. The 400 error page is displayed when someone bookmarks the login page and tries to log in, which generates the "invalid direct reference to the login page" error. This error page (e.g. 400.jsp) should do the following check:

<%
    // Path part of the requested URL, e.g. "/myapp/j_security_check"
    String mypage = (new java.net.URL(request.getRequestURL().toString())).getFile();
    final String errMsg;
    if (request.getRemoteUser() != null && mypage.endsWith("j_security_check")) {
        // Already authenticated, but the login form was submitted again
        errMsg = "You were already logged in, but tried logging in a second time.";
    } else if (mypage.endsWith("j_security_check")) {
        // Form submitted without Tomcat having redirected to the login page first
        errMsg = "You bookmarked the login page.";
    } else {
        errMsg = "Bad request: " + request.getRequestURL().toString();
    }
%>

B - Add this code to the very beginning of the form-login-page and form-error-page pages:

<%
    // A brand-new session means the user arrived here directly rather than
    // via Tomcat's redirect from a protected resource
    if (session.isNew()) {
        throw new IllegalArgumentException("You bookmarked the login page.");
    }
    if (request.getRemoteUser() != null) {
        throw new IllegalArgumentException("You are already logged in. Please make sure you have not bookmarked the login page.");
    }
%>

3 - In the web.xml file, define a customized error page for 404 error codes. The 404 error page is displayed when someone tries to log in when they are already logged in. (Note - use a recent Tomcat release like 4.1.24, otherwise you'll get a blank screen when trying to set a custom 404 page.) This error page (e.g. 404.jsp) should do the following check:

<%
    // Path part of the requested URL, e.g. "/myapp/j_security_check"
    String mypage = (new java.net.URL(request.getRequestURL().toString())).getFile();
    final String errMsg;
    if (request.getRemoteUser() != null && mypage.endsWith("j_security_check")) {
        // Already authenticated, but the login form was submitted again
        errMsg = "You were already logged in, but tried logging in a second time.";
    } else if (mypage.endsWith("j_security_check")) {
        // Form submitted without Tomcat having redirected to the login page first
        errMsg = "You bookmarked the login page.";
    } else {
        errMsg = "Your requested page, " + mypage + ", was not found on our server.";
    }
%>

4 - Add a meta tag refresh to the form-login-page and the form-error-page to keep the session from timing out and giving the user an error when they finally do get around to logging in:

<META HTTP-EQUIV="Refresh" CONTENT="600">

5 - If you need customized login pages for a webapp, create a new webapp with the login pages you need, with a single protected html page that redirects the user to the original (main) webapp. Make this new webapp require the same role as your main webapp. You'll need to have "single sign on" enabled in your server.xml file for this to work (details here: http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/singlesignon.html)
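As an added example, not part of the original post, here is a web.xml that wires the pieces above together: the FORM login-config naming the login and error pages, the custom 400 and 404 error pages from points 2A and 3, and the protected area with the role that point 5 says the secondary webapp must share. The paths, realm name and role name "member" are assumptions; the element order follows the Servlet 2.3 DTD used by Tomcat 4.1.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Points 2A and 3: custom pages for the 400 and 404 codes.
       Both pages run the scriptlet check shown in the post. -->
  <error-page>
    <error-code>400</error-code>
    <location>/400.jsp</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/404.jsp</location>
  </error-page>

  <!-- Protected area; the URL pattern and role name are assumptions -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form based authentication: login.jsp and loginerror.jsp carry the
       database check (point 1), the bookmark check (point 2B) and the
       META refresh (point 4) -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Point 5: a secondary webapp with its own login pages must
       declare and require this same role for single sign on to work -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

The login form itself must POST j_username and j_password to j_security_check, which is what makes the 400 and 404 checks above recognise a bookmarked or repeated login attempt.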