The problem is in the error message: Invalid direct reference to form login page
In brief: With container-based auth, when a user attempts to access a protected resource, the container will 'remember' which resource they tried to access, and send them off to the form login page, specified in web.xml. If they successfully authenticate, then the container will then send them off to the original resource. If you go directly to login.jsp... where are you supposed to go after ? > -----Original Message----- > From: Muhammad Bilal [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 4:00 AM > To: [EMAIL PROTECTED] > Subject: Tomcat: j_security_check: Form Authentication > > > Hi, > > I am using Form Authentication with Tomcat 4.1.18. Every thing seems > working, when I try to access a protected resource directly, > it takes me to > the login.jsp and if enter correct user/password it logs me > in and takes to > protected resource. But if I try to go to login.jsp first and > enters my > user/password it takes to some thing like > http://203.32.143.146:8080/test/j_security_check;jsessionid=30 > 3C0E68008E1E54F0E2CBAF43553B27 > and displays > HTTP Status 400 - Invalid direct reference to form login page > -------------------------------------------------------------- > ------------------ > type Status report > message Invalid direct reference to form login page > description The request sent by the client was syntactically > incorrect > (Invalid direct reference to form login page). > -------------------------------------------------------------- > ------------------ > Apache Tomcat/4.1.18 > > j_security_check is the servlet which uses JDBCRealm, I need > to know a bit > of its detail how it works, and how is it possible that we go > to login.jsp > first and then it takes to page we want after success, like the admin > section works of tomcat http://localhost:8080/admin. Btw, I > noticed also, > if we try to give blank user/password on admin page and click > to submit, it > takes to similar kind of error. > > I have following configurations: > In server.xml > <!-- Tomcat test Context --> > <Context path="/test" docBase="test" debug="0" > reloadable="true" > crossContext="true"> > <Logger > className="org.apache.catalina.logger.FileLogger" > prefix="localhost_test_log." suffix=".txt" timestamp="true"/> > <Environment name="maxExemptions" type="java.lang.Integer" > value="15"/> > <Parameter name="context.param.name" > value="context.param.value" > override="false"/> > > <Realm > className="org.apache.catalina.realm.JDBCRealm" debug="99" > driverName="weblogic.jdbc.mssqlserver4.Driver" > > connectionURL="jdbc:weblogic:mssqlserver4:[EMAIL PROTECTED]" > connectionName="dev" connectionPassword="web" > userTable="users" userNameCol="user_name" > userCredCol="user_pass" > userRoleTable="user_roles" > roleNameCol="role_name" /> > </Context> > In web.xml under /test/WEB-INF > > <web-app> > <display-name>Test by Bilal</display-name> > <description>It is a test context for > authentication.</description> > <security-constraint> > <web-resource-collection> > <web-resource-name>OnJava > Application</web-resource-name> > <url-pattern>/protected/*</url-pattern> > <http-method>DELETE</http-method> > <http-method>GET</http-method> > <http-method>POST</http-method> > <http-method>PUT</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>onjavauser</role-name> > </auth-constraint> > <user-data-constraint> > <transport-guarantee>NONE</transport-guarantee> > </user-data-constraint> > </security-constraint> > <login-config> > <auth-method>FORM</auth-method> > <realm-name>Example Form-Based Authentication > Area</realm-name> > <form-login-config> > <form-login-page>/login.jsp</form-login-page> > <form-error-page>/error.jsp</form-error-page> > </form-login-config> > </login-config> > </web-app> > > In log: > > 2003-07-10 18:27:52 WebappLoader[/test]: Reloading checks are > enabled for > this Context > 2003-07-10 18:27:53 ContextConfig[/test]: WARNING: Security role name > onjavauser used in an <auth-constraint> without being defined in a > <security-role> > 2003-07-10 18:27:54 ContextConfig[/test]: Configured an > authenticator for > method FORM > 2003-07-10 18:27:54 StandardManager[/test]: Seeding random > number generator > class java.security.SecureRandom > 2003-07-10 18:27:54 StandardManager[/test]: Seeding of random number > generator has been completed > 2003-07-10 18:27:54 StandardWrapper[/test:default]: Loading container > servlet default > 2003-07-10 18:27:54 StandardWrapper[/test:invoker]: Loading container > servlet invoker > 2003-07-10 18:29:42 JDBCRealm[/test]: Username bob > successfully authenticated > > Any quick response would be really great. > > Thanks, > > Bilal > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
