On Friday, November 09, 2012 01:02:55 AM Konstantin Kolinko wrote:

> 1. When and how do you obtain the value for your jsessionid? Beware
> that the session id is changing when you do authentication. That is
> done to prevent session fixation attacks.

The .jnlp would be generated on the fly after a login, so it would have the 
jsessionid just generated by the user authentication - if I can get through 
the login.  But I'm not getting there as a successful login isn't redirected 
to the original target (or, perhaps, the jsessionid generated by the login 
isn't properly appended to the original url).

> 2. It isn't timeout.
> It means that you've got a new session, and so Tomcat does not know
> where to redirect you after the login.
> 
> See
> response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT
> call in o.a.c.authenticator.FormAuthenticator

I landed in the login as a function of the authentication, so it seems that I 
should end up where I was originally trying to go after the authentication 
succeeds.  Since the session has to be in the URL there should have been a URL 
rewrite for the new session performed after the login and session was created.  

This old thread seems applicable:

http://tomcat.10.n6.nabble.com/AuthenticatorBase-setChangeSessionIdOnAuthentication-without-cookies-td4987045.html

It's entirely possible (likely) that I'm missing something, but it sure looks 
like you can't get through a login.jsp with URL based session data.  I'd be 
delighted to wrap this test case up in a .war; I was posting here to make sure 
that I wasn't completely missing some point.
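As an added example (not part of the original thread or of Tomcat's own code), here is a small Python check for the two properties discussed above: the jsessionid path parameter must change across the form login (session fixation defence) and must still be present on the post-login redirect when cookies are disabled. The URLs, session ids and function names are constructed stand-ins; nothing here contacts a server.

```python
"""Check URL-based session tracking across a container form login.

Constructed example: the inputs are hand-written stand-ins for the URL the
client was sent to before login and the Location header returned after
POSTing to j_security_check.  No real server is involved.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Tomcat carries the id as a path parameter: /app/page.jsp;jsessionid=XXXX
SESSION_RE = re.compile(r";jsessionid=([^/;?#]+)")


def session_id_from_url(url):
    """Return the ;jsessionid=... path parameter, or None if absent."""
    m = SESSION_RE.search(urlsplit(url).path)
    return m.group(1) if m else None


def strip_session_id(url):
    """Remove the path parameter so two URLs compare as plain targets."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=SESSION_RE.sub("", parts.path)))


def check_login_flow(pre_login_url, post_login_redirect, original_target):
    """Report on a form-login round trip done with URL rewriting.

    pre_login_url:       URL the client held before authenticating
    post_login_redirect: Location header returned after j_security_check
    original_target:     resource the client originally asked for
    """
    before = session_id_from_url(pre_login_url)
    after = session_id_from_url(post_login_redirect)
    return {
        # Session fixation defence: the id must change on authentication.
        "id_rotated": bool(before and after and before != after),
        # Cookie-less usability: the new id must ride on the redirect.
        "id_in_redirect": after is not None,
        # The container should send the client back where it was going.
        "redirected_to_target": strip_session_id(post_login_redirect)
        == strip_session_id(original_target),
    }


if __name__ == "__main__":
    print(check_login_flow(
        "http://host/app/login.jsp;jsessionid=AAAA1111",   # constructed
        "http://host/app/launch.jnlp;jsessionid=BBBB2222",  # constructed
        "http://host/app/launch.jnlp"))
```

A redirect that comes back without the parameter (the symptom described in the thread) shows up as `id_in_redirect: False`, which is the case to look for when reproducing this with cookies disabled.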


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org