Wait, I am sure I am going wrong in a fundamental area.

My security constraint is as follows:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>TECHERS</web-resource-name>
            <url-pattern>/teacher/success.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>TEACHER</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/index.jsp</form-login-page>
            <form-error-page>/index.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>TEACHER</role-name>
    </security-role>

Now let me tell you what I understand from this:


   - The <web-resource-collection> /teacher/success.jsp is protected via a
   FORM login page that is index.jsp
   - Therefore the page after login which the user will land on is
   /teacher/success.jsp. I don't need to specify that elsewhere.
   - <form-login-page> element designates the login page.
   - <form-error-page> element designates the page to go to if login has
   failed.

This is my understanding of the whole process. Please don't tell me that I
have to put <form-login-page> as /teacher/success.jsp. If so then where do
I designate the login page?

Forgive my noobishness. Just starting out with servlet security.

Regards
Sreyan Chakravarty

On Mon, Aug 31, 2015 at 3:59 PM, Mark Thomas <ma...@apache.org> wrote:

> On 31/08/2015 07:00, Sreyan Chakravarty wrote:
> > I don't understand where did I request the login page directly? I just put
> > <form-login-config> as index.jsp and the error page as
> > index.jsp?error=true.
> >
> > So where is my error?
>
> Did you request '/teacher/success.jsp' ? No, you did not.
>
> Did you request '/index.jsp' (or '/' that because of welcome page
> processing would forward to '/index.jsp') ? Yes, you did. And that is
> your error.
>
> Mark
>
>
> >
> > On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 29/08/2015 22:16, Sreyan Chakravarty wrote:
> >>> Okay this is my first try at container based authentication using Realms
> >>> in Tomcat. And things have gone wrong. Here is my login page -:
> >>
> >> <snip/>
> >>
> >>
> >>> My web.xml security configuration is -:
> >>>
> >>> <security-constraint>
> >>>         <web-resource-collection>
> >>>             <web-resource-name>TECHERS</web-resource-name>
> >>>             <url-pattern>/teacher/success.jsp</url-pattern>
> >>>             <http-method>GET</http-method>
> >>>             <http-method>POST</http-method>
> >>>         </web-resource-collection>
> >>
> >> Remove the methods. By enumerating methods ONLY those methods are
> >> protected. PUT, HEAD, DELETE, etc. would all be permitted.
> >>
> >>
> >> <snip/>
> >>
> >>> Now when I click on submit I get the following error page in Tomcat -:
> >>>
> >>>
> >>> *HTTP Status 400 - Invalid direct reference to form login page*
> >>>
> >>> *message* *Invalid direct reference to form login page*
> >>>
> >>> *description* *The request sent by the client was syntactically incorrect.*
> >>>
> >>>
> >>> Why is this happening ? Any help would be greatly appreciated.
> >>
> >> Because you requested the login page directly. You need to request the
> >> protected page and Tomcat will handle the redirects.
> >>
> >> Mark
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
>
>
>
