Wait I am sure I am going wrong in a fundamental area. My security constraint is as follows-:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>TECHERS</web-resource-name>
        <url-pattern>/teacher/success.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>TEACHER</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/index.jsp</form-login-page>
        <form-error-page>/index.jsp?error=true</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>TEACHER</role-name>
</security-role>

Now let me tell you what I understand from this-:

- The <web-resource-collection> /teacher/success.jsp is protected via a FORM login page that is index.jsp
- Therefore the page after login which the user will land to is /teacher/success.jsp. I don't need to specify that elsewhere.
- <form-login-page> element designates the login page.
- <form-error-page> element designates the page to go to if login has failed.

This is my understanding of the whole process.

Please don't tell me that I have to put <form-login-page> as /teacher/success.jsp. If so then where do I designate the login page ?

Forgive my noobishness. Just starting out with servlet security.

Regards
Sreyan Chakravarty

On Mon, Aug 31, 2015 at 3:59 PM, Mark Thomas <ma...@apache.org> wrote:

> On 31/08/2015 07:00, Sreyan Chakravarty wrote:
> > I don't understand where did I request the login page directly ? I just put
> > <form-login-config> as index.jsp and the error page as
> > index.jsp?error=true.
> >
> > So where is my error ?
>
> Did you request '/teacher/success.jsp' ? No, you did not.
>
> Did you request '/index.jsp' (or '/' that because of welcome page
> processing would forward to '/index.jsp') ? Yes, you did. And that is
> your error.
>
> Mark
>
> > On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 29/08/2015 22:16, Sreyan Chakravarty wrote:
> >>> Okay this is my first try at container based authentication using Realms in
> >>> Tomcat. And things have gone wrong. Here is my login page -:
> >>
> >> <snip/>
> >>
> >>> My web.xml security configuration is -:
> >>>
> >>> <security-constraint>
> >>> <web-resource-collection>
> >>> <web-resource-name>TECHERS</web-resource-name>
> >>> <url-pattern>/teacher/success.jsp</url-pattern>
> >>> <http-method>GET</http-method>
> >>> <http-method>POST</http-method>
> >>> </web-resource-collection>
> >>
> >> Remove the methods. By enumerating methods ONLY those methods are
> >> protected. PUT, HEAD, DELETE, etc. would all be permitted.
> >>
> >> <snip/>
> >>
> >>> Now when I click on submit I get the following error page in Tomcat -:
> >>>
> >>> *HTTP Status 400 - Invalid direct reference to form login page*
> >>>
> >>> *message* *Invalid direct reference to form login page*
> >>>
> >>> *description* *The request sent by the client was syntactically incorrect.*
> >>>
> >>> Why is this happening ? Any help would be greatly appreciated.
> >>
> >> Because you requested the login page directly. You need to request the
> >> protected page and Tomcat will handle the redirects.
> >>
> >> Mark
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
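
Added example, not part of the thread and not Tomcat's own code: a small audit of a deployment descriptor for the problem Mark points out, where listing <http-method> elements leaves every other method outside the constraint. The <web-app> wrapper, the /admin/* constraint and the function names are constructed for illustration; the check also treats <http-method-omission> (Servlet 3.0) as a gap.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's constraint inside a <web-app> root, plus a
# hypothetical /admin/* constraint that lists no methods at all.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TECHERS</web-resource-name>
      <url-pattern>/teacher/success.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>TEACHER</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ADMIN</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>TEACHER</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

STANDARD_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def local(tag):
    """Drop the XML namespace so any descriptor version can be checked."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    """Trimmed text of each direct child element called `name`."""
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def uncovered_methods(web_xml):
    """Return [(url_pattern, [standard methods the constraint does not cover])]."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        for wrc in (c for c in sc if local(c.tag) == "web-resource-collection"):
            listed = {m.upper() for m in texts(wrc, "http-method")}
            omitted = {m.upper() for m in texts(wrc, "http-method-omission")}
            if listed:      # only the listed methods are constrained
                gaps = [m for m in STANDARD_METHODS if m not in listed]
            elif omitted:   # everything except the omitted methods is constrained
                gaps = [m for m in STANDARD_METHODS if m in omitted]
            else:           # neither element: the constraint covers every method
                continue
            findings.extend((p, gaps) for p in texts(wrc, "url-pattern"))
    return findings
```
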