Barry,
Propes, Barry L wrote:
> They oddly enough can access certain pages within the directory of
> this application, by logging in appropriately through the form.
> However, another file in the same directory gives them this error -
> "Invalid Direct reference to Form Login page."

That usually means that Tomcat thinks the user has tried to send a j_username and j_password to /j_security_check without having previously been challenged by a login page.

My understanding is that Tomcat implements container-managed authentication somewhat like this:

1. Request for protected resource comes in (assume no creds, yet)
2. Tomcat creates a session, associates it with a "wants login" request, stores the original request, and displays the login page
3. Request to /j_security_check comes in, auth is performed, original request is then sent to the application

This works relatively well in most situations. However, if enough time goes by between #2 and #3, the session times out and TC loses the "wants login" notation (whatever that means), as well as the original request. If you then try to login, TC basically says "I never asked this guy to login, so this must be an invalid login", and you get this message. :(

> on that note, it's also showing "The request sent by the client was
> syntactically incorrect."

I think that's a red herring, actually. TC is probably liberally using an HTTP status code that could mean lots of different things.

> I'm having some users get this error reaching a portion of the
> secured section of my app.

Is it always the same users? Is it always the same place?

> Does anyone know what could be at work here causing this?

I think you might get this error if you don't run your form action (j_security_check) through HttpServletResponse.encodeURL and the user is not using cookies. I think this will basically prevent logins for cookieless people (but I could be remembering wrong).
If you run out of patience (as I did) with Tomcat's authentication, you can look at securityfilter (http://securityfilter.sourceforge.net) which emulates container-managed authentication and authorization and allows things like logging in directly without first being challenged by the container.

-chris
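A form-login page wired the way the reply above suggests, as an added example that is not from this thread or from Tomcat itself; it assumes the file is named login.jsp and is the page web.xml declares as the form-login-page for the protected area.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%-- login.jsp (assumed name): the page Tomcat shows at step 2 of the flow.
     Tomcat creates the session at that step; the POST to j_security_check
     at step 3 must arrive with that same session, or the container cannot
     match it to a pending login and reports "Invalid direct reference to
     form login page". With cookies enabled the session id travels in the
     JSESSIONID cookie. Without cookies the id must be rewritten into the
     form action, which is what response.encodeURL() does. --%>
<%
    // Weak form, kept here only for comparison: a bare action carries no
    // session id, so a cookieless client's POST lands in a fresh session
    // and the login is rejected.
    // String formAction = "j_security_check";

    // Corrected form: encodeURL() appends ;jsessionid=... only when the
    // container has not seen a session cookie from this client, so clients
    // that do accept cookies get a clean URL.
    String formAction = response.encodeURL("j_security_check");
%>
<html>
<head><title>Log in</title></head>
<body>
<%-- j_username / j_password / j_security_check are the names fixed by
     the Servlet specification for FORM authentication; do not rename. --%>
<form method="POST" action="<%= formAction %>">
  <label>User name: <input type="text" name="j_username"></label><br>
  <label>Password: <input type="password" name="j_password"></label><br>
  <input type="submit" value="Log in">
</form>
</body>
</html>
```

This addresses the cookieless case only; the session-timeout case described above (too long between steps 2 and 3) still produces the same error and is bounded by the session-timeout setting in web.xml, not by the page.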
