RE: Form Based Authenticattion - j_security_check does not redirect from http to https

[Justin Randall]

Hello,

Are you using other filters?

If you are you will need the method to look like the below:

    public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;
        rsp.sendRedirect(req.getRequestURI());
        filterChain.doFilter(request, response);
    }

However, from the looks of your stack trace the problem is with your 
"login.jsp?action=error" page.  You need to review your code to figure out 
where and how it is trying to create an HttpSession (presumably in the login 
error page) after a failed login attempt.

Regards,

Justin

> Date: Tue, 9 Dec 2008 02:29:53 -0800
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: RE: Form Based Authenticattion - j_security_check does not redirect 
> from http to https
> 
> 
> 
> Justin Randall-5 wrote:
> > 
> > 
> > Hi again,
> > 
> > I thought about this a little more and I think what you're experiencing
> > might be as a result of the RequestDispatcher.
> > 
> > When the RequestDispatcher "fowards" to a URL resource, it overrides the
> > SSL/Authentication constraints you have setup.  There is a way of getting
> > around this (which also adds an additional layer of maintenance
> > programming security in your code) by using Filters.
> > 
> > Basically, in your web.xml you define a filter for your SSL protected
> > pages:
> > 
> >   <filter>
> >       <filter-name>MyFilterClass</filter-name>
> >       <filter-class>my.package.MyFilterClass</filter-class>
> >   </filter>
> >   <filter-mapping>
> >       <filter-name>MyFilterClass</filter-name>
> >       <url-pattern>/ssl/*</url-pattern>
> >       <dispatcher>FORWARD</dispatcher>
> >       <dispatcher>INCLUDE</dispatcher>
> >       <dispatcher>ERROR</dispatcher>
> >   </filter-mapping>
> > 
> > Below is a sample implementation of the "doFilter" that takes care of the
> > redirecting:
> > 
> > public void doFilter(ServletRequest request, ServletResponse response,
> >             FilterChain arg2) throws IOException, ServletException {
> >             HttpServletRequest req = (HttpServletRequest) request;
> >             HttpServletResponse rsp = (HttpServletResponse) response;
> >             rsp.sendRedirect(req.getRequestURI());
> > }
> > 
> > 
> 
> 
> I tried this but I got the following exception and the j_security_check page
> on http doesn't get redirected:
> 
> java.lang.IllegalStateException: Cannot create a session after the response
> has been committed
>       at org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
>       at org.apache.catalina.connector.Request.getSession(Request.java:2031)
>       at
> org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
>       at
> javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
>       at
> org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:545)
>       at
> org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:494)
>       at
> org.apache.jasper.runtime.PageContextImpl._initialize(PageContextImpl.java:136)
>       at
> org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:113)
>       at
> org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:105)
>       at
> org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:62)
>       at org.apache.jsp.login_jsp._jspService(login_jsp.java:33)
>       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>       at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
>       at 
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
>       at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>       at com.solidcore.bl.servlet.TagFilter.doFilter(TagFilter.java:110)
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>       at
> org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
>       at
> org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
>       at
> org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
>       at
> org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
>       at
> org.apache.catalina.authenticator.FormAuthenticator.forwardToErrorPage(FormAuthenticator.java:337)
>       at
> org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:260)
>       at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
>       at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>       at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>       at
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
>       at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>       at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
>       at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
>       at
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>       at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>       at
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>       at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>       at java.lang.Thread.run(Thread.java:595)
> 
> -- 
> View this message in context: 
> http://www.nabble.com/Form-Based-Authenticattion---j_security_check-does-not-redirect-from-http-to-https-tp20910454p20912149.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

_________________________________________________________________