samsina wrote:
> See inline...
>
>
> Pid-2 wrote:
>> Martin Gainty wrote:
>>> please display non-proprietary attributes of HTTPS (Port 8443 or 443)
>>> Connector element values from %TOMCAT_HOME%/conf/server.xml
>> OP: Don't attempt to decipher or respond to the above, it's a red
>> herring. You could instead tell us exactly which 6.x you are using and
>> on which OS.
>> I am running in Red Hat 3.4.6-2
>>
>> There's a couple of things that may be confusing the config below, which
>> have some simple corrections.
>>
>> I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
>> they are protected from unwanted attention by default - this avoids the
>> need to protect them with a security-constraint.
>>
>> You are also protecting "index.jsp" - which will force a login when the
>> app's homepage is accessed, is this what you intended?
>>
>> Yes
>>
>> Are you logging out programmatically, using the servlet method
>> request.getSession().invalidate(), or are you just clearing cookies?
>>
>> I invalidate the session programmatically... correct.
>>
>> Your primary problem sounds like you have placed some CSS or script
>> files somewhere in a protected directory and the browser is requesting
>> them without providing the correct authentication credentials.
>>
>> Tomcat returns the *first* file you requested inside the secured area
>> after authentication is completed. So for some reason your browser is
>> requesting a script or CSS file before the JSP page.
>>
>> Are the script and CSS files in an unprotected directory?
>>
>> You are absolutely correct, basically the scenario is like this:
>> basically the page is including
>> <link rel="stylesheet" type="text/css"
>>       href="/app1/resources-folder/style.css" />
>> So the browser should apply the style to the page, but instead it outputs
>> the actual file to the browser. So it should the style.css from the jsp
>> file.
>>
>> This scenario happens when I try to add url-pattern in security constraint
>> in web.xml (basically adding that module patterns as I described in first
>> post).
>> Otherwise, it works fine.

The most simple solution here is to move the CSS files to an unprotected directory.

p

>> p
>>
>>>> Date: Tue, 13 Jan 2009 17:03:08 -0800
>>>> From: sams...@gmail.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Tomcat 6.x security-constraint redirection problem... please
>>>> help!
>>>>
>>>>
>>>> I have defined two roles (admin, user)
>>>>
>>>> <security-role>
>>>>     <role-name>user</role-name>
>>>> </security-role>
>>>> <security-role>
>>>>     <role-name>administrator</role-name>
>>>> </security-role>
>>>>
>>>> each of these roles needs to access into separate modules in my webapp.
>>>> For achieving this, I have the following security-constraint in tomcat
>>>> web.xml:
>>>>
>>>> <security-constraint>
>>>>     <web-resource-collection>
>>>>         <web-resource-name>Authorized Access Area</web-resource-name>
>>>>         <url-pattern>/index.jsp</url-pattern>
>>>>         <url-pattern>/login.jsp</url-pattern>
>>>>         <url-pattern>/error.jsp</url-pattern>
>>>>         <url-pattern>/app1/*</url-pattern>
>>>>         <url-pattern>*.jsp</url-pattern>
>>>>     </web-resource-collection>
>>>>     <auth-constraint>
>>>>         <role-name>user</role-name>
>>>>     </auth-constraint>
>>>> </security-constraint>
>>>>
>>>> <security-constraint>
>>>>     <web-resource-collection>
>>>>         <web-resource-name>Authorized Access Area</web-resource-name>
>>>>         <url-pattern>/index.jsp</url-pattern>
>>>>         <url-pattern>/login.jsp</url-pattern>
>>>>         <url-pattern>/error.jsp</url-pattern>
>>>>         <url-pattern>/app2/*</url-pattern>
>>>>     </web-resource-collection>
>>>>     <auth-constraint>
>>>>         <role-name>administrator</role-name>
>>>>     </auth-constraint>
>>>> </security-constraint>
>>>>
>>>> consider the following steps:
>>>>
>>>> 1. Access context/app1/app1action.jsp URL
>>>> 2. I get prompted for credentials
>>>> 3. I login as normal user, and on successful login I get redirected to
>>>>    app1action.jsp page (desired behavior)
>>>> 4. Now, I clear my cache & sessions authentication from browser
>>>>    (firefox)
>>>> 4. Browse into some link in app1action.jsp page pointing to some other
>>>>    page eg. context/app1/anotherpage.jsp
>>>> 5. Now I get prompted to relogin
>>>> 6. On successful login, I expect myself to get redirected to
>>>>    'anotherpage.jsp'. But instead it redirects me to the resources
>>>>    ( JS / img / css ) that are included within 'anotherpage.jsp'. eg.
>>>>    context/resources/sample.js or sample.css or sample.gif ....
>>>>
>>>> I spent googling on this issue for couple of days with no luck.
>>>>
>>>> Can you please advise how to get properly redirected ?
>>>>
>>>> ~ Many Thanks
>>>>
>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Tomcat-6.x-security-constraint-redirection-problem...-please-help%21-tp21448079p21448079.html
>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
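
The layout suggested in this thread, written out as an added example that is not part of the original messages: the login and error pages sit under WEB-INF/login/, and static files sit in a directory that no url-pattern matches, so a stylesheet request can never become the saved request that Tomcat returns after login. FORM authentication and the `/static/` directory name are assumptions; the role names and module paths are taken from the original post.

```xml
<!-- Added example, not from the thread. Assumed layout:
       /WEB-INF/login/login.jsp and error.jsp : reachable only by container forward
       /static/...  : CSS, JS and images, matched by no url-pattern below
       /app1/*, /app2/* : role-restricted modules
     Pages then link to <context-path>/static/style.css instead of a path
     under /app1/. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app1 module</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/app1/*</url-pattern>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>app2 module</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/app2/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumption: FORM login. The login and error pages are no longer listed
     in any security-constraint because WEB-INF is not directly requestable. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
    <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
<security-role>
  <role-name>administrator</role-name>
</security-role>
```

To confirm the change, request `/static/style.css` in a fresh browser session: it should be served without a login prompt, while `/app1/anotherpage.jsp` should still trigger one.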