On 26.02.2009, at 23:44, Mark Thomas wrote:

Caldarale, Charles R wrote:
From: Mark Thomas [mailto:ma...@apache.org]
Subject: Re: Request not forwarded to login page with
security-constraint after session time-out

The spec is clearer than that. The "*" role == all roles
defined in web.xml.

Yes, but what it's not clear about is what happens when there are *no* roles defined in web.xml, which is the situation the OP has.

I thought it was pretty clear. If "*" is all roles defined and you have no roles defined then you are basically preventing anyone from accessing that resource (subject to the weird and wonderful rules on combining security constraints).

Not sure I can follow you guys on this... A few questions; my assumption is that the role issue has nothing to do with the real problem:

1. Is the "*"-role issue even relevant in my context? After all, the security constraint works fine if I initially log in...

2. My requirement is indeed: "allow any authenticated user, ignore roles altogether". So I set

    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  ...
  <security-role>
    <role-name>*</role-name>
  </security-role>

in web.xml and allRolesMode="AUTH_ONLY_MODE" in the JDBC realm config. Correct? Uummhh, obviously not, because there's still this error in the log, but it has no impact:

Feb 27, 2009 12:06:43 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
java.sql.SQLException: ORA-00903: invalid table name
        at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)

3. Why does it seem to be relevant that the request where auto-forwarding-to-login-after-session-timeout fails is an AJAX request?

Regards,
Marcel

--
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer
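
Added example, not part of the original message and not Tomcat's code: a simplified Python model of how a "*" auth-constraint is decided under the three documented allRolesMode values (strict, authOnly, strictAuthOnly), covering the "no roles defined in web.xml" case discussed in the thread. The function names, parameters and role sets are hypothetical and constructed for illustration.

```python
# Simplified model of the documented allRolesMode semantics for a
# <auth-constraint><role-name>*</role-name></auth-constraint>.
# Assumption: this mirrors the documented behaviour only; it is not Tomcat source.

MODES = ("strict", "authOnly", "strictAuthOnly")


def star_constraint_allows(mode, defined_roles, user_roles, authenticated=True):
    """Return True if the "*" constraint grants access.

    mode          -- one of MODES
    defined_roles -- role names declared with <security-role> in web.xml
    user_roles    -- roles the realm returned for the user (empty if the
                     role lookup failed or the user has none)
    """
    if mode not in MODES:
        # Model choice: refuse values outside the documented set.
        raise ValueError("unknown allRolesMode: %r" % (mode,))
    if not authenticated:
        return False  # "*" never admits an anonymous request
    # "*" expands to every role declared in web.xml.
    if set(defined_roles) & set(user_roles):
        return True
    if mode == "authOnly":
        return True  # authenticated is enough, roles are ignored
    if mode == "strictAuthOnly":
        # Roles are ignored only when web.xml declares none at all.
        return len(defined_roles) == 0
    return False  # strict: no declared role held, so access is denied


def decision_table(defined_roles, user_roles):
    """Decision per mode for one authenticated user (constructed inputs)."""
    return {m: star_constraint_allows(m, defined_roles, user_roles) for m in MODES}


if __name__ == "__main__":
    # Constructed cases: no roles declared; a literal "*" role declared while
    # the realm returns no roles for the user.
    for declared in ([], ["*"]):
        print(declared, decision_table(declared, []))
```
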

