On 20/08/2009 13:00, Pid wrote:
On 20/08/2009 12:36, Dean Chester wrote:
Sorry about that.
Yes, I have an index page in the restricted area that has links to other
restricted JSPs. The logs are not reporting anything.

How do you mean encode your urls?

If you're being asked to log in every click, your session is probably
not being preserved. The session ID is set in a cookie or by encoding
the URL to include the session id:

/path/to/page.jsp;jsessionid=00AF0000000000?query=param&go=here


Most browsers have a variety of dev tools you can use to examine
cookies, or response headers (e.g. Set-Cookie) to see if the cookie is
being set properly.

If it's not, you'll need to encode the URL so that it contains the
session id. The servlet spec, (which of course you have read), has a
handy method on the HttpServletResponse object which can do this.


Encode each URL to ensure that the session id is preserved.

<a href="<%= response.encodeURL(request.getContextPath() +
"/path/to/page.jsp") %>" alt="a link">Linked text</a>

p

If you have a common footer included in your JSPs, you can add the session id to it, so you can see it on each page - it should not change between clicks if you've encoded URLs properly.


 <%= request.getSession().getId() %>

Or if you're using JSP Expression Language

 ${pageContext.session.id}

p


P.S. There are tag libraries that exist to make this easier/less clumsy
looking.


I haven't set a time out in the web.xml file so it's using the
default. The time between clicks is usually about 1-2 seconds. Here is
some of my web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>users</web-resource-name>
    <url-pattern>/add/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>user</role-name>
</security-role>
I am using the default realm which I know works.
Dean

On Thu, Aug 20, 2009 at 12:19 PM, Pid<p...@pidster.com> wrote:

On 20/08/2009 11:55, Dean Chester wrote:

Sorry, Tomcat 6.20, Red Hat Enterprise edition 4 I think. Java 1.6.
And I mean once logged in I have to log in again after clicking on a link in
the restricted area.
Dean


You don't need to reply-to-all, just to the list. I'm obviously on the
mailing list, so I'll get the message anyway - I don't need it twice.

/myapp/index.jsp
/myapp/secure/index.jsp
/myapp/secure/page2.jsp

So you're logging into the secure area, and trying to view, e.g. page2.jsp
from a link on the e.g. index.jsp page?

Do the logs have any errors in them?
If so, what are they?

Are you encoding all of the URLs properly?

How long between clicks?

What is the session timeout in your web.xml?

How have you defined the <security-constraint> in web.xml?

Which Realm are you using?

Perhaps you could post a little bit more information?

p



On Thu, Aug 20, 2009 at 11:23 AM, Pid<p...@pidster.com> wrote:

On 20/08/2009 10:40, Dean Chester wrote:

Hi,
I've written my application using j_security_check yet I keep having to log
in in the restricted area. Has anyone else experienced this?


Yep. I have to log in each time I want to use our app - it's a side
effect of implementing security.

Or is your question referring to a less vague and more specific issue?



Because it works with a small amount of JSPs and then when I
implement it all into my application it doesn't work.


I might need to warm up my Internet Telepathy(tm) without some more
information...



Where am I most likely going wrong?


Not telling us your Tomcat version, JVM version, OS version...

p


Thanks in advance
Dean



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
<mailto:users-unsubscr...@tomcat.apache.org>
For additional commands, e-mail: users-h...@tomcat.apache.org
<mailto:users-h...@tomcat.apache.org>
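
Added example, not part of the original thread: the header check suggested above (is the JSESSIONID coming back in a cookie or in an encoded URL, and does it stay the same between clicks?) run over a captured click sequence. The function names, paths and session ids are constructed for this example.

```python
import re
from http.cookies import SimpleCookie

URL_SID = re.compile(r";jsessionid=([^;?#/]+)")  # id carried as a path parameter

# Constructed sample: four clicks in a FORM-protected area (paths and ids made up).
SAMPLE_CLICKS = [
    {"url": "/myapp/secure/index.jsp", "set_cookie": "JSESSIONID=A1B2C3; Path=/myapp"},
    {"url": "/myapp/secure/page2.jsp", "set_cookie": "JSESSIONID=D4E5F6; Path=/myapp"},
    {"url": "/myapp/secure/page2.jsp;jsessionid=D4E5F6?query=param"},
    {"url": "/myapp/secure/index.jsp", "cookie": "JSESSIONID=D4E5F6"},
]

def cookie_sid(header):
    """Return the JSESSIONID value from a Cookie or Set-Cookie header, or None."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None

def requested_sid(url, cookie_header):
    """Return (session id, carrier) as sent by the browser; carrier is 'cookie', 'url' or None."""
    sid = cookie_sid(cookie_header)
    if sid:
        return sid, "cookie"
    match = URL_SID.search(url)
    return (match.group(1), "url") if match else (None, None)

def trace(clicks):
    """Follow the session id across clicks; return (path, carrier, status) per click."""
    current, report = None, []
    for click in clicks:
        sid, carrier = requested_sid(click["url"], click.get("cookie"))
        issued = cookie_sid(click.get("set_cookie"))
        if current is None:
            status = "start"
        elif sid is None:
            status = "lost"      # link not encoded and no cookie returned
        elif sid != current:
            status = "mismatch"  # browser sent an id the server no longer uses
        else:
            status = "kept"
        if issued and status == "kept":
            status = "replaced"  # server issued a new id anyway (timeout, or id rotation at login)
        current = issued or current
        report.append((click["url"].split(";")[0].split("?")[0], carrier, status))
    return report

if __name__ == "__main__":
    for row in trace(SAMPLE_CLICKS):
        print(row)
```

A "lost" row followed by a new Set-Cookie is the pattern that produces a login prompt on every click.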



