click-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gilberto C. Andrade" <>
Subject Re: By-passing Security on Home Page
Date Thu, 30 Oct 2008 18:39:19 GMT
I found these problems at the beginning as well.
I think it could be addressed after 1.5 release.
This maven archetype ( can
be used as sample.


On Thu, Oct 30, 2008 at 3:15 PM, Bob Schellink <> wrote:
> Hi Paul,
> Paul wrote:
>> When I start Tomcat, I get the error below.  Entering address
>> (http://server1:8080/myapp/home.htm) in my web browser works the way I
>> want
>> (i.e., security is by-passed and the home page is displayed).  However,
>> when I
>> enter http://server1:8080/myapp/login.htm" in the web browser and try to
>> login,
>> the web browser URL is changed to
>> "http://server1:8080/myapp/j_security_check"
>> and the error is "HTTP Status 400 - Invalid direct reference to form login
>> page".  Did I make a mistake in the steps above or did I leave something
>> out?
> Nope your setup looks correct. Thing is users are not suppose to access the
> login.htm page directly. The way the Servlet Security is suppose to be used
> is you secure resources declaratively in your web.xml. When you want to
> access one of these secure pages say /secure/stats.htm, the servlet
> container notices you are not authenticated and it forwards you to the url
> defined in <login-config><form-login-page>, in this case login.htm. It is
> worth noting that the address bar in your browser never contains the url
> '/login.htm'.
> If the login is successful the servlet container will redirect you to your
> end real destination -> /secure/stats.htm.
> However if you access the login.htm page directly by typing it into the
> address bar, the servlet container does not know what your destination is.
> So after you successfully login Tomcat display '/j_security_check' which is
> not a valid address.
> In our apps clients normally end up at a landing page after they login. So
> we normally have a link somewhere which says "Login" but that link really
> points to the landing page which is secure. If clients click the link they
> are challenged with the login.htm page, after which they are directed to
> landing-page.htm.
> It seems the new Servlet 3.0 spec will address this issue to some extent as
> new #login and #logout API are provided. Thus we won't need special
> j_security_check form.
>> ********** Error when starting Tomcat ***********************
>> [Click] [info ] initialized in debug mode
>> Oct 30, 2008 10:15:05 AM org.apache.catalina.session.StandardManager
>> doLoad
>> SEVERE: IOException while loading persisted sessions:
>> ion:; unable to create instance
>>; unable
>> to
>> create instance
>> at
>> at
>> at
>> at org.apache.catalina.session.StandardSession.readObject
>>  ( ...
> The above exception is not related to login but rather to the session which
> was persisted after Tomcat shutdown. Upon restart Tomcat tries to recreate
> the previous sessions but cannot instantiate the HomePage class. I think
> this is because your HomePage does not implement Serializable?
> Btw how did your HomePage end up in the session? Did you set HomePage to
> stateful or did you manually add it to the session?
> kind regards
> bob

View raw message