click-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Schellink <>
Subject Re: By-passing Security on Home Page
Date Thu, 30 Oct 2008 18:15:12 GMT
Hi Paul,

Paul wrote:
> When I start Tomcat, I get the error below.  Entering address
> (http://server1:8080/myapp/home.htm) in my web browser works the way I want
> (i.e., security is by-passed and the home page is displayed).  However, when I
> enter http://server1:8080/myapp/login.htm" in the web browser and try to login,
> the web browser URL is changed to "http://server1:8080/myapp/j_security_check"
> and the error is "HTTP Status 400 - Invalid direct reference to form login
> page".  Did I make a mistake in the steps above or did I leave something out?

Nope your setup looks correct. Thing is users are not suppose to 
access the login.htm page directly. The way the Servlet Security is 
suppose to be used is you secure resources declaratively in your 
web.xml. When you want to access one of these secure pages say 
/secure/stats.htm, the servlet container notices you are not 
authenticated and it forwards you to the url defined in 
<login-config><form-login-page>, in this case login.htm. It is worth 
noting that the address bar in your browser never contains the url 

If the login is successful the servlet container will redirect you to 
your end real destination -> /secure/stats.htm.

However if you access the login.htm page directly by typing it into 
the address bar, the servlet container does not know what your 
destination is. So after you successfully login Tomcat display 
'/j_security_check' which is not a valid address.

In our apps clients normally end up at a landing page after they 
login. So we normally have a link somewhere which says "Login" but 
that link really points to the landing page which is secure. If 
clients click the link they are challenged with the login.htm page, 
after which they are directed to landing-page.htm.

It seems the new Servlet 3.0 spec will address this issue to some 
extent as new #login and #logout API are provided. Thus we won't need 
special j_security_check form.

> ********** Error when starting Tomcat ***********************
> [Click] [info ] initialized in debug mode
> Oct 30, 2008 10:15:05 AM org.apache.catalina.session.StandardManager doLoad
> SEVERE: IOException while loading persisted sessions:
> ion:; unable to create instance
>; unable to
> create instance
> at
> at
> at
> at org.apache.catalina.session.StandardSession.readObject
>   ( ...

The above exception is not related to login but rather to the session 
which was persisted after Tomcat shutdown. Upon restart Tomcat tries 
to recreate the previous sessions but cannot instantiate the HomePage 
class. I think this is because your HomePage does not implement 

Btw how did your HomePage end up in the session? Did you set HomePage 
to stateful or did you manually add it to the session?

kind regards


View raw message