tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: [BUG] j_security_check forward no longer working
Date Tue, 14 Nov 2000 21:51:46 GMT
Barry Dunne wrote:

> Hi,
> I need to trap the username and password entered by the user when accessing
> a secured web page, this is so that I can use this information when
> connecting to an external system in a servlet.
> The method I used was to have form based authentication but with the action
> posting to a jsp rather than j_security_check, the jsp then stores the
> username/password in the session and forwards the info on to
> j_security_check.
> This works perfectly with tomcat 3.2 beta 4, but tomcat 4 milestone 4 throws
> an exception and creates a blank file called j_security_check in the login
> directory.
> I am running on redhat linux 7 with sun jdk 1.3.
> The attached war file is the files I am using and the text file shows the
> different output when run in v3.2 and v4.
> Thanks,
> Barry.

Tomcat 4.0 should not throw an exception, but neither should it accept a form-based
login unless the action is "j_security_check".  See the Servlet 2.3 Spec (PFD),
Section, p. 78.

There's a similar section in the 2.2 spec that relates to Tomcat 3.2.  Therefore,
if Tomcat 3.2 is accepting your credentials when you post *to* a JSP page, as
opposed to j_security_check, it is broken.

The whole idea of form-based login is that, after you have successfully
authenticated, you are returned to the page you originally asked for.  The user
experience should feel very similar to what happens with BASIC authentication --
the server pauses and asks for your username and password, but then proceeds to
give you the page you asked for if you have successfully authenticated.  Therefore,
it doesn't really make any sense to talk about posting form based login criteria
*to* a JSP page.

On the other hand, it's perfectly reasonable to post *from* a JSP page -- that is
what the example application does.  It declares a JSP page as it's

Craig McClanahan

View raw message