tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Craig - BASIC Authentication
Date Wed, 11 Oct 2000 21:09:48 GMT
Tom Lager wrote:

> Hi Craig,
> Let's say that my context is called "secure" and I want everything
> in this context protected.  So the URL
> http://localhost:8080/secure/index.html
> would cause the form-based login to appear.

So you would propose to use a URL pattern like "/*" in your security constraint,

> Now the problem is that the <form-login-page> and <form-error-page> attributes
> cannot reside within the secure context or an infinite loop of authentication
> will occur because you need to be authenticated before you can see these pages...

This should work fine in 4.0 because I put a bunch of special cases to take care
of it. I haven't tried it in 3.2.

What version are you testing with?

> So I tried to put these pages in the ROOT context by saying
>         <form-login-page>../login.jsp</form-login-page>
>         <form-error-page>../error.jsp</form-error-page>
> and then I successfully got the login form page to display... however when I
> submitted the form Tomcat Complained (Standard Output) saying
> No handler for request R( + j_security_check + null) 401
> so it seems that the pages used to display the login form cannot reside outside
> the context they are to protect... I'm using Tomcat 3.2b4.. do you have any
> solution for this other than putting it in the web.xml for ROOT and making
> /secure NOT a context??

Any attempt to go "above" the directory space of your web application using ".."
should fail, because such actions are disallowed.

> Thanks,
> Tom Lager


See you at ApacheCon Europe <>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
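
The two conditions raised in this message can be checked against a deployment descriptor before deploying. The script below is an added example, not part of the original message and not Tomcat code. It flags form login pages that use ".." to leave the web application, and pages that fall under a protected url-pattern and therefore depend on the container exempting them. The function names and the sample descriptor are constructed for illustration, and the descriptor is assumed to be DTD-style with no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor mirroring the setup discussed in the thread.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>../login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-style url-pattern match: exact, '/prefix/*', '*.ext', or '/'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path

def check_form_login(web_xml):
    """Return (element, path, finding) tuples for the FORM login pages."""
    root = ET.fromstring(web_xml)
    # Only patterns inside security constraints count as "protected".
    patterns = [u.text.strip() for c in root.iter("security-constraint")
                for u in c.iter("url-pattern") if u.text]
    findings = []
    for tag in ("form-login-page", "form-error-page"):
        for elem in root.iter(tag):
            path = (elem.text or "").strip()
            if ".." in path.split("/"):
                findings.append((tag, path, "escapes-context"))
            elif not path.startswith("/"):
                findings.append((tag, path, "not-context-relative"))
            elif any(pattern_matches(p, path) for p in patterns):
                findings.append((tag, path, "inside-protected-pattern"))
    return findings

if __name__ == "__main__":
    for finding in check_form_login(SAMPLE_WEB_XML):
        print(finding)
```
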
