tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: j_security_check
Date Thu, 08 Nov 2001 07:13:37 GMT
It is never, ever, ever, ever (!!! :-) valid to reference the login page
directly from your browser.

You should use the URL of some page within the protected area of your
application.  For the example shipped with Tomcat, try the following:

  http://localhost:8080/examples/jsp/security/protected

which will get redirected to the login page IF AND ONLY IF the user has
not logged in yet -- but it is up to the container (Tomcat) to do that.

If you're confused about how form based login works, please try an
experiment for me -- temporarily switch to BASIC authentication.  Note the
fact that (from the user perspective), this is what occurs:
* User requests a protected page
* Container detects that the user has not authenticated
  yet, so challenges them for credentials
* Browser displays the pop-up dialog box
* User fills in the username and password
* Container validates the username/password, and
  displays the protected page that was originally asked for.

Note that the user ***never*** asked for the URL of the login page
(because, when you use BASIC, there is no such thing).  That is
***exactly*** the interaction experience that form based login is designed
to emulate.

PLEASE, train your users to just ask for the page they want.  If it's
protected, Tomcat will remember the page they originally asked for while
displaying the login page, and automatically return to it if the
authentication is successful.  Any attempt to reference the login page
directly (by typing its URL into your browser, or by linking to it from
some other page) is doomed to cause frustration and non-portable behavior
(i.e. whatever you figure out that works for servlet container X won't
work for servlet container Y).

Craig

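Craig's description of the container-managed flow, as an added example that is not part of the original thread or of Tomcat's own code: a small Python model of a servlet container's FORM authentication. The user/password, the resource list and the Session/Response shapes are constructed; the URL pattern, role names and login/error pages follow the web.xml McEs quotes, and the `/test/null` redirect reproduces the access log he pasted.

```python
# Added example, not code from the thread or from Tomcat: a model of a servlet
# container's FORM authentication. USERS/RESOURCES are constructed values.
from dataclasses import dataclass
from typing import Optional

USERS = {"maxim": ("secret", {"tester"})}          # constructed: name -> (password, roles)
ALLOWED_ROLES = {"tester", "admin"}                # <auth-constraint> role names
RESOURCES = {"/test/login.jsp", "/test/error.jsp", "/test/protected/index.jsp"}
PROTECTED_PREFIX = "/test/protected/"              # <url-pattern>/test/protected/*
LOGIN_PAGE, ERROR_PAGE = "/test/login.jsp", "/test/error.jsp"

@dataclass
class Session:
    saved_request: Optional[str] = None            # URL the user originally asked for
    user: Optional[str] = None

@dataclass
class Response:
    status: int
    location: Optional[str] = None                 # Location header of a 302
    body: str = ""                                 # page served (a forward keeps the URL)

def handle(session: Session, method: str, path: str, form: Optional[dict] = None) -> Response:
    """Route one request the way the container's authenticator would."""
    if method == "POST" and path == "/test/j_security_check":
        name, password = (form or {}).get("j_username"), (form or {}).get("j_password")
        if name in USERS and USERS[name][0] == password:
            session.user = name
            # Redirect to the remembered request. If the login page was fetched
            # directly, nothing was saved and the target degenerates to "null"
            # under the context path, exactly as in the quoted access log.
            target = session.saved_request or "/test/null"
            session.saved_request = None
            return Response(302, location=target)
        return Response(200, body=ERROR_PAGE)      # failed login: forward to the error page
    if path.startswith(PROTECTED_PREFIX):
        if session.user is None:
            session.saved_request = path           # remember it, then show the login form
            return Response(200, body=LOGIN_PAGE)
        if not USERS[session.user][1] & ALLOWED_ROLES:
            return Response(403)
    if path not in RESOURCES:
        return Response(404)
    return Response(200, body=path)

def run(requests):
    """Replay (method, path, form) tuples in one session; return (status, location, body) per step."""
    session = Session()
    return [(r.status, r.location, r.body) for r in (handle(session, *req) for req in requests)]
```

Asking for the protected page first yields a 302 back to it after login; starting at login.jsp leaves nothing saved, so the same POST lands on `/test/null` and a 404.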

On Thu, 8 Nov 2001, McEs wrote:

> Date: Thu, 08 Nov 2001 12:27:35 +0900
> From: McEs <mces@km.ru>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: j_security_check
>
> Really GREAT, 10X for the help to all!!!
> Unfortunately it doesn't work...
> Ok, listen:
> In the examples
> (/usr/jakarta-tomcat-4.0/webapps/examples/jsp/security/protected/login.jsp)
> file login.jsp is INSIDE /protected directory!? Ok. It doesn't matter.
>
> 1. I move login.jsp from protected folder (test/protected) to
> /usr/jakarta-tomcat-4.0/webapps/ROOT/test/login.jsp
>
> 2. I edited the web.xml:
> ----------------------------
> <web-app>
>
>     <security-constraint>
>       <display-name>Example Security Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Protected Area</web-resource-name>
>          <!-- Define the context-relative URL(s) to be protected -->
>          <url-pattern>/test/protected/*</url-pattern>
>          <!-- If you list http methods, only those methods are protected -->
>          <http-method>DELETE</http-method>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>          <http-method>PUT</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>          <!-- Anyone with one of the listed roles may access this area -->
>          <role-name>tester</role-name>
>          <role-name>admin</role-name>
>       </auth-constraint>
>     </security-constraint>
>
>     <!-- Default login configuration uses form-based authentication -->
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <realm-name>Example Form-Based Authentication Area</realm-name>
>       <form-login-config>
>         <form-login-page>/test/login.jsp</form-login-page>
>         <form-error-page>/test/error.jsp</form-error-page>
>       </form-login-config>
>     </login-config>
>
> </web-app>
> -------------------------------
>
> 3. I checked $conf/server.xml:
> ------------------------
>
> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>        driverName="org.postgresql.Driver"
>        connectionURL="jdbc:postgresql://localhost/gissp_test?user=maxim;password=Maxim"
>        userTable="users" userNameCol="user_name" userCredCol="user_pass"
>        userRoleTable="user_role" roleNameCol="user_role" />
> ------------------------
>
> 4. Then, when I tried to login
> http://localhost:8080/test/login.jsp
>
> I could see:
> HTTP Status 404 - /test/null
> The requested resource (/test/null) is not available.
>
> What's this?
>
> The log file:
> logs/localhost_access_log.2001-11-08.txt
>
> 127.0.0.1 - - [08/Nov/2001:12:23:50 9000] "POST /test/j_security_check HTTP/1.1" 302 -
> 127.0.0.1 - - [08/Nov/2001:12:23:50 9000] "GET /test/null HTTP/1.1" 404 197
>
>
> McEs
> p.s. Really thanks to ALL for help!
>
>
>
> raj wrote:
>
> >>
> >>
> >> it tells the servlet engine to call _its_ login servlet so as to identify
> >> the client with the information found in web.xml (security-* elements),
> >> tomcat-users.xml (depends on web.xml) and the information provided by the
> >> user
> >>
> > See a very good article on this subject at:
> >
> > http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html
> >
> > Cheers
> > -raj
> >
> >
> > --
> > To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
> > Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
> >
> >
> >
>
>
>
>
>

