tomcat-users mailing list archives

From Jose Andrés Pérez <joseandres.pe...@m-centric.com>
Subject Tomcat 3.3.1 authentication problem working without cookies
Date Thu, 17 Oct 2002 17:45:47 GMT
Hello everybody,

I have an authentication problem using Jakarta Tomcat 3.3.1 and I don't know
how to solve it. My context is the following:
  - There are two roles on my Web application (admin and contentprovider):
    <security-role>
        <role-name>services.admin</role-name>
    </security-role>
    <security-role>
        <role-name>services.contentprovider</role-name>
    </security-role>

  - There are two ways (URLs) to access the webapp. One of them can only be
accessed by users that belong to the admin role and the other one by those
who belong to the contentprovider role:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SuperAdministrator tool</web-resource-name>
            <url-pattern>/tools/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>servicesadmin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Content Provider tool</web-resource-name>
            <url-pattern>/tools/contentprovider/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>services.contentprovider</role-name>
        </auth-constraint>
    </security-constraint>

  - There are two servlets listening, one for admin requests and another for
contentprovider requests:
    <servlet-mapping>
        <servlet-name>AdminTools</servlet-name>
        <url-pattern>/tools/admin/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>CPTools</servlet-name>
        <url-pattern>/tools/contentprovider/*</url-pattern>
    </servlet-mapping>

  - I have configured in web.xml the form login JSP for both login and
error. In both cases (login and error) the JSP is the same:
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp?error</form-error-page>
        </form-login-config>
    </login-config>

  - I have configured the web.xml with these characteristics and the web
application works fine with cookies.

The problem is when I want to work without cookies. I try to access the
web application (for example
http://localhost:8080/mywebapp/tools/admin/init.bwp) and the login.jsp is
executed and returned with its jsessionid on the returned URL. That's fine.
But if I fail the login, Tomcat launches the resource defined in the
<form-error-page> tag, that is /login.jsp?error. Tomcat launches it but
(OOOOOOHHH!!) does not include the jsessionid.
How can I configure Tomcat to include the jsessionid on the login error
page? Is this kind of configuration possible on Tomcat 3.3.1?



Thanks in advance,
Jose
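
An added example, not part of the original message and not Tomcat code: a small Python check over a deployment descriptor that reports role names used in <auth-constraint> but never declared in <security-role>, and declared roles that no constraint uses. The sample input is constructed from the fragments quoted in the message, wrapped in an assumed <web-app> root; audit_roles is a hypothetical helper name. Run on those fragments it reports servicesadmin (admin constraint) against the declared services.admin.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the role and constraint fragments quoted in the message,
# wrapped in a <web-app> root (assumption: the post shows fragments only).
SAMPLE_WEB_XML = """<web-app>
  <security-role><role-name>services.admin</role-name></security-role>
  <security-role><role-name>services.contentprovider</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SuperAdministrator tool</web-resource-name>
      <url-pattern>/tools/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>servicesadmin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Content Provider tool</web-resource-name>
      <url-pattern>/tools/contentprovider/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>services.contentprovider</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def audit_roles(web_xml_text):
    """Return (undeclared, unused).

    undeclared: list of (role, url_patterns) for roles that a constraint
                references but no <security-role> declares.
    unused:     sorted list of declared roles that no constraint references.
    Assumes a DTD-style descriptor without XML namespaces, as in the post.
    """
    root = ET.fromstring(web_xml_text)
    declared = {r.findtext("role-name", "").strip()
                for r in root.iter("security-role")}
    referenced, undeclared = set(), []
    for constraint in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in constraint.iter("url-pattern") if p.text]
        for role in constraint.findall("auth-constraint/role-name"):
            name = (role.text or "").strip()
            referenced.add(name)
            if name != "*" and name not in declared:  # "*" means any declared role
                undeclared.append((name, patterns))
    return undeclared, sorted(declared - referenced)


if __name__ == "__main__":
    missing, unused = audit_roles(SAMPLE_WEB_XML)
    for role, patterns in missing:
        print(f"undeclared role {role!r} guards {patterns}")
    print("declared but unused:", unused)
```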


