tomcat-users mailing list archives

From "Mike W-M" <m...@ward-murphy.co.uk>
Subject Re: Workaround for login page direct reference
Date Tue, 17 Dec 2002 14:57:17 GMT
Agreed.  Don't forget that the beauty of open-source is that we can look at
what Tomcat's doing...
It throws the "invalid reference" error from the FormAuthenticator class, if
no original request details have been saved as an "internal note" within the
session.  It doesn't immediately look like it's easy to get access to that
information.
As a last resort, it looks easy to alter that behaviour (assuming one can
manage to recompile Tomcat).
If no-one comes up with a better resolution to the problem (which, like you
say, must be one that's cropped up many times before) then it would seem
smart to try and get the developers to code in something a little more
configurable.  [I don't recall that the spec says this behaviour is
required, but...]
i.e. it defaults to the current action unless you've specified a
defaultPostLoginPage property of something or other.

Still, the code had Craig's name on the top of it.  Hopefully he'll come to
our rescue....

Mike.

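As an added illustration (not code from this thread, nor from Tomcat itself) of the filter-based approach Michael suggests below, combined with his advice never to send the browser to login.jsp directly: a servlet filter mapped to the FORM login page that turns a direct client request for login.jsp into a request for a protected resource. The container then saves that request, creates the session note FormAuthenticator looks for, and forwards to the login page itself, so the later j_security_check POST has an original request to return to. The class name, the init parameter names and the /secure/index.jsp path are assumptions for the example; it also assumes the filter is applied only to direct client requests (the default REQUEST dispatcher type) and not to the container's own forward to the login page, otherwise it would redirect in a loop.

```java
// Added example, not from the thread or from Tomcat: a filter that stops
// login.jsp from being reached directly while unauthenticated.  Assumed
// web.xml mapping (REQUEST dispatch only, which is the default):
//
//   <filter>
//     <filter-name>LoginPageFilter</filter-name>
//     <filter-class>LoginPageFilter</filter-class>
//     <init-param>
//       <param-name>protectedLanding</param-name>   <!-- assumed name -->
//       <param-value>/secure/index.jsp</param-value> <!-- assumed path -->
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>LoginPageFilter</filter-name>
//     <url-pattern>/login.jsp</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginPageFilter implements Filter {

    // A resource that lies inside the <security-constraint>.  It must be
    // protected: if it is not, the redirect below simply lets the user in.
    // (Assumed default; override with the init parameter.)
    private String protectedLanding = "/secure/index.jsp";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("protectedLanding");
        if (p != null && p.length() > 0) {
            protectedLanding = p;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String target = request.getContextPath() + protectedLanding;

        // Case 1: already authenticated.  Showing the login page again only
        // invites the "invalid direct reference" error on the next POST, so
        // send the user into the application instead.  This replaces the
        // JSESSIONID-cookie check discussed in the thread with the portable
        // container API, which does not depend on the cookie name.
        if (request.getUserPrincipal() != null) {
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }

        // Case 2: not authenticated and the browser asked for login.jsp
        // directly (bookmark, typed URL, reload).  We cannot read Tomcat's
        // saved-request session note from a filter, so instead ask for the
        // protected resource: the container saves that request and forwards
        // to login.jsp itself.  That internal forward does not pass through
        // this filter (REQUEST dispatch only), so there is no loop.
        response.sendRedirect(response.encodeRedirectURL(target));

        // chain.doFilter() is intentionally never reached: a direct client
        // request for the login page is always redirected.
    }

    public void destroy() {
        // nothing to release
    }
}
```

This does not address the back-button case Michael describes, where login.jsp is served from the browser cache and no request reaches the filter at all; it only removes the bookmark/typed-URL/reload paths to the error.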

----- Original Message -----
From: "Ben Jessel" <ben.jessel@morpheme.co.uk>
To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
Sent: Tuesday, December 17, 2002 2:16 PM
Subject: Re: Workaround for login page direct reference


Thanks mech, that's very interesting; however, I simply just can't believe
that there are Tomcat instances out there in a live production environment
with configured realms that suffer from this problem. Surely there must be
something....
----- Original Message -----
From: "mech" <mech@rz.fh-augsburg.de>
To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>; "'Ben Jessel'"
<ben.jessel@morpheme.co.uk>
Sent: Tuesday, December 17, 2002 12:57 PM
Subject: RE: Workaround for login page direct reference


> Some more ideas...
>
> In my application I never have a direct link to the login.jsp.
> Try to link either to any file that will be accessed after login (e.g.
> content.jsp) or link only to the secure directory that you mapped and
> let the welcome-file redirect link to index.jsp or whatever.
>
> Doesn't solve the back button issue (check tomcat bug list), doesn't
> prohibit users from bookmarking the login.jsp, but improves usability at
> least a bit by avoiding some opportunities to get errors.
>
> For your intermediate page thing I would suggest looking into using
> filters. Unfortunately nothing can prohibit anyone from using the
> browser back button and trying to relog again because in that back button
> case the login.jsp isn't even loaded again; so you can't even check for
> that error by any means.
>
> Michael
>
> > -----Original Message-----
> > From: Ben Jessel [mailto:ben.jessel@morpheme.co.uk]
> > Sent: Dienstag, 17. Dezember 2002 13:43
> > To: Tomcat Users List
> > Subject: Re: Workaround for login page direct reference
> >
> >
> > Thanks Mike,
> >
> > I guess, another workaround is that you could just invalidate
> > their session if they go to the login page.... Now, I still
> > don't see how all this is going to help that "direct reference
> > to login page"....as it seems that I get this error if I go
> > to login.jsp and then enter in my details.....
> >
> > - Say the user goes to xxxx/login.jsp directly....
> > - If we've protected that page Tomcat goes, no - "that's a
> > protected resource", and forwards to xxxx/login.jsp
> >   Otherwise, tomcat just goes to the login page.
> > - You enter the user details, and then tomcat tries to
> > forward to the page you came from (i.e. login.jsp), but
> > detects this is invalid (presumably by comparing against
> > <login-page> in the web.xml), and displays an error - "direct
> > reference to login page"....
> >
> > What I'd really, really, like, is some way of having an
> > intermediate page where I can check the requestURI to find
> > out what page tomcat is going to redirect me to *after* login,
> > so tomcat would give me
> > login.jsp?page_to_forward_to=blah.jsp... but alas, I don't
> > think I can...
> >
> > ----- Original Message -----
> > From: "Mike W-M" <mike@ward-murphy.co.uk>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Sent: Tuesday, December 17, 2002 11:28 AM
> > Subject: Re: Workaround for login page direct reference
> >
> >
> > > I'm going to have to sort this myself in the near future, but I don't
> > > quite see how the fact that you can forward to the protected resource is
> > > going to help?  Isn't Tomcat going to automatically redirect (not
> > > forward - the distinction is important since redirecting will result in
> > > the login page's URL showing up in the browser's address bar) to the
> > > login page you've configured?   Actually... since redirecting causes the
> > > browser to initiate a new request (for your WEB-INF/login page in this
> > > case), won't you get a 404-type error?
> > >
> > > Someone posted in a similar thread the other day that they intended to
> > > check a couple of things in the login page:
> > > 1. request.getRequestedSessionId() is *NULL* and
> > > 2. There is *NO* cookie named "JSESSIONID"
> > > I think the theory was that these would both be true on the first
> > > occasion the login page was accessed, but that if the user was already
> > > authenticated then the conditions wouldn't hold so the page should
> > > redirect to the index page. It's not nice to be relying on a cookie name
> > > (what if they change it between versions, or if cookies are turned off
> > > (though I'm not sure the authentication works then anyway!)?) but I'm
> > > inclined to move in that direction when it's my turn....
> > >
> > > Mike.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Ben Jessel" <ben.jessel@morpheme.co.uk>
> > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>; "Brett M.
> > > Bergquist" <brett@thebergquistfamily.com>
> > > Sent: Tuesday, December 17, 2002 10:55 AM
> > > Subject: Re: Workaround for login page direct reference
> > >
> > >
> > > I'll give that a go.
> > >
> > > Thanks
> > >
> > > Ben
> > > ----- Original Message -----
> > > From: "Brett M. Bergquist" <brettmb@optonline.net>
> > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>;
> > "Ben Jessel"
> > > <ben.jessel@morpheme.co.uk>
> > > Sent: Monday, December 16, 2002 8:54 PM
> > > Subject: Re: Workaround for login page direct reference
> > >
> > >
> > > > Ben, I'm not sure but I believe that I've seen mention that you can
> > > > forward to a page that is not accessible to the outside.  That is, put
> > > > the Login.jsp page within WEB-INF of your web app and it will not be
> > > > available to the outside world but you can forward to it from inside
> > > > the web app.
> > > >
> > > > I don't know if this will work because I have not tried it but it
> > > > might.
> > > >
> > > > Brett
> > > >
> > >
> > > ..
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > > For additional commands, e-mail:
> > <mailto:tomcat-user-help@jakarta.apache.org>
> > >
> > >
> >
> >
>
>








