tomcat-users mailing list archives

From "Craig Berry" <>
Subject RE: Tomcat Admin 'Invalid Direct Reference' error
Date Sun, 27 Apr 2003 17:41:32 GMT
j_security_check is part of the servlet infrastructure implemented by Tomcat, as defined in
the servlet 2.3 spec.
Unfortunately, the implementation of this is 'magic' in the sense that there really aren't
any simple hooks provided to insert your own code into the process.  The only two options
I've found are to delve deep into the Tomcat security code and try to figure out what it's
doing, and replicate the parts you need, or to give up on JAAS web security and do your own
authentication and cookie management.  Neither is very attractive, alas.

	-----Original Message----- 
	From: cameron [] 
	Sent: Sun 4/27/2003 10:22 AM 
	To: Tomcat Users List 
	Subject: Re: Tomcat Admin 'Invalid Direct Reference' error

	Where is "j_security_check"? Is it part of Tomcat or is it an external
	piece? I was just wondering if I wanted j_security_check to do something
	funky, is it a class I can inherit from so that I can use my class
	instead, is it a servlet that I can replace with my own servlet? I have
	done a search, (find / -name "*j_security_check*"), without any results
	making me think that it is part of Tomcat. I am guessing it sets some
	sort of session variable to state that the current session is
	validated... where are the specs on this so that I can use my own
	servlet for validation?
	Craig Berry wrote:
	>Somewhere you are linking to (or loading) your login form page directly, rather than linking to (or loading) a protected page from the application and allowing the security system to redirect you to the login page when needed.
	>       -----Original Message-----
	>       From: Matthew Smith []
	>       Sent: Sun 4/27/2003 7:16 AM
	>       To:
	>       Cc:
	>       Subject: Tomcat Admin 'Invalid Direct Reference' error
	>       Hi folks.  I just installed Tomcat (4.1.24-LE-jdk14) on Mac OS X
	>       (10.2.5)
	>       I modified my tomcat-users.xml (See end of email) file to enable the
	>       Tomcat Administration webapp by adding a user with role admin and I get
	>       the following error:
	>       <snip>
	>       HTTP Status 400 - Invalid direct reference to form login page
	>       type Status report
	>       message Invalid direct reference to form login page
	>       description The request sent by the client was syntactically incorrect
	>       (Invalid direct reference to form login page).
	>       Apache Tomcat/4.1.24-LE-jdk14
	>       </snip>
	>       This only happens with a valid user and password.  If the username
	>       and/or password is incorrect I get the standard invalid username
	>       password page.
	>       Anybody have any idea why this is happening and how to fix it?
	>       Thanks.
	>       #tomcat-users.xml
	>       <?xml version='1.0' encoding='utf-8'?>
	>       <tomcat-users>
	>          <role rolename="tomcat"/>
	>          <role rolename="role1"/>
	>          <role rolename="admin"/>
	>          <user username="matthew" password="[realpsswdrmvd]" roles="admin"/>
	>          <user username="tomcat" password="tomcat" roles="tomcat"/>
	>          <user username="role1" password="tomcat" roles="role1"/>
	>          <user username="both" password="tomcat" roles="tomcat,role1"/>
	>       </tomcat-users>
	>       ---------------------------------------------------------------------
	>       To unsubscribe, e-mail:
	>       For additional commands, e-mail:

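An added illustration of the point made in this thread, not part of the original messages and not the Tomcat admin webapp's own descriptor: a Servlet 2.3 web.xml fragment for FORM login in which the login page is only ever reached through a protected URL. The URL pattern, page names and realm name are assumptions; the admin role is the one from the quoted tomcat-users.xml.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Assumed layout: everything under /protected/ requires the admin role
       (the role name used in the quoted tomcat-users.xml). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login. The container serves /login.jsp itself when an
       unauthenticated request hits /protected/*, and remembers the original
       request so it can resume it after a successful login.
       /login.jsp (assumed name) contains only a form that POSTs the fields
       j_username and j_password to the relative action j_security_check.
       Nothing in the application should link to /login.jsp directly: links
       and bookmarks point at a protected URL such as /protected/index.jsp.
       A POST to j_security_check with no saved request is the case that
       ends in "Invalid direct reference to form login page". -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example form login</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```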