tomcat-users mailing list archives

From "Mike Curwen" <gb_...@gb-im.com>
Subject RE: Tomcat: j_security_check: Form Authentication
Date Thu, 10 Jul 2003 13:51:16 GMT
The problem is in the error message:
Invalid direct reference to form login page

In brief:  With container-based auth, when a user attempts to access a
protected resource, the container will 'remember' which resource they
tried to access, and send them off to the form login page, specified in
web.xml.  If they successfully authenticate, then the container will
then send them off to the original resource.
 
If you go directly to login.jsp... where are you supposed to go after?

> -----Original Message-----
> From: Muhammad Bilal [mailto:muhammad.bilal@cim.com.au] 
> Sent: Thursday, July 10, 2003 4:00 AM
> To: tomcat-user@jakarta.apache.org
> Subject: Tomcat: j_security_check: Form Authentication
> 
> 
> Hi,
> 
> I am using Form Authentication with Tomcat 4.1.18. Everything seems to be
> working: when I try to access a protected resource directly, it takes me to
> the login.jsp, and if I enter the correct user/password it logs me in and
> takes me to the protected resource. But if I try to go to login.jsp first and
> enter my user/password, it takes me to something like
> http://203.32.143.146:8080/test/j_security_check;jsessionid=303C0E68008E1E54F0E2CBAF43553B27
> and displays
> HTTP Status 400 - Invalid direct reference to form login page
> --------------------------------------------------------------------------------
> type Status report
> message Invalid direct reference to form login page
> description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
> --------------------------------------------------------------------------------
> Apache Tomcat/4.1.18
> 
> j_security_check is the servlet which uses JDBCRealm. I need to know a bit
> of detail about how it works, and how it is possible that we go to login.jsp
> first and then it takes us to the page we want after success, like the admin
> section of Tomcat works, http://localhost:8080/admin. Btw, I also noticed
> that if we try to give a blank user/password on the admin page and click
> submit, it leads to a similar kind of error.
> 
> I have the following configurations:
> In server.xml
>          <!-- Tomcat test Context -->
>          <Context path="/test" docBase="test" debug="0"
>                   reloadable="true" crossContext="true">
>            <Logger className="org.apache.catalina.logger.FileLogger"
>                    prefix="localhost_test_log." suffix=".txt" timestamp="true"/>
>            <Environment name="maxExemptions" type="java.lang.Integer"
>                         value="15"/>
>            <Parameter name="context.param.name" value="context.param.value"
>                       override="false"/>
> 
>            <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>                   driverName="weblogic.jdbc.mssqlserver4.Driver"
>                   connectionURL="jdbc:weblogic:mssqlserver4:tomcatusers@URL"
>                   connectionName="dev" connectionPassword="web"
>                   userTable="users" userNameCol="user_name" userCredCol="user_pass"
>                   userRoleTable="user_roles" roleNameCol="role_name" />
>          </Context>
> In web.xml under /test/WEB-INF
> 
> <web-app>
>     <display-name>Test by Bilal</display-name>
>     <description>It is a test context for authentication.</description>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>OnJava Application</web-resource-name>
>             <url-pattern>/protected/*</url-pattern>
>             <http-method>DELETE</http-method>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>onjavauser</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <realm-name>Example Form-Based Authentication Area</realm-name>
>         <form-login-config>
>             <form-login-page>/login.jsp</form-login-page>
>             <form-error-page>/error.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
> </web-app>
> 
> In log:
> 
> 2003-07-10 18:27:52 WebappLoader[/test]: Reloading checks are enabled for this Context
> 2003-07-10 18:27:53 ContextConfig[/test]: WARNING: Security role name onjavauser used in an <auth-constraint> without being defined in a <security-role>
> 2003-07-10 18:27:54 ContextConfig[/test]: Configured an authenticator for method FORM
> 2003-07-10 18:27:54 StandardManager[/test]: Seeding random number generator class java.security.SecureRandom
> 2003-07-10 18:27:54 StandardManager[/test]: Seeding of random number generator has been completed
> 2003-07-10 18:27:54 StandardWrapper[/test:default]: Loading container servlet default
> 2003-07-10 18:27:54 StandardWrapper[/test:invoker]: Loading container servlet invoker
> 2003-07-10 18:29:42 JDBCRealm[/test]: Username bob successfully authenticated
> 
> Any quick response would be really great.
> 
> Thanks,
> 
> Bilal
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 


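The flow described in the reply above, as a simplified model. This is an added example, not part of the original messages and not Tomcat's source code. The `handle` method, the session keys, the path `/protected/report.jsp` and the password are assumptions made for illustration; URIs are relative to the `/test` context.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of container-managed FORM login (illustration only, not Tomcat source).
public class FormLoginModel {
    static final String LOGIN_PAGE = "/login.jsp";        // form-login-page in the quoted web.xml
    static final String ERROR_PAGE = "/error.jsp";        // form-error-page in the quoted web.xml
    static final String PROTECTED = "/protected/";        // url-pattern in the quoted web.xml
    static final String SAVED_REQUEST = "savedRequest";   // hypothetical session key

    // Constructed stand-in for the JDBCRealm lookup; the password is made up.
    static boolean realmAccepts(String user, String pass) {
        return "bob".equals(user) && "constructed-password".equals(pass);
    }

    // Returns what the model container answers: a status or action plus its target.
    static String handle(Map<String, String> session, String uri, String user, String pass) {
        if (uri.equals("/j_security_check")) {
            if (!realmAccepts(user, pass)) {
                return "forward " + ERROR_PAGE;
            }
            session.put("principal", user);               // model assumption: login is recorded
            String original = session.remove(SAVED_REQUEST);
            if (original == null) {
                // Credentials were fine, but no protected request was remembered.
                return "400 Invalid direct reference to form login page";
            }
            return "302 " + original;
        }
        if (uri.startsWith(PROTECTED) && !session.containsKey("principal")) {
            session.put(SAVED_REQUEST, uri);              // remember where the user was going
            return "forward " + LOGIN_PAGE;
        }
        return "200 " + uri;
    }

    public static void main(String[] args) {
        Map<String, String> viaProtected = new HashMap<>();
        System.out.println(handle(viaProtected, "/protected/report.jsp", null, null));
        System.out.println(handle(viaProtected, "/j_security_check", "bob", "constructed-password"));

        Map<String, String> direct = new HashMap<>();     // fresh session, no saved request
        System.out.println(handle(direct, "/login.jsp", null, null));
        System.out.println(handle(direct, "/j_security_check", "bob", "constructed-password"));
    }
}
```

The last call mirrors the quoted report: the realm accepts bob, as in the quoted log, but the session holds no remembered resource, so the model answers 400 instead of a redirect.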