tomcat-users mailing list archives

From Rick Roberts <techi...@ait-web.com>
Subject Re: Tomcat: j_security_check: Form Authentication
Date Thu, 10 Jul 2003 13:42:31 GMT
I just started trying to use Form AUTH and JDBCRealm a couple days ago, and I am seeing the
exact same behavior.

Muhammad Bilal wrote:
> Hi,
> 
> I am using Form Authentication with Tomcat 4.1.18. Everything seems to be
> working: when I try to access a protected resource directly, it takes me
> to the login.jsp, and if I enter the correct user/password it logs me in and
> takes me to the protected resource. But if I try to go to login.jsp first and
> enter my user/password, it takes me to something like
> http://203.32.143.146:8080/test/j_security_check;jsessionid=303C0E68008E1E54F0E2CBAF43553B27
> 
> and displays
> HTTP Status 400 - Invalid direct reference to form login page
> -------------------------------------------------------------------------------- 
> 
> type Status report
> message Invalid direct reference to form login page
> description The request sent by the client was syntactically incorrect 
> (Invalid direct reference to form login page).
> -------------------------------------------------------------------------------- 
> 
> Apache Tomcat/4.1.18
> 
> j_security_check is the servlet which uses JDBCRealm. I need to know in a
> bit of detail how it works, and how it is possible to go to login.jsp
> first and then be taken to the page we want after success, the way the
> admin section of Tomcat works (http://localhost:8080/admin). Btw, I also
> noticed that if we submit a blank user/password on the admin page, it
> leads to a similar kind of error.
> 
> I have following configurations:
> In server.xml
>         <!-- Tomcat test Context -->
>         <Context path="/test" docBase="test" debug="0" reloadable="true" crossContext="true">
>           <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_test_log." suffix=".txt" timestamp="true"/>
>           <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
>           <Parameter name="context.param.name" value="context.param.value" override="false"/>
> 
>           <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>                  driverName="weblogic.jdbc.mssqlserver4.Driver"
>                  connectionURL="jdbc:weblogic:mssqlserver4:tomcatusers@URL"
>                  connectionName="dev" connectionPassword="web"
>                  userTable="users" userNameCol="user_name" userCredCol="user_pass"
>                  userRoleTable="user_roles" roleNameCol="role_name" />
>         </Context>
> In web.xml under /test/WEB-INF
> 
> <web-app>
>     <display-name>Test by Bilal</display-name>
>     <description>It is a test context for authentication.</description>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>OnJava Application</web-resource-name>
>             <url-pattern>/protected/*</url-pattern>
>             <http-method>DELETE</http-method>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>onjavauser</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <realm-name>Example Form-Based Authentication Area</realm-name>
>         <form-login-config>
>             <form-login-page>/login.jsp</form-login-page>
>             <form-error-page>/error.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
> </web-app>
> 
> In log:
> 
> 2003-07-10 18:27:52 WebappLoader[/test]: Reloading checks are enabled for this Context
> 2003-07-10 18:27:53 ContextConfig[/test]: WARNING: Security role name onjavauser used in an <auth-constraint> without being defined in a <security-role>
> 2003-07-10 18:27:54 ContextConfig[/test]: Configured an authenticator for method FORM
> 2003-07-10 18:27:54 StandardManager[/test]: Seeding random number generator class java.security.SecureRandom
> 2003-07-10 18:27:54 StandardManager[/test]: Seeding of random number generator has been completed
> 2003-07-10 18:27:54 StandardWrapper[/test:default]: Loading container servlet default
> 2003-07-10 18:27:54 StandardWrapper[/test:invoker]: Loading container servlet invoker
> 2003-07-10 18:29:42 JDBCRealm[/test]: Username bob successfully authenticated
> 
> Any quick response would be really great.
> 
> Thanks,
> 
> Bilal
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

-- 
*******************************************
* Rick Roberts                            *
* Advanced Information Technologies, Inc. *
*******************************************
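
Added example, not part of the original thread and not Tomcat's own code: a Python check run over a trimmed copy of the web.xml quoted above. It flags the undeclared role that the ContextConfig warning in the log reports, the `<http-method>` list (a constraint that lists methods applies only to those methods), and the `NONE` transport guarantee under FORM login. The function name `audit_web_xml`, the finding codes and the embedded sample are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the web.xml quoted in the message above (constructed sample).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/protected/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>onjavauser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return sorted (code, detail) findings for a namespace-free web.xml (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = set()
    declared = {r.text.strip() for r in root.findall("security-role/role-name") if r.text}
    form_auth = (root.findtext("login-config/auth-method") or "").strip() == "FORM"
    for sc in root.findall("security-constraint"):
        # Roles used in <auth-constraint> should be declared in <security-role>.
        for role in sc.findall("auth-constraint/role-name"):
            name = (role.text or "").strip()
            if name != "*" and name not in declared:
                findings.add(("UNDECLARED_ROLE", name))
        # Listing methods limits the constraint to them; unlisted methods are not covered.
        for wrc in sc.findall("web-resource-collection"):
            methods = sorted(m.text.strip() for m in wrc.findall("http-method") if m.text)
            if methods:
                findings.add(("METHODS_LISTED", ",".join(methods)))
        # NONE (also the default when absent) means TLS is not required for this constraint.
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if form_auth and tg == "NONE":
            findings.add(("CLEARTEXT_LOGIN", tg))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit_web_xml(SAMPLE_WEB_XML):
        print(code, detail)
```

A descriptor that declares the role in `<security-role>`, omits the `<http-method>` list and sets `CONFIDENTIAL` produces no findings.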

