tomcat-users mailing list archives

From "Mike Curwen" <gb_...@gb-im.com>
Subject RE: FORM Login Bypassed
Date Fri, 01 Aug 2003 16:45:05 GMT
When your dispatcher does the translation, does it forward or include
the 'actual' resource? Meaning it takes place entirely server-side?
If you did a sendRedirect, that would then make the browser request the
protected resource directly, which would invoke the AUTH, if the AUTH is
configured correctly. And it looks right to me.
 
What it sounds like is that once you are on the server-side (by
requesting the un-protected /dispatcher resource) that any server-side
forwards or includes are not being authenticated.  I wasn't aware that
was the case.
 
It works this way for filters though, but in the next servlet spec (2.4)
we'll have filter mappings being honoured for forwards and includes as
well (configurable).  


> -----Original Message-----
> From: Ronnie [mailto:lormee2001@yahoo.com.sg] 
> Sent: Friday, August 01, 2003 11:35 AM
> To: tomcat-user@jakarta.apache.org
> Subject: FORM Login Bypassed
> 
> 
> Hi!
> 
> I have this web application using FORM login access but I am 
> having a problem directing the navigation to the defined login 
> page when a user clicks on a secure link.
> 
> You see, I am using a DispatcherServlet as a navigation 
> controller to direct users to the correct page and the URL is 
> coded as:
> 
>     <a href="dispatcher?action=admin">admin</a>
> 
> Where "dispatcher" is the URL name of the DispatcherServlet. 
> In the servlet, "admin" is translated to 
> "/computers/admin/index.jsp" from values coded in web.xml.
> 
> Now when I declare the protected url-pattern as 
> "/computers/admin/*" as below and click on the above link, 
> the login page is bypassed and I can access the admin index 
> page without logging in.
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Administration functions</web-resource-name>
>     <!-- <url-pattern>dispatcher?action=admin</url-pattern>    Does not work! -->
>     <url-pattern>/computers/admin/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>admin</role-name>
>   </auth-constraint>
> 
>   <!-- HTTPS/SSL -->
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> 
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>dispatcher?action=adminLogin</form-login-page>
>     <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
>   </form-login-config>
> </login-config>
> 
> To overcome this I had to hardcode the link in my webpage as: 
> <a href="/Computers/computers/admin/index.jsp">admin</a>
> 
> I wish to keep my navigation based on logical names. Is there 
> a work-around or solution to this problem?
> 
> 
> 
> Regards,
> Ronnie Choo
> Singapore
> 
> 
> 
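The thread's point is that the container checks security-constraints only against the URL the client requested (/dispatcher), so a server-side forward into /computers/admin/ is never authenticated. As an added example that is not from either poster, the hypothetical filter below re-applies the role check on FORWARD and INCLUDE dispatches; it assumes the Servlet 2.4 `<dispatcher>` element Mike mentions, and the role name "admin" and path from Ronnie's web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not code from the thread).
 *
 * Map it in web.xml on url-pattern /computers/admin/* with
 *   <dispatcher>FORWARD</dispatcher> and <dispatcher>INCLUDE</dispatcher>
 * (Servlet 2.4). Without those elements a filter, like a
 * security-constraint, runs only for direct client requests, which is
 * exactly what the unprotected /dispatcher forward slips past.
 */
public class ForwardAuthFilter implements Filter {
    // Role name taken from the <auth-constraint> in the quoted web.xml.
    private String requiredRole = "admin";

    public void init(FilterConfig config) {
        String role = config.getInitParameter("role");   // optional override
        if (role != null) requiredRole = role;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container authenticated only the client URL (/dispatcher). A user
        // who never hit a constrained URL has no principal here, and a user who
        // did log in may still lack the admin role; deny both before the JSP runs.
        if (request.getUserPrincipal() == null || !request.isUserInRole(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter refuses the forwarded request rather than rendering the protected page; the FORM login itself is still triggered only when the client requests a URL that matches the security-constraint, so the check here is a backstop, not a replacement for putting the protected path on the client-visible URL.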

