tomcat-users mailing list archives

From "Mike Curwen" <gb_...@gb-im.com>
Subject RE: FORM Login Bypassed
Date Fri, 01 Aug 2003 18:12:28 GMT
The sendRedirect() method is on the response object. Another method of
interest will be the encodeRedirectURL() so that non-cookie users can
still use your site.

Something like:

    String resource = "somepage/somewhere.jsp";
    response.sendRedirect(response.encodeRedirectURL(resource));

> -----Original Message-----
> From: Ronnie [mailto:lormee2001@yahoo.com.sg] 
> Sent: Friday, August 01, 2003 11:59 AM
> To: Tomcat Users List
> Subject: Re: FORM Login Bypassed
> 
> 
> 
> ----- Original Message -----
> From: "Mike Curwen" <gb_dev@gb-im.com>
> To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
> Sent: Saturday, August 02, 2003 12:45 AM
> Subject: RE: FORM Login Bypassed
> 
> 
> > When your dispatcher does the translation, does it forward or include
> > the 'actual' resource ?  Meaning it takes place entirely server-side ?
> 
> This is how I dispatched it:
> 
>       RequestDispatcher rd = request.getRequestDispatcher(resource);
> 
>       // Forward resource, resource is the URL. IE: "/computers/admin/index.jsp"
>       try {
>          rd.forward(request, response);
>       } catch (ServletException e) {...}
> 
> > If you did a sendRedirect, that would then make the browser request
> > the protected resource directly, which would invoke the AUTH, if the
> > AUTH is configured correctly. And it looks right to me.
> 
> How do you do a sendRedirect? Sorry, I'm still quite green in 
> servlet programming...
> 
> > What it sounds like is that once you are on the server-side (by
> > requesting the un-protected /dispatcher resource) that any server-side
> > forwards or includes are not being authenticated.  I wasn't aware that
> > was the case.
> >
> > It works this way for filters though, but in the next servlet spec 
> > (2.4) we'll have filter mappings being honoured for forwards and 
> > includes as well (configurable).
> 
> Thanks a lot for the help and info!
> 
> >
> > > -----Original Message-----
> > > From: Ronnie [mailto:lormee2001@yahoo.com.sg]
> > > Sent: Friday, August 01, 2003 11:35 AM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: FORM Login Bypassed
> > >
> > >
> > > Hi!
> > >
> > > I have this web application using FORM login access but I am having
> > > a problem directing the navigation to the defined login page when the
> > > user clicks on a secure link.
> > >
> > > You see, I am using a DispatcherServlet as a navigation controller
> > > to direct users to the correct page and the URL is coded as:
> > >
> > >     <a href="dispatcher?action=admin">admin</a>
> > >
> > > Where "dispatcher" is the URL name of the DispatcherServlet. In the
> > > servlet, "admin" is translated to "/computers/admin/index.jsp" from
> > > values coded in web.xml.
> > >
> > > Now when I declare the protected url-pattern as "/computers/admin/*"
> > > as below, when I click on the above link the login page is bypassed
> > > and I can access the admin index page without logging in.
> > >
> > > <security-constraint>
> > >    <web-resource-collection>
> > >       <web-resource-name>Administration functions</web-resource-name>
> > >       <!-- <url-pattern>dispatcher?action=admin</url-pattern>    Does not work! -->
> > >       <url-pattern>/computers/admin/*</url-pattern>
> > >    </web-resource-collection>
> > >    <auth-constraint>
> > >       <!-- Anyone with one of the listed roles may access this area -->
> > >       <role-name>admin</role-name>
> > >    </auth-constraint>
> > >
> > >    <!-- HTTPS/SSL-->
> > >    <user-data-constraint>
> > >       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >    </user-data-constraint>
> > > </security-constraint>
> > >
> > > <login-config>
> > >    <auth-method>FORM</auth-method>
> > >    <form-login-config>
> > >       <form-login-page>dispatcher?action=adminLogin</form-login-page>
> > >       <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
> > >    </form-login-config>
> > > </login-config>
> > >
> > > To overcome this I had to hardcode the link in my webpage as:
> > >     <a href="/Computers/computers/admin/index.jsp">admin</a>
> > >
> > > I wish to keep my navigation based on logical names. Is there a
> > > work-around or solution to this problem?
> > >
> > > Regards,
> > > Ronnie Choo
> > > Singapore
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

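Putting the advice in this thread into a complete navigation servlet, as an added example that is not code from the thread or from Ronnie's application: it keeps the logical action names but answers with a redirect instead of a forward, so the browser itself requests /computers/admin/index.jsp and the container applies the security-constraint. The action table, the init() population and the "/computers/index.jsp" public page are assumptions; in the original post the mappings come from web.xml.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Navigation controller mapping a logical action name to a resource path.
 * RequestDispatcher.forward() stays inside the container and is never
 * matched against <security-constraint>, which is why the original
 * dispatcher let unauthenticated users reach the admin page. A redirect
 * makes the browser issue its own request for the protected URL, and
 * that request is subject to the container's FORM login.
 */
public class DispatcherServlet extends HttpServlet {

    // Hypothetical action table (assumed); the thread loads these from web.xml.
    private final Map<String, String> actions = new HashMap<String, String>();

    public void init() throws ServletException {
        actions.put("home", "/computers/index.jsp");         // assumed public page
        actions.put("admin", "/computers/admin/index.jsp");  // protected by url-pattern
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String resource = actions.get(request.getParameter("action"));
        if (resource == null) {
            // Only table entries are valid targets; the request parameter is
            // never used as a redirect location itself.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Absolute path inside this web application, e.g.
        // "/Computers/computers/admin/index.jsp"; the container matches the
        // part after the context path against "/computers/admin/*".
        String target = request.getContextPath() + resource;
        // encodeRedirectURL() adds the session id to the URL for clients that
        // do not accept cookies, so the session survives the redirect.
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```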
