tomcat-users mailing list archives

From "Ronnie" <lormee2...@yahoo.com.sg>
Subject FORM Login Bypassed
Date Fri, 01 Aug 2003 16:34:57 GMT
Hi!

I have this web application using FORM login access, but I am having a problem directing the
navigation to the defined login page when a user clicks on a secure link.

You see, I am using a DispatcherServlet as a navigation controller to direct users to the
correct page and the URL is coded as:

    <a href="dispatcher?action=admin">admin</a>

Here "dispatcher" is the URL name of the DispatcherServlet. In the servlet, "admin" is translated
to "/computers/admin/index.jsp" from values coded in web.xml.

Now when I declare the protected url-pattern as "/computers/admin/*" as below and click on the
above link, the login page is bypassed and I can access the admin index page without
logging in.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administration functions</web-resource-name>
        <!-- <url-pattern>dispatcher?action=admin</url-pattern>   Does not work!
             A url-pattern is matched against the request path only; the query
             string is never part of the match, and a path pattern must start with '/'. -->
        <url-pattern>/computers/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>admin</role-name>
    </auth-constraint>

    <!-- HTTPS/SSL -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <!-- Both pages are context-relative paths and must begin with '/' -->
        <form-login-page>/dispatcher?action=adminLogin</form-login-page>
        <form-error-page>/dispatcher?action=adminLoginFail</form-error-page>
    </form-login-config>
</login-config>

To overcome this I had to hardcode the link in my webpage as: <a href="/Computers/computers/admin/index.jsp">admin</a>

I wish to keep my navigation based on logical names. Is there a work-around or solution to
this problem?



Regards,
Ronnie Choo
Singapore



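The bypass above happens because Tomcat evaluates a `<security-constraint>` against the request URI the browser actually sent (`/dispatcher`), and a `RequestDispatcher.forward()` to `/computers/admin/index.jsp` is an internal dispatch that never goes back through the authenticator. The following servlet is an added example, not code from the post or from Tomcat; it shows the forward that is bypassed and one way to keep logical names while still letting the container enforce the constraint. The route table, the `Route` class and the target paths other than `/computers/admin/index.jsp` are assumptions; the post reads its mappings from web.xml.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the poster's servlet. Assumed to be mapped to /dispatcher
// in a web app whose context path is /Computers.
public class DispatcherServlet extends HttpServlet {

    /** One navigation entry: the context-relative target and the role it needs (null = public). */
    private static final class Route {
        final String target;
        final String requiredRole;
        Route(String target, String requiredRole) {
            this.target = target;
            this.requiredRole = requiredRole;
        }
    }

    // Hypothetical logical-name table; the post loads these values from web.xml.
    // The request parameter is only ever used as a key into this table, never
    // concatenated into a path, so a caller cannot choose arbitrary targets.
    private static final Map<String, Route> ROUTES = new HashMap<String, Route>();
    static {
        ROUTES.put("home",           new Route("/index.jsp", null));
        ROUTES.put("admin",          new Route("/computers/admin/index.jsp", "admin"));
        ROUTES.put("adminLogin",     new Route("/computers/login.jsp", null));
        ROUTES.put("adminLoginFail", new Route("/computers/loginfail.jsp", null));
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String action = request.getParameter("action");
        Route route = (action == null) ? null : ROUTES.get(action);
        if (route == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        if (route.requiredRole == null) {
            // Public page: an internal forward is fine here.
            request.getRequestDispatcher(route.target).forward(request, response);
            return;
        }

        // Protected page. Forwarding unconditionally would reproduce the bypass:
        // the constraint on /computers/admin/* is checked against /dispatcher,
        // which it does not match, and the forward itself is never authenticated.
        // A redirect makes the browser request the protected URL directly, so the
        // container applies the constraint, triggers the FORM login (and the
        // CONFIDENTIAL transport guarantee), and sends the user on to the target
        // after a successful login.
        if (request.getUserPrincipal() == null || !request.isUserInRole(route.requiredRole)) {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + route.target));
            return;
        }

        // Already authenticated and in the role: forwarding is safe now. This check
        // is defence in depth only; a servlet cannot start the container's FORM
        // login itself, so the redirect above remains the real fix.
        request.getRequestDispatcher(route.target).forward(request, response);
    }
}
```

To verify, request `dispatcher?action=admin` from a session that has not logged in and confirm the response is a redirect to `/Computers/computers/admin/index.jsp` followed by the login form, instead of the admin page body. An alternative that avoids the redirect is to put the logical name in the path rather than the query string (`/dispatcher/admin`, read via `getPathInfo()`) and constrain `/dispatcher/admin/*`; a url-pattern can match path information but never a query string.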