tomcat-users mailing list archives

From "Ronnie" <lormee2...@yahoo.com.sg>
Subject Re: FORM Login Bypassed
Date Fri, 01 Aug 2003 16:58:43 GMT

----- Original Message -----
From: "Mike Curwen" <gb_dev@gb-im.com>
To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
Sent: Saturday, August 02, 2003 12:45 AM
Subject: RE: FORM Login Bypassed


> When your dispatcher does the translation, does it forward or include
> the 'actual' resource ?  Meaning it takes place entirely server-side ?

This is how I dispatched it:

      // resource is the translated URL, e.g. "/computers/admin/index.jsp"
      RequestDispatcher rd = request.getRequestDispatcher(resource);

      // Forward to the resource server-side (no new request from the browser)
      try {
         rd.forward(request, response);
      } catch (ServletException e) {
         log("Forward to " + resource + " failed", e);
      }

> If you did a sendRedirect, that would then make the browser request the
> protected resource directly, which would invoke the AUTH, if the AUTH is
> configured correctly. And it looks right to me.

How do you do a sendRedirect? Sorry, I'm still quite green in servlet
programming...

> What it sounds like is that once you are on the server-side (by
> requesting the un-protected /dispatcher resource) that any server-side
> forwards or includes are not being authenticated.  I wasn't aware that
> was the case.
>
> It works this way for filters though, but in the next servlet spec (2.4)
> we'll have filter mappings being honoured for forwards and includes as
> well (configurable).

Thanks a lot for the help and info!

>
> > -----Original Message-----
> > From: Ronnie [mailto:lormee2001@yahoo.com.sg]
> > Sent: Friday, August 01, 2003 11:35 AM
> > To: tomcat-user@jakarta.apache.org
> > Subject: FORM Login Bypassed
> >
> >
> > Hi!
> >
> > I have this web application using FORM login access but I am
> > having problem directing the navigation to the defined login
> > page when user clicks on a secure link.
> >
> > You see, I am using a DispatcherServlet as a navigation
> > controller to direct users to the correct page and the URL is
> > coded as:
> >
> >     <a href="dispatcher?action=admin">admin</a>
> >
> > Where "dispatcher" is the URL name of the DispatcherServlet.
> > In the servlet, "admin" is translated to
> > "/computers/admin/index.jsp" from values coded in web.xml.
> >
> > Now when I declare the protected url-pattern as
> > "/computers/admin/*" as below, when I click on the above link
> > the login page is bypassed and I can access the admin index
> > page without logging in.
> >
> > <security-constraint>
> >    <web-resource-collection>
> >       <web-resource-name>Administration functions</web-resource-name>
> >       <!-- <url-pattern>dispatcher?action=admin</url-pattern>  Does not work! -->
> >       <url-pattern>/computers/admin/*</url-pattern>
> >    </web-resource-collection>
> >    <auth-constraint>
> >       <!-- Anyone with one of the listed roles may access this area -->
> >       <role-name>admin</role-name>
> >    </auth-constraint>
> >
> >    <!-- HTTPS/SSL -->
> >    <user-data-constraint>
> >       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >    </user-data-constraint>
> > </security-constraint>
> >
> > <login-config>
> >    <auth-method>FORM</auth-method>
> >    <form-login-config>
> >       <form-login-page>dispatcher?action=adminLogin</form-login-page>
> >       <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
> >    </form-login-config>
> > </login-config>
> >
> > To overcome this I had to hardcode the link in my webpage as:
> > <a href="/Computers/computers/admin/index.jsp">admin</a>
> >
> > I wish to keep my navigation based on logical names. Is there
> > a work-around or solution to this problem?
> >
> > Regards,
> > Ronnie Choo
> > Singapore

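The redirect approach Mike describes, written out as an added example (not code from either poster): a navigation servlet that keeps logical action names but sends the browser to the real URL with sendRedirect, so the container matches /computers/admin/* and runs FORM login. The action table, the login page path and the home page path are assumed values, not from the thread.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Navigation controller. Security constraints in web.xml are matched against
// the URL the browser asked for, not against the target of a server-side
// forward, so a protected page must be reached through a new browser request.
public class DispatcherServlet extends HttpServlet {

    // Logical name -> context-relative resource. Constructed sample table;
    // a real deployment would read these from init-params in web.xml.
    private final Map<String, String> actions = new HashMap<>();

    @Override
    public void init() throws ServletException {
        actions.put("admin", "/computers/admin/index.jsp");
        actions.put("adminLogin", "/computers/login.jsp");   // assumed path
        actions.put("home", "/computers/index.jsp");         // assumed path
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String resource = actions.get(req.getParameter("action"));
        if (resource == null) {
            // Unknown logical name: do not guess a target, just 404
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Redirect: the browser requests the protected URL itself, the
        // container matches /computers/admin/* and shows the FORM login page.
        // A forward (getRequestDispatcher(resource).forward(req, resp)) would
        // serve the page without any authentication check.
        String target = req.getContextPath() + resource;
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}
```

The redirect costs one extra round trip; only resources that are not under a security constraint are safe to reach with forward instead.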
