tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: FORM Login Bypassed
Date Fri, 01 Aug 2003 16:51:39 GMT
Security constraints are imposed on the incoming url.

Query strings are not used in servlet mapping declarations.

-Tim


Ronnie wrote:
> Hi!
> 
> I have this web application using FORM login access but I am having a problem directing the navigation to the defined login page when a user clicks on a secure link.
> 
> You see, I am using a DispatcherServlet as a navigation controller to direct users to the correct page and the URL is coded as:
> 
>     <a href="dispatcher?action=admin">admin</a>
> 
> Where "dispatcher" is the URL name of the DispatcherServlet. In the servlet, "admin" is translated to "/computers/admin/index.jsp" from values coded in web.xml.
> 
> Now when I declare the protected url-pattern as "/computers/admin/*" as below, when I click on the above link the login page is bypassed and I can access the admin index page without logging in.
> 
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Administration functions</web-resource-name>
>         <!-- <url-pattern>dispatcher?action=admin</url-pattern>    Does not work! -->
>         <url-pattern>/computers/admin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>admin</role-name>
>     </auth-constraint>
> 
>     <!-- HTTPS/SSL -->
>     <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
> </security-constraint>
> 
> <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>         <form-login-page>dispatcher?action=adminLogin</form-login-page>
>         <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
>     </form-login-config>
> </login-config>
> 
> To overcome this I had to hardcode the link in my webpage as: <a href="/Computers/computers/admin/index.jsp">admin</a>
> 
> I wish to keep my navigation based on logical names. Is there a work-around or solution to this problem?
> 
> 
> 
> Regards,
> Ronnie Choo
> Singapore
> 
> 
> 
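
Tim's point applied to the dispatcher, as an added example that is not part of the original thread: the container matches `<security-constraint>` patterns against the URL the client requested (`/dispatcher`, query string ignored) and does not re-check them on a `RequestDispatcher.forward()`. The sketch assumes the poster's servlet forwards to its target; the class body, the `TARGETS` table, the `home` entry and the `PROTECTED_PREFIX` constant are hypothetical, and only the `admin` role and the `/computers/admin/` path come from the posted web.xml.

```java
// Added example, not the poster's code. Uses javax.servlet (the API in use when this
// thread was written); on Tomcat 10 and later the package is jakarta.servlet.
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DispatcherServlet extends HttpServlet {
    // Logical action name -> context-relative path (hypothetical table; the poster
    // reads these values from web.xml).
    private static final Map<String, String> TARGETS = Map.of(
            "admin", "/computers/admin/index.jsp",
            "home", "/index.jsp");

    // Must mirror the <url-pattern>/computers/admin/*</url-pattern> in web.xml.
    private static final String PROTECTED_PREFIX = "/computers/admin/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        // Map.of() rejects null keys, so guard before the lookup.
        String target = (action == null) ? null : TARGETS.get(action);
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        if (target.startsWith(PROTECTED_PREFIX) && !req.isUserInRole("admin")) {
            // A redirect makes the browser request the protected URL itself, so the
            // container evaluates the auth-constraint (FORM login, or 403 for a
            // logged-in user without the role) and the CONFIDENTIAL transport guarantee.
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + target));
            return;
        }

        // Reached only for unprotected targets or callers already in the admin role.
        // The container applies no security constraint to this internal forward.
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

Links can stay in the logical form `dispatcher?action=admin`; the protected path only appears in the redirect the servlet issues.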

