From: "Ronnie"
To: "Tomcat Users List"
Subject: Re: FORM Login Bypassed
Date: Sat, 2 Aug 2003 00:58:43 +0800

----- Original Message -----
From: "Mike Curwen"
To: "'Tomcat Users List'"
Sent: Saturday, August 02, 2003 12:45 AM
Subject: RE: FORM Login Bypassed

> When your dispatcher does the translation, does it forward or include
> the 'actual' resource ? Meaning it takes place entirely server-side ?

This is how I dispatched it:

RequestDispatcher rd = request.getRequestDispatcher(resource);
// Forward resource, resource is the URL. IE: "/computers/admin/index.jsp"
try {
    rd.forward(request, response);
} catch (ServletException e) {...}

> If you did a sendRedirect, that would then make the browser request the
> protected resource directly, which would invoke the AUTH, if the AUTH is
> configured correctly. And it looks right to me.

How do you do a sendRedirect? Sorry, I'm still quite green in servlet
programming...

> What it sounds like is that once you are on the server-side (by
> requesting the un-protected /dispatcher resource) that any server-side
> forwards or includes are not being authenticated.
> I wasn't aware that was the case.
>
> It works this way for filters though, but in the next servlet spec (2.4)
> we'll have filter mappings being honoured for forwards and includes as
> well (configurable).

Thanks a lot for the help and info!

> > -----Original Message-----
> > From: Ronnie [mailto:lormee2001@yahoo.com.sg]
> > Sent: Friday, August 01, 2003 11:35 AM
> > To: tomcat-user@jakarta.apache.org
> > Subject: FORM Login Bypassed
> >
> > Hi!
> >
> > I have this web application using FORM login access but I am
> > having a problem directing the navigation to the defined login
> > page when user clicks on a secure link.
> >
> > You see, I am using a DispatcherServlet as a navigation
> > controller to direct users to the correct page and the URL is
> > coded as:
> >
> > admin
> >
> > Where "dispatcher" is the URL name of the DispatcherServlet.
> > In the servlet, "admin" is translated to
> > "/computers/admin/index.jsp" from values coded in web.xml.
> >
> > Now when I declare the protected url-pattern as
> > "/computers/admin/*" as below, when I click on the above link
> > the login page is bypassed and I can access the admin index
> > page without logging in.
> >
> > Administration functions
> > /computers/admin/*
> > admin
> > CONFIDENTIAL
> > FORM
> > dispatcher?action=adminLogin
> > dispatcher?action=adminLoginFail
> >
> > To overcome this I had to hardcode the link in my webpage as:
> > admin
> >
> > I wish to keep my navigation based on logical names. Is there
> > a work-around or solution to this problem?
> >
> > Regards,
> > Ronnie Choo
> > Singapore
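
The sendRedirect approach discussed above, as an added example that is not part of the original thread: container security constraints are checked against the URL the client requests, not against the target of a RequestDispatcher forward, so the dispatcher below redirects to the protected path instead of forwarding when the caller lacks the role. The class body, the hardcoded map, the "home" entry and the role name "admin" are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical implementation, not the poster's servlet).
public class DispatcherServlet extends HttpServlet {

    // Logical name -> real path. The thread reads these from web.xml;
    // they are hardcoded here (Map.of needs Java 9+). "home" is constructed.
    private static final Map<String, String> TARGETS = Map.of(
            "admin", "/computers/admin/index.jsp",
            "home", "/index.jsp");

    // Mirrors the protected url-pattern /computers/admin/* from the thread.
    private static final String PROTECTED_PREFIX = "/computers/admin/";
    private static final String REQUIRED_ROLE = "admin"; // assumed role name

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String resource = TARGETS.get(request.getParameter("action"));
        if (resource == null) {
            // Unknown logical name: never forward to a caller-supplied path.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        boolean isProtected = resource.startsWith(PROTECTED_PREFIX);
        if (isProtected && !request.isUserInRole(REQUIRED_ROLE)) {
            // Redirect instead of forward: the browser issues a new request
            // for the protected URL, so the container evaluates the
            // security-constraint and starts the FORM login itself.
            String location = request.getContextPath() + resource;
            response.sendRedirect(response.encodeRedirectURL(location));
            return;
        }

        // Unprotected target, or caller already holds the role:
        // a server-side forward is acceptable here.
        request.getRequestDispatcher(resource).forward(request, response);
    }
}
```

The links can keep using the logical name (dispatcher?action=admin); only the protected branch costs an extra round trip, and the role check in the servlet keeps the forward path from becoming a way around the constraint.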