Return-Path: <funkman@joedog.org>
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 68979 invoked from network); 1 Aug 2003 16:51:54 -0000
Received: from sid.armstrong.com (204.74.20.252)
  by daedalus.apache.org with SMTP; 1 Aug 2003 16:51:54 -0000
Received: from joedog.org (fnord.armstrong.com [204.74.20.11])
	by sid.armstrong.com (8.12.8p1/8.12.8) with ESMTP id h71GidM0010604
	for <tomcat-user@jakarta.apache.org>; Fri, 1 Aug 2003 11:44:40 -0500
Message-ID: <3F2A9A9B.1010409@joedog.org>
Date: Fri, 01 Aug 2003 12:51:39 -0400
From: Tim Funk <funkman@joedog.org>
Organization: Human being
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
 rv:1.3) Gecko/20030312
X-Accept-Language: en-us, en, es-mx, de, sv
MIME-Version: 1.0
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject: Re: FORM Login Bypassed
References: <00a601c3584a$dbcdaee0$0100a8c0@ronhome>
In-Reply-To: <00a601c3584a$dbcdaee0$0100a8c0@ronhome>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Security constraints are imposed on the incoming url.

Query strings are not used in servlet mapping declarations.

-Tim


Ronnie wrote:
> Hi!
> 
> I have this web application using FORM login access but I am having problem directing the navigation to the defined login page when user clicks on a secure link.
> 
> You see, I am using a DispatcherServlet as a navigation controller to direct users to the correct page and the URL is coded as:
> 
>     <a href="dispatcher?action=admin">admin</a>
> 
> Where "dispatcher" is the URL name of the DispatcherServlet. In the servlet, "admin" is translated to "/computers/admin/index.jsp" from values coded in web.xml.
> 
> Now when I declare the  protected url-pattern as "/computers/admin/*" as below, when I click on the above link the login page is bypassed and I can access the admin index page without logging in.
> 
> <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Administration functions</web-resource-name>
> <!--        <url-pattern>dispatcher?action=admin</url-pattern>    Does not work! -->
>         <url-pattern>/computers/admin/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>admin</role-name>
>      </auth-constraint>
> 
>   <!-- HTTPS/SSL-->
>      <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>      </user-data-constraint>
>   </security-constraint>
> 
> <login-config>
>      <auth-method>FORM</auth-method>
>    <form-login-config>
>     <form-login-page>dispatcher?action=adminLogin</form-login-page>
>    <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
>   </form-login-config>
> </login-config>
> 
> To overcome this I had to hardcode the link in my webpage as: <a href="/Computers/computers/admin/index.jsp">admin</a>
> 
> I wish to keep my navigation based on logical names. Is there a work-around or solution to this problem?
> 
> 
> 
> Regards,
> Ronnie Choo
> Singapore
> 
> 
>