tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject servlet mappings and security constraints with j_security_check
Date Mon, 13 Oct 2003 16:26:21 GMT
I am getting the familiar status 400 - invalid direct reference, and yet 
I am absolutely not surfing to the login page myself.

This is the page I am on:

https://localhost:8443/mywebapp/registerdone.do

and this is the link I am using:

https://localhost:8443/mywebapp/private/editprofile.do

This mapping is protected by my security constraints (/private/) and so 
tomcat invokes the j_security_check form, and on submission tomcat gives 
me the 400 status invalid direct reference.

I have the login form and the login error form SSL encrypted.

It works fine for non-HTTPS links.

Here's the web.xml snippet:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>SSL 4 Login</web-resource-name>
       <url-pattern>/ssllogin.html</url-pattern>
       <url-pattern>/sslerror.html</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
       <description>SSL required</description>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Login</web-resource-name>
       <url-pattern>/private/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>user</role-name>
       <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
       <description>SSL not required</description>
       <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>FORM</auth-method>
     <realm-name>BlackSailRealm</realm-name>
     <form-login-config>
       <form-login-page>/ssllogin.html</form-login-page>
       <form-error-page>/sslerror.html</form-error-page>
     </form-login-config>
   </login-config>
   <security-role>
     <role-name>user</role-name>
   </security-role>
   <security-role>
     <role-name>admin</role-name>
   </security-role>

Does anyone know what I am doing wrong, or has seen this error too?

Thanks
Adam

-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message