tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Faulk" <>
Subject Invalid direct reference from servlet with j_security_check
Date Tue, 10 Feb 2004 17:24:57 GMT
My original Tomcat application already had a login.jsp which POSTs to a
servlet which sets various session attributes after validating the user,
password, active flag, etc. Now, I've been asked to let some managers
create their own content which will be straight html, pdf's,
spreadsheets, etc. I want to use form authentication to do this. I was
able to set up a realm for SQL Server with no problems. My login.jsp is
now only called when protected resources are accessed. This login page
is NOT called directly anymore. The login page and any images on the
login.jsp page are all outside of the protected areas.

Unfortunately I now get the "Invalid direct reference to form login
page" error. Originally I tried have the servlet simply redirect to
j_security_check and received this error. Then I figured that perhaps a
form POST is actually required so I changed my code to use HttpClient
and literally http/post to j_security_check. This produces the same
error. If I intentionally pass a bad password to j_security_check then
the redirect to the error form works as I would expect. When the correct
user and password are passed to j_security_check the log records a
successful authentication but returns a status code of 400 for the
invalid direct reference error when the post to j_security_check is

A simple jsp with a form which posts directly to j_security_check
without a servlet will redirect the user to the protected content as
expected. Is what I am trying to do simply not possible? I've seen posts
where others have presumably done this but I have had no success.

I am running Tomcat 4.1.29 on Windows 2000 Server with a SQL Server 2000
database. I have the java 1.4.2 sdk installed.

My login.jsp posts to a servlet with the following code used to post to
j_security_check. username and password have been set to the request
parameters. This is not currently using encoding during testing.
Util.writeLog is just a class I have for debugging which does what it
sounds like it does.
... I'm using the following libraries from

import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.*;


        HttpClient client = new HttpClient();
        PostMethod logPost = new PostMethod(req.getContextPath() +
        NameValuePair user = new NameValuePair("j_username", username);
        NameValuePair pass = new NameValuePair("j_password", password);
        Util.writeLog("user=" + username + ",pass=" + password);
        logPost.setRequestBody(new NameValuePair[] { user, pass });
        int statusCode = logPost.getStatusCode();
        Util.writeLog("status=" + statusCode + "," +

The status returned is 400 for the Invalid Direct Reference error so I
never get any further. I originally tried a simple redirect to
j_security_check with the same result. Is there a header I need to add?
Is there a cookie I need to set?

I could post my web.xml or server.xml but I don't think that will matter
since the authentication works if I use a simple login.jsp with no
servlet. My login.jsp just has the usual user and password in an html
form but also has code to check to make sure the database is up before
showing the login form. 

Am I going about this all wrong? Should I just chuck posting to the
servlet from my login.jsp and come up with another way to do what I

Any help would be appreciated.
Bill Faulk

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message