tomcat-users mailing list archives

From Amol Upadhye <>
Subject RE: Post request to 'j_security_check' after tomcat restart or session timeout produces error 400
Date Wed, 19 Apr 2006 08:09:07 GMT
Thanks much for your comments. I will try to debug more the tomcat shutdown


-----Original Message-----
From: David Delbecq [] 
Sent: Tuesday, April 18, 2006 7:41 PM
To: Tomcat Users List
Subject: Re: Post request to 'j_security_check' after tomcat restart or session timeout produces error 400


First, you must understand that in form-based login, access to the form
should never be done directly. That's because the container can accept a
form login only if the user previously tried to access an area requiring
authentication. In simple terms, you see the form because the
container has decided it required your credentials, not because you just
wanted to log in.

Now in your case, after a session expires, when the user submits the form,
tomcat just notices it gets an access to j_security_check while the user
session (which has been reset) shows no trace of a previous attempt to
access a secure area needing authentication. The container then
naturally concludes it is an attempt at accessing
j_security_check directly and just ignores the call, sending a 400.
At this step, tomcat has not saved the user/pass.

In your error handler you redirect to the secure area. Then naturally,
tomcat now triggers the code requesting credentials and shows the
login form again.

So there is no solution to solve your problem, except perhaps increasing
session timeout to limit the number of 'show form - timeout - submit form'

The case of tomcat shutting down may be due to errors persisting the
sessions (see output at tomcat shutdown/startup and check for session
persistence errors)

David Delbecq
Amol Upadhye wrote:

>Anybody know about the problem I have as described in below email?
>-----Original Message-----
>From: Amol Upadhye [] 
>Sent: Thursday, April 13, 2006 2:25 PM
>Subject: Post request to 'j_security_check' after tomcat restart or session
>timeout produces error 400 
>I am using Tomcat 5.0.28 and Form based authentication. 
>Here are steps to produce my problem,
>1. Access secured page -> tomcat forwards request to login page
>2. Restart tomcat server or wait till session expires, keep login page as
>is, do not close browser window.
>3. After tomcat restarts, with same login page try to login
>In this case even if login information is correct tomcat throws error 400. 
>This is because it loses the URL to which to forward to after
>What I want is to forward the request to the desired page (may be
>Is there a way to configure so that control is forwarded to the configured
>page in this case?
>Currently I have Error 400 handler in which if requested URL is
>'j_security_check' then I redirect to the desired page (secured page). But
>tomcat somehow doesn't keep authenticated principal and again presents
>Any help is very much appreciated.
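
The sequence discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: a simplified Python model of the container-side FORM login state as the reply above describes it. The `Container` class, the URLs and the credentials are constructed for illustration.

```python
# Simplified model of container FORM login as described in the reply; not Tomcat source.
USERS = {"amol": "s3cret"}          # constructed credentials
SECURED = {"/app/report"}           # constructed protected URL


class Container:
    def __init__(self):
        self.sessions = {}          # session id -> {"saved": url, "principal": name}
        self.next_id = 0

    def _session(self, sid):
        # Unknown or expired ids get a fresh, empty session (earlier state is lost).
        if sid not in self.sessions:
            self.next_id += 1
            sid = f"S{self.next_id}"
            self.sessions[sid] = {"saved": None, "principal": None}
        return sid, self.sessions[sid]

    def expire_all(self):
        # Restart without working session persistence, or a session timeout.
        self.sessions.clear()

    def handle(self, sid, method, path, form=None):
        sid, s = self._session(sid)
        if path == "/app/j_security_check" and method == "POST":
            if s["saved"] is None:
                # No record of a protected request: treated as direct access.
                return sid, 400, None
            if USERS.get(form["j_username"]) != form["j_password"]:
                return sid, 200, "error page"
            s["principal"], target = form["j_username"], s["saved"]
            s["saved"] = None
            return sid, 302, target
        if path in SECURED and s["principal"] is None:
            s["saved"] = path       # remember where the user was going
            return sid, 200, "login form"
        return sid, 200, f"content of {path}"


def replay_thread_scenario():
    c, creds = Container(), {"j_username": "amol", "j_password": "s3cret"}
    sid, *step1 = c.handle(None, "GET", "/app/report")              # login form shown
    c.expire_all()                                                   # restart / timeout
    sid, *step3 = c.handle(sid, "POST", "/app/j_security_check", creds)
    sid, *handler = c.handle(sid, "GET", "/app/report")             # error-handler redirect
    sid, *retry = c.handle(sid, "POST", "/app/j_security_check", creds)
    return step1, step3, handler, retry
```

In this model the stale POST is rejected before the credentials are evaluated, so the error handler's redirect reaches the secured URL on a session with no principal and the form is shown again; only the second submission, made against a session that holds a saved request, succeeds.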
