tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steven Rock" <st...@ecirkit.org>
Subject Form based authentication giving 400 error - strange behavior
Date Wed, 02 May 2007 18:29:55 GMT
Sorry for the long explanation but this is a tricky problem that has me
stumped. I hope someone else has experienced this. 

 

 

We are having a strange problem with FORM based authentication that we can't
figure out. It seems to be an issue with the tomcat
org.apache.catalina.authenticator.FormAuthenticator class. Can you please
pass this on to your tech team to find a solution?

 

Use Case #1: Works fine.

 

.         Type in protected resource into browser URL bar. Click enter key.
( http://mysite.com/app/mypage.jsp )

.         We are redirected to the login page. Enter username, password. Hit
enter.

.         We are taken to the original URL that we requested.

 

Use Case #2: Fails all the time

.         Visit a user's profile page. (profile.jsp). This is an unprotected
resource so you can view without loging in: ( http://
<http://%20mysite.com/app/Profile.jsp?name=ROCK>
mysite.com/app/Profile.jsp?name=ROCK )

.         Click on any action link or button on the page. These are all
disabled in "not logged in" mode. A dialog pop-up asks the user if they want
to login. 

.         Using javascript a protected resource URL is generated and then
(window.location.href = newAddress ) is set to the protected resource
string: (http://www.mysite.com/app/a.lookup?name=ROCK ). This URL is mapped
to a secured servlet.

.         The login page is presented to the user with the
http://www.mysite.com/app/a.lookup?name=ROCK URL showing in the browser url
bar.

.         Enter user/pass and click login -> This generates a 400 error with
message: Invalid direct reference to form login page. This URL is now
displayed in the URL bar: http://www.mysite.com/app/j_security_check

 

HTTP Status 400 - Invalid direct reference to form login page

  _____  

type Status report

message Invalid direct reference to form login page

description The request sent by the client was syntactically incorrect
(Invalid direct reference to form login page).

  _____  

Apache Tomcat/5.5.20

 

 

Use Case #2 Extended:

            Here is the real weird behavior.

.         After following all the steps in Use Case #2,  type in
http://mysite.com/app/mypage.jsp on the 400 error page and hit enter.

.         You are redirected back to the login page. Make sure username and
password are empty. Hit enter again. 

.         The control page NOW loads. The first login in user case #2
worked, but it didn't perform the redirect properly.

 

 

After adding these to log4j.xml I can see the problem from the log file, but
am not sure what is causing it. 

 

<category name="org.apache.catalina.authenticator">

      <priority value="DEBUG"/>

   </category>

   

 

   <category name="org.jboss.security.auth.spi">

      <priority value="DEBUG"/>

   </category>

   

 

Here is the log output for case 1:

Note the blue line, this is key in showing why case 2 is failing: 

 

11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling authenticate()

11:00:01,783 INFO  [STDOUT] 11:00:01,783 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting

11:00:01,783 INFO  [STDOUT] 11:00:01,783 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting

11:00:01,783 INFO  [STDOUT] 11:00:01,783 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending

11:00:01,783 INFO  [STDOUT] 11:00:01,783 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending

11:00:01,783 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Save request in session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'

11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Failed authenticate() test

11:00:01,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET /mysite/captcha

11:00:01,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Not subject to any constraint

11:00:08,939 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request POST /mysite/j_security_check

11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Authenticating username 'qq'

11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Authentication of 'qq' was successful

11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Redirecting to original '/mysite/'

11:00:08,939 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Failed authenticate() test ??/mysite/j_security_check

11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET /mysite/

11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling hasUserDataPermission()

11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling authenticate()

11:00:08,955 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Restore request from session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'

11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Authenticated 'qq' with type 'FORM'

11:00:08,955 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Proceed to restored request

11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling accessControl()

11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Successfully passed all security constraints

11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET /mysite/CP.jsp

11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We
have cached auth type FORM for principal GenericPrincipal[qq(user,)]

11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling hasUserDataPermission()

11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling authenticate()

11:00:09,017 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Already authenticated 'qq'

11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling accessControl()

11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Successfully passed all security constraints

11:00:09,017 INFO  [STDOUT] 11:00:09,017 DEBUG
[com.mysite.ejb.bean.MysiteUserBean] findUserByEmail(): Starting

11:00:09,017 INFO  [STDOUT] 11:00:09,017 DEBUG
[com.mysite.ejb.bean.MysiteUserBean] findUserByEmail(): Starting

11:00:09,017 INFO  [STDOUT] 11:00:09,017 DEBUG
[com.mysite.ejb.bean.MysiteUserBean] getConfigValue(): Starting: config key
= UserDBUtils_findUserByEmail

 

 Here is the output for case #2:

 

17:52:22,709 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET /mysite/a.lookup

17:52:22,709 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling hasUserDataPermission()

17:52:22,709 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Calling authenticate()

17:52:22,709 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Save request in session '923F8EA1684EBEB574BD0498B66B807C'

17:52:22,740 INFO  [STDOUT] 17:52:22,740 INFO
[com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Starting

17:52:22,772 INFO  [STDOUT] 17:52:22,740 INFO
[com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Starting

17:52:22,772 INFO  [STDOUT] 17:52:22,772 INFO
[com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Ending

17:52:22,772 INFO  [STDOUT] 17:52:22,772 INFO
[com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Ending

17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManager.Mysite]
CallbackHandler:
org.jboss.security.auth.callback.SecurityAssociationHandler@6d65fd

17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService]
Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@4301c9

17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManager.Mysite]
CachePolicy set to: org.jboss.util.TimedCachePolicy@12a375b

17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService]
setCachePolicy, c=org.jboss.util.TimedCachePolicy@12a375b

17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService]
Added Mysite, org.jboss.security.plugins.SecurityDomainContext@986c47 to map

17:52:22,787 INFO  [STDOUT] 17:52:22,787 ERROR [AppLogin.jsp] Caught Err:
java.lang.IllegalStateException: getAttribute: Session already invalidated

17:52:22,819 INFO  [STDOUT] 17:52:22,819 DEBUG [AppLogin.jsp] principle =
null: autoLogin = false: remoteUser = null

17:52:22,819 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Failed authenticate() test

17:52:22,928 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET /mysite/js/loginPage/loginPage1913M.js

17:52:22,928 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Not subject to any constraint

17:52:22,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET
/mysite/js/widget/popup/calendar/epoch_classes.js

17:52:22,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Not subject to any constraint

17:52:23,007 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request GET /mysite/captcha

17:52:23,007 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Not subject to any constraint

17:52:23,477 INFO  [STDOUT] 17:52:23,477 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting

17:52:23,477 INFO  [STDOUT] 17:52:23,477 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting

17:52:23,477 INFO  [STDOUT] 17:52:23,477 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending

17:52:23,477 INFO  [STDOUT] 17:52:23,477 INFO
[com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending

17:52:29,163 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Security checking request POST /mysite/j_security_check

17:52:29,163 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Authenticating username 'qq'

17:52:29,178 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Authentication of 'qq' was successful

17:52:29,178 DEBUG [org.apache.catalina.authenticator.FormAuthenticator]
Redirecting to original 'null'       ********** HERE IS THE PROLEM

17:52:29,178 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]
Failed authenticate() test ??/mysite/j_security_check

 

 

As you can see from the log files, Case #2 fails because the original
protected resource URL request was lost. 

 

 

 

This is the javascript function called when the login page submit is
clicked. 

 

function submitLogin(){

            var u = "";

            var p = "";

            var frm = getObject("frmLogin");

            try {

                  username = $("j_username").value,

                  password = $("j_password").value

            } catch (ex){

                  showMsg("Login Error", "Login email / password not
given.", true);

                  return;

            }           

            

            if(getObject('rememberMe').checked == true){

                  ajax.JSON_post( '/' + path + '/RememberMe.ucmd',

                        {

                              type : 'RememberMe',

                              username: username,

                              password: password

                        },

                        function (connectionInstance){

                              var response =
connectionInstance.responseObject;

                              if(response.success == true){

                              

                                    // create cookies here

                                    var expires = new Date();

                              expires.setTime(expires.getTime() + 24 * 30 *
60 * 60 * 1000); // sets it for approx 30 days.

                              setCookie("emailCookie", username, expires,
"");

                                    setCookie("passCookie", password,
expires, "");

                                    

                                    frm.submit();

                              } else {

                                    showMsg('Login Erorr',
response.errorMsg, true);

                              }

                        },

                        function (connectionInstance){

                        

                        }

                  );

            } else {

                  frm.submit();

            }

      }

 

 

 

We are using J2EE Form based Authentication. Under
jboss/server/default/conf/login-config.xml I have defined:

 

<application-policy name="Mysite">

      <authentication>

        <login-module
code="org.jboss.security.auth.spi.DatabaseServerLoginModule"

           flag="required">

          <module-option name="dsJndiName">java:/MysiteDS</module-option>

          <module-option name="principalsQuery">

            select passwd from user where email=?

          </module-option>

          <module-option name="rolesQuery">

            select role_name,'Roles' from user_role

            WHERE user_role.email=? 

          </module-option>

          <module-option name =
"unauthenticatedIdentity">AnonymousUser</module-option>

          <module-option name="debug">true</module-option>

        </login-module>

      </authentication>

    </application-policy> 

 

And in mysite project's web.xml file I have:

 

// This is repeated for the many resources we have protected, this is just
one example. 

<security-constraint>

            <web-resource-collection>

                  <web-resource-name>Protected Area</web-resource-name>

                  <!-- Define the context-relative URL(s) to be protected
-->

                  <url-pattern>/mypage.jsp</url-pattern>

                  <http-method>DELETE</http-method>

                  <http-method>GET</http-method>

                  <http-method>POST</http-method>

                  <http-method>PUT</http-method>

            </web-resource-collection>

            <auth-constraint>

                  <role-name>user</role-name>

            </auth-constraint>

            <user-data-constraint>

                  <transport-guarantee>NONE</transport-guarantee>

            </user-data-constraint>

      </security-constraint>

      

<!-- Default login configuration uses form-based authentication -->

 

<login-config>

      <auth-method>FORM</auth-method>

      <realm-name>Example Form-Based Authentication Area</realm-name>

      <form-login-config>

      <form-login-page>/jsp/login/AppLogin.jsp</form-login-page>

      <form-error-page>/jsp/LoginError.login?badLogin=1</form-error-page>


      </form-login-config>

</login-config>

 

 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message