tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: invalid reference to login form
Date Fri, 25 May 2007 21:23:20 GMT

Propes, Barry L wrote:
> They oddly enough can access certain pages within the directory of 
> this application, by logging in appropriately through the form. 
> However, another file in the same directory gives them this error - 
> "Invalid Direct reference to Form Login page."

That usually means that Tomcat thinks the user has tried to send a
j_username and j_password to /j_security_check without having previously
been challenged by a login page.

My understanding is that Tomcat implements container-managed
authentication somewhat like this:

1. Request for protected resource comes in (assume no creds, yet)
2. Tomcat creates a session, associates it with a "wants login" request,
   stores the original request, and displays the login page
3. Request to /j_security_check comes in, auth is performed,
   original request is then sent to the application

This works relatively well in most situations. However, if enough time
goes by between #2 and #3, the session times out and TC loses the "wants
login" notation (whatever that means), as well as the original request.

If you then try to login, TC basically says "I never asked this guy to
login, so this must be an invalid login", and you get this message. :(

> on that note, it's also showing "The request sent by the client was 
> syntactically incorrect."

I think that's a red herring, actually. TC is probably liberally using
an HTTP status code that could mean lots of different things.

> I'm having some users get this error reaching a portion of the 
> secured section of my app.

Is it always the same users? Is it always the same place?

> Does anyone know what could be at work here causing this?

I think you might get this error if you don't run your form action
(j_security_check) through HttpServletResponse.encodeURL and the user is
not using cookies. I think this will basically prevent logins for
cookieless people (but I could be remembering wrong).

If you run out of patience (as I did) with Tomcat's authentication, you
can look at securityfilter ( which
emulates container-managed authentication and authorization and allows
things like logging-in directly without first being challenged by the

- -chris
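The three-step flow and the two failure modes Chris describes (the session timing out between the challenge and the POST to j_security_check, and a cookieless client whose form action was not passed through encodeURL) can be seen end to end in the following Python model. It is an illustration added to this page, not Tomcat's code and not something from the thread: the paths, the 30-minute idle timeout, the demo credentials and the session-id format are constructed assumptions, the error string is copied from the wording quoted in the thread, and the realm's password check is stood in for by a constant-time string compare.

```python
"""Toy model of the container-managed FORM login flow described above.

Added illustration for this page, not Tomcat's own code.  Session ids,
paths, timeout and credentials below are constructed assumptions.
"""
import hmac
import re
import secrets

SESSION_TIMEOUT = 30 * 60          # idle timeout in seconds (assumed; 30 min is a common default)
PROTECTED_PREFIX = "/app/secure/"  # constructed protected area
LOGIN_ACTION = "j_security_check"
VALID_USERS = {"barry": "s3cret"}  # constructed demo credentials
INVALID_DIRECT = "Invalid direct reference to form login page"   # wording as quoted in the thread


class Container:
    """Minimal stand-in for the container's form authenticator."""

    def __init__(self):
        # session id -> {"last_access": t, "saved_request": path or None, "user": name or None}
        self.sessions = {}

    def _session(self, path, cookies, now):
        """Locate the session by JSESSIONID cookie or ';jsessionid=' path parameter.
        A session idle longer than SESSION_TIMEOUT is dropped, and with it the
        saved request: this is the step-2-to-step-3 timeout from the message."""
        m = re.search(r";jsessionid=([0-9a-f]+)", path)
        sid = cookies.get("JSESSIONID") or (m.group(1) if m else None)
        sess = self.sessions.get(sid)
        if sess is None:
            return None, None
        if now - sess["last_access"] > SESSION_TIMEOUT:
            del self.sessions[sid]
            return None, None
        sess["last_access"] = now
        return sid, sess

    @staticmethod
    def encode_url(url, sid):
        """What HttpServletResponse.encodeURL does for a client without cookies:
        carry the session id as a path parameter."""
        return f"{url};jsessionid={sid}"

    def handle(self, path, cookies=None, form=None, now=0, use_encode_url=True):
        """Return (status, body, set_cookie); set_cookie is the JSESSIONID offered."""
        cookies = cookies or {}
        bare = path.split(";", 1)[0]
        sid, sess = self._session(path, cookies, now)

        if bare.endswith("/" + LOGIN_ACTION):
            # Step 3.  Credentials arrived but there is no saved request, so we
            # never challenged this client: the POST is refused.
            if sess is None or sess["saved_request"] is None:
                return 400, INVALID_DIRECT, None
            form = form or {}
            user, pw = form.get("j_username"), form.get("j_password")
            if (user not in VALID_USERS or pw is None
                    or not hmac.compare_digest(VALID_USERS[user], pw)):
                return 401, "login failed", None
            sess["user"] = user
            original, sess["saved_request"] = sess["saved_request"], None
            return 302, original, None          # replay the original request

        if bare.startswith(PROTECTED_PREFIX):
            if sess is not None and sess["user"]:
                return 200, f"protected content of {bare} for {sess['user']}", None
            # Steps 1 and 2.  Remember the original request in a (new) session
            # and show the login form instead of the resource.
            if sess is None:
                sid = secrets.token_hex(16)
                sess = self.sessions[sid] = {"last_access": now, "saved_request": None, "user": None}
            sess["saved_request"] = bare
            action = self.encode_url(LOGIN_ACTION, sid) if use_encode_url else LOGIN_ACTION
            return 200, f'<form method="POST" action="{action}">', sid

        return 200, f"public content of {bare}", None


def simulate_login(cookies_enabled=True, delay=0, use_encode_url=True):
    """Drive one client through the three steps; return the final (status, body)."""
    container = Container()
    jar = {}
    path = "/app/secure/report.jsp"
    status, body, sid = container.handle(path, jar, now=0, use_encode_url=use_encode_url)
    if cookies_enabled:
        jar["JSESSIONID"] = sid           # a cookieless browser simply drops it
    action = re.search(r'action="([^"]+)"', body).group(1)
    # A relative action resolves against the URL the browser is showing, which
    # is still the original request because the login page was forwarded to.
    post_path = path.rsplit("/", 1)[0] + "/" + action
    creds = {"j_username": "barry", "j_password": "s3cret"}
    status, body, _ = container.handle(post_path, jar, form=creds, now=delay,
                                       use_encode_url=use_encode_url)
    return status, body


if __name__ == "__main__":
    print("normal:              ", simulate_login())
    print("timed out session:   ", simulate_login(delay=SESSION_TIMEOUT + 1))
    print("no cookies, bare URL:", simulate_login(cookies_enabled=False, use_encode_url=False))
    print("no cookies, encoded: ", simulate_login(cookies_enabled=False))
```

Running it shows the normal flow and the cookieless-with-encodeURL flow both ending in a redirect to the saved request, while the timed-out session and the cookieless-without-encodeURL case both end in the 400 "invalid direct reference" response, because in each of those the container has no saved request to associate with the POST. The practical checks this suggests for the login page are that its form action is rendered through response.encodeURL and that the page is only reached through the container's challenge rather than opened directly.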


