tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Problem with form based JSP authentication using Firefox with Tomcat
Date Tue, 04 Sep 2007 19:17:55 GMT

Try putting all of the Cache-Control commands inline, comma separated:

<meta http-equiv="Cache-Control" 
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">

You can also set the headers:

response.setDateHeader("Expires", -1);

I'm not sure of the implications of using /login.jsp?error=true as an 
error page - though it was recently discussed on this list, you may wish 
to search the archives.

I usually place my login pages out of the way:


so they can't be accessed directly.


(tip: send plain text mail to avoid crazy formatting)

Luke McMahon wrote:
> Hi there, I'm new to the list, just having some trouble getting my authentication to
work with Firefox. I'm trying to protect access to a member area in my new website, and am
just using the built in form based security for now. I'm using Tomcat 6.0.14, IE7 and Firefox attempting to access the member area (/members/) the user is to be redirected
to /login.jsp. The error page is the same but with a parameter (/login.jsp?error=true). When
using IE7, all of this works just fine and after successful login, the user is sent to /members/When
using Firefox, when everything is freshly built it works the first time. If I then log out
(using session.invalidate() and being redirected to the home page) and log in again it stopsworking.
After a successful login the user is presented not with the /members/ page, but with the login
page again. Hitting refresh actually gives us the page we're after, so it seems to be caching
thelogin page 'as' the /members/ page.  ------------
------------------------------Here is a section from my web.xml:-------------------------------------------
 <security-constraint>   <display-name>Member Access</display-name>   <web-resource-collection>
   <web-resource-name>Member Access Area</web-resource-name>    <url-pattern>/members/*</url-pattern>
   <http-method>DELETE</http-method>    <http-method>GET</http-method>
   <http-method>POST</http-method>    <http-method>PUT</http-method>
  </web-resource-collection>   <auth-constraint>    <role-name>administrator</role-name>
   <role-name>member</role-name>    <role-name>student</role-name></auth-constraint>
 </security-constraint>  <login-config>   <auth-method>FORM</auth-method>
  <realm-name>Member Area</realm-name>   <form-login-config>    <form-login-page>/login.jsp</form-login-page>
   <form-error-page>/login.jsp?error=true</form-error-page>   </form-login-config>
 </login-config>  -----------------------------------------Here is my logout code:---------------------
> <% session.invalidate();response.sendRedirect("/"); %>   ----------------------------------------Here
is my login code:-----------------------------------------
> <form method="post" action='<%= response.encodeURL("j_security_check") %>' >
> <table border="0" cellspacing="5">
> <tr>
> <th align="right">Username:</th>
> <td align="left"><input type="text" name="j_username" /></td>
> </tr>
> <tr>
> <th align="right">Password:</th>
> <td align="left"><input type="password" name="j_password" /></td>
> </tr>
> <tr>
> <td align="right"><input type="submit" value="Log In" /></td>
> <td align="left"><input type="reset" /></td>
> </tr>
> </table></form> Note: I've tried putting the following code at the top of
my login.jsp and logout.jsp files but it doesn't seem to help:
> <%
> response.setHeader("Cache-Control","no-cache");
> response.setHeader("Cache-Control","no-store");
> response.setDateHeader("Expires", -1);
> response.setHeader("Pragma","no-cache");
> %> 
> Thanks very much for any assistance,
> Luke.        

View raw message