tomcat-users mailing list archives

Subject Re: j_security_check redirect after login
Date Fri, 09 Nov 2007 08:39:41 GMT
Nicholas Sushkin wrote:
> On Thursday 08 November 2007, you wrote: 
>> The question I had was what happens when you directly request the login
>> form and successfully login.
> Tomcat will give you an error page saying something along the lines "the 
> login page was accessed directly". It won't let you login successfully. 
> Tomcat does not know where to redirect you.

Easiest way to prevent direct access of the login page is to put it
somewhere inaccessible, like "WEB-INF/login/form.jsp".  Tomcat
authentication valves will still forward to the page, but it won't be
available to request.

It still won't prevent attempts to access the submission URL
(j_security_check) directly, which causes the 'invalid direct reference
to login form' error that was referred to earlier in the thread.

This is usually the result of requesting a protected page, then not
submitting the form until session timeout has occurred, after which the
original saved request may have been purged.

There's another variation, where "/protected/resource/j_security_check"
is accessed by GET and is assigned as the URL of the saved request,
which on restore produces a 404.  I've seen this in our logs, but am
not sure how it occurs.
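As an added example (not from this thread or from Tomcat's own documentation), a web.xml fragment showing the WEB-INF placement described above; the URL pattern, realm name, role and file names are assumptions:

```xml
<!-- web.xml fragment (added example). /protected/*, the realm name,
     the "user" role and the JSP file names are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example realm</realm-name>
  <form-login-config>
    <!-- Weak placement: /login/form.jsp would be requestable directly,
         and a login submitted from such a request has no saved request
         to return to. Under WEB-INF the container still forwards to the
         page internally, but a client GET of /WEB-INF/login/form.jsp is
         refused (404), so the form is only reached via the challenge. -->
    <form-login-page>/WEB-INF/login/form.jsp</form-login-page>
    <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

The form in form.jsp must POST to `j_security_check` (relative to the originally requested URL) with the standard `j_username` and `j_password` fields; a session that expires before the form is submitted still yields the direct-reference error described above, so a short session timeout combined with a slow login will reproduce it.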

