tomcat-users mailing list archives
From Pid...@pidster.com>
Subject Re: j_security_check redirect after login
Date Fri, 09 Nov 2007 08:39:41 GMT
Nicholas Sushkin wrote:
> On Thursday 08 November 2007, you wrote: 
> 
>> The question I had was what happens when you directly request the login
>> form and successfully login.
> 
> Tomcat will give you an error page saying something along the lines "the 
> login page was accessed directly". It won't let you login successfully. 
> Tomcat does not know where to redirect you.
> 

Easiest way to prevent direct access of the login page is to put it
somewhere inaccessible, like "WEB-INF/login/form.jsp".  Tomcat
authentication valves will still forward to the page, but it won't be
available to request.


It still won't prevent attempts to access the submission URL
(j_security_check) directly, which causes the 'invalid direct reference
to login form' error that has been referred to, earlier in the thread.

This is usually the result of requesting a protected page, then not
submitting the form until session timeout has occurred, after which the
original saved request may have been purged.


There's another variation, where "/protected/resource/j_security_check"
is accessed by GET and is assigned as the URL of the saved request,
which on restore produces a 404.  I've seen this in our logs, but am
not sure how it occurs.


p

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
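Added example (not from the thread or from Tomcat's own documentation): a web.xml deployment descriptor that applies the advice above, keeping the login and error forms under WEB-INF so the container can forward to them but a client cannot request them directly. The paths /WEB-INF/login/form.jsp and /WEB-INF/login/error.jsp, the /protected/* path, the role name and the timeout value are assumptions chosen for illustration; the form-login-config, security-constraint and session-config elements are standard servlet-spec descriptor elements.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Assumed example constraint: everything under /protected/ requires
       an authenticated user in the (assumed) role "user". A request here
       without a session triggers the form login and saves the original
       request so it can be replayed after j_security_check succeeds. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM authentication. Both pages live under WEB-INF: the container's
       form authenticator forwards to them internally, but a direct browser
       request for /WEB-INF/login/form.jsp is refused, which removes the
       "accessed the login page directly" case discussed in the thread.
       The form itself must POST to j_security_check with fields named
       j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm (assumed name)</realm-name>
    <form-login-config>
      <form-login-page>/WEB-INF/login/form.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Assumed value. The saved request lives in the session; if the user
       leaves the form open past this timeout and then submits, the session
       (and the saved request) are gone and j_security_check is effectively
       hit directly, producing the error described above. Lengthening this
       trades a larger window for idle sessions against fewer such errors. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

</web-app>
```

The login form under /WEB-INF/login/form.jsp should use a relative action ("j_security_check") rather than an absolute one, so that the POST resolves against the protected URL the container forwarded from; an absolute action pointing elsewhere is one way to end up with the stray "/protected/resource/j_security_check" saved-request variant mentioned in the thread, though the thread itself does not establish its cause.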

