tomcat-users mailing list archives

From David Smith <>
Subject Re: [TC 5.0.25] Posting directly to j_security_check
Date Thu, 15 Nov 2007 16:36:24 GMT
j_security_check should never be directly referenced.  Clients should be 
requesting a secured resource.  Tomcat then saves the request and 
forwards the client to the login page (specified in WEB-INF/web.xml) 
which in turn submits authentication information to j_security_check.  
Then Tomcat restores the original request and forwards the client to 
the originally requested resource.  This is all per the servlet spec.

In other words, don't have anyone attempt to use your login page directly 
as it won't work.  When the login page hits j_security_check, Tomcat 
won't have a stored request, will assume an old, timed-out login attempt, 
and will respond as you've described.


Rob Hunt wrote:

>I have a form on a page that posts directly to j_security_check:
>    <form method="post" action="">
>        <input type="text" name="j_username" />
>        <input type="password" name="j_password" />
>    </form>
>When the POST request is received by, it kicks back a 408
>response code and this message:
>"The time allowed for the login process has been exceeded. If you wish to
>continue you must either click back twice and re-click the link you
>requested or close and re-open your browser"
>Now I know it's choking because no session has been established.  But why
>doesn't j_security_check authenticate first and then attempt to set
>session/cookies?  Does anyone have a FORM based login workaround for this?
>Second question, what source module implements j_security_check?
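
The flow described in this message, as an added example that is not part of the original thread or Tomcat's own code: a Servlet 2.4 WEB-INF/web.xml that protects a URL pattern with FORM authentication. The paths /protected/*, /login.jsp, /login-error.jsp and the role name "member" are assumptions chosen for illustration.

```xml
<!-- Added example: WEB-INF/web.xml for FORM authentication (Servlet 2.4,
     the spec level of Tomcat 5.0). Paths and the role name "member" are
     assumptions, not values from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- 1. Clients link to a URL under this pattern, never to the login page.
          An unauthenticated request for it is saved by the container. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 2. The container forwards the client to form-login-page. The form on
          that page posts j_username and j_password to the relative URL
          j_security_check.
       3. On success the container restores the request saved in step 1.
          If the login page was opened directly, there is no saved request
          and the POST gets the 408 response quoted in this thread. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced in auth-constraint must be declared here. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```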
