From: Pid <p@pidster.com>
Date: Fri, 09 Nov 2007 08:39:41 +0000
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: j_security_check redirect after login
Message-ID: <47341CCD.4030601@pidster.com>
In-Reply-To: <200711090043.16781.nsushkin@openfinance.com>
References: <1D5C148F9259BC47BC3CBD2F76ABA2059A60F7@email002.lsu.edu> <200711090043.16781.nsushkin@openfinance.com>

Nicholas Sushkin wrote:
> On Thursday 08 November 2007, you wrote:
>
>> The question I had was what happens when you directly request the login
>> form and successfully login.
>
> Tomcat will give you an error page saying something along the lines "the
> login page was accessed directly". It won't let you login successfully.
> Tomcat does not know where to redirect you.
>

Easiest way to prevent direct access of the login page is to put it somewhere inaccessible, like "WEB-INF/login/form.jsp". Tomcat authentication valves will still forward to the page, but it won't be available to request.

It still won't prevent attempts to access the submission URL (j_security_check) directly, which causes the 'invalid direct reference to login form' error that has been referred to earlier in the thread. This is usually the result of requesting a protected page, then not submitting the form until session timeout has occurred, after which the original saved request may have been purged.

There's another variation, where "/protected/resource/j_security_check" is accessed by GET and is assigned as the URL of the saved request, which, on restore, produces a 404. I've seen this in our logs, but am not sure how it occurs.

p