tomcat-users mailing list archives

From "Propes, Barry L " <barry.l.pro...@citi.com>
Subject RE: that old problem - Invalid direct reference to form login page
Date Tue, 15 Apr 2008 14:59:39 GMT
You'd be surprised. I've got about 130 users on an app here, and we require them to change
their password every 90 days.

There are about 9-10 people who ALWAYS get flagged, but from THEIR machine! One girl cleared
out her cache and it worked. The rest of them? We had them clear out their disk cache, their
temp files, reboot, everything, and they still get this.

And the odd thing is, I added a second page with the same params to try and "fool Tomcat,"
to no avail. Strangely enough though, they can appropriately get to other files and pages
in the secure realm, just not that one.

So I send those people a non-protected link and let them change it.

One thing I didn't try which probably would make zero difference is dropping a package and
then reimporting it and rebuilding. Like I said, I'm sure it wouldn't help, but I don't know
why some people could get there and others not, and a couple were helped by clearing browser
cache and others still not.

-----Original Message-----
From: Michael Teter [mailto:mt.devlist@gmail.com]
Sent: Tuesday, April 15, 2008 6:30 AM
To: Post-to Tomcat Users
Subject: that old problem - Invalid direct reference to form login page


Howdy.

I've just spent two hours Googling, Yahooing, and searching the Tomcat list
for a fix for this problem:

PROBLEM (with steps leading to)

I attempt to access a private page (myview.jsp)
Tomcat 5.5 properly sends me to login.jsp
I enter my username/password, submit, and my JNDIRealm LDAP lookup is made
I get the error page:
  HTTP Status 400 - Invalid direct reference to form login page

This is a pretty simple case.  Everything I've seen on forums related to
this problem focus on the idea that the user has directly requested the
login page.  I absolutely haven't done that.

I've tried adding some stuff to the top of the login.jsp (as per a
suggestion on one of the Sun forums) to send the request elsewhere if the
session exists.  I've explored a lot of things, but it still makes no sense
to me.

My best guess is that there's something wrong with my Realm definition in
server.xml, or in my security stuff in web.xml.  So for reference, here are
the interesting bits of each:

----- server.xml ----
        <Context path="/ui2"
             docBase="C:\work\ui2"
             privileged="true"
             reloadable="true"
             cookies="true"
             debug="true">
          <Realm className          = "org.apache.catalina.realm.JNDIRealm"
                 debug              = "99"
                 connectionURL      = "ldap://192.168.223.129:3268"
                 connectionName     = "vm2003\ldapqueryuser"
                 connectionPassword = "supersecret"
                 referrals          = "follow"
                 userBase           = "dc=vm2003,dc=local"
                 userSearch         = "(sAMAccountName={0})"
                 userSubtree        = "true"
                 digest             = "MD5"
                 roleBase           = "dc=vm2003,dc=local"
                 roleName           = "cn"
                 roleSubtree        = "true"
                 roleSearch         = "(member={0})"
            /> <!-- end of realm -->

         ...
        </Context> <!-- end of context -->

----- web.xml ----

...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ui2users</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-failure.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>ui2users</role-name>
    </security-role>

 ...

__________________

I've spent time in books on safari.oreilly, reading countless tutorials and
docs online, and I'm at a dead end.

I surely hope someone sees where I've made a mistake.

Thanks,
Michael

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
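The sequence both posters describe (protected page requested, login form shown, credentials posted to j_security_check, then either a redirect or the 400) is easier to reason about as a state machine. The following is an added example, not code from the thread or from Tomcat: a constructed, simplified model of the container's FORM-login logic, using the URLs, role name and error text from the posted web.xml and message. It assumes (as FormAuthenticator does) that the original request is remembered in the session when the form is shown, and that a valid login arriving on a live session with nothing remembered is what produces "Invalid direct reference to form login page"; the separate session-expired branch is included as an assumption. The credential store, session ids and users are constructed stand-ins for the JNDIRealm LDAP lookup.

```python
"""Constructed model of the Tomcat FORM-authentication flow from the thread.

Shows why a valid login can still end in 400: the session exists (so the
credentials were checked), but it holds no saved request to return to,
e.g. because login.jsp was opened directly and the JSP created the session.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

LOGIN_PAGE = "/login.jsp"          # <form-login-page> from the posted web.xml
ERROR_PAGE = "/login-failure.jsp"  # <form-error-page>
FORM_ACTION = "/j_security_check"  # servlet-spec form action
REQUIRED_ROLE = "ui2users"         # <auth-constraint><role-name>

# Constructed credential store standing in for the JNDIRealm LDAP lookup.
USERS = {"alice": ("correct horse", {"ui2users"}),
         "bob": ("battery staple", set())}   # authenticates but lacks the role


@dataclass
class Session:
    sid: str
    saved_request: Optional[str] = None  # set only when the form was shown for a protected URL
    principal: Optional[str] = None
    roles: set = field(default_factory=set)


class Container:
    """One web application whose <url-pattern> is /* (assumed simplification)."""

    def __init__(self):
        self.sessions = {}
        self._ids = count(1)

    def _new_session(self) -> Session:
        s = Session(sid=f"JSESSIONID-{next(self._ids)}")  # constructed id
        self.sessions[s.sid] = s
        return s

    def handle(self, method, path, cookie=None, form=None):
        """Return (status, page_or_location_or_message, set_cookie)."""
        session = self.sessions.get(cookie) if cookie else None
        form = form or {}

        if path == FORM_ACTION and method == "POST":
            # Credentials are checked first; this is where the LDAP lookup happens.
            user, pw = form.get("j_username"), form.get("j_password")
            if user not in USERS or USERS[user][0] != pw:
                return 200, ERROR_PAGE, None   # forwarded to <form-error-page>
            if session is None:
                return 408, "session expired before login completed", None
            if session.saved_request is None:
                # Valid login, live session, but nothing to return to.
                return 400, "Invalid direct reference to form login page", None
            session.principal, session.roles = user, USERS[user][1]
            target, session.saved_request = session.saved_request, None
            return 302, target, None

        if path in (LOGIN_PAGE, ERROR_PAGE):
            # Form and error pages are reachable without authentication; a JSP
            # creates a session by default, so a direct visit yields a session
            # with no saved request.
            set_cookie = None
            if session is None:
                session = self._new_session()
                set_cookie = session.sid
            return 200, path, set_cookie

        # Everything else matches /* and needs an authenticated ui2users principal.
        if session and session.principal:
            return (200, path, None) if REQUIRED_ROLE in session.roles else (403, path, None)
        set_cookie = None
        if session is None:
            session = self._new_session()
            set_cookie = session.sid
        session.saved_request = path   # remembered for the post-login redirect
        return 200, LOGIN_PAGE, set_cookie


def normal_login():
    """Protected page -> form -> j_security_check -> redirect -> page."""
    c = Container()
    status, page, sid = c.handle("GET", "/myview.jsp")
    steps = [(status, page)]
    status, location, _ = c.handle("POST", FORM_ACTION, sid,
                                   {"j_username": "alice", "j_password": "correct horse"})
    steps.append((status, location))
    steps.append(c.handle("GET", location, sid)[:2])
    return steps


def bookmarked_login_page():
    """login.jsp opened directly (session created, nothing saved), then a valid login."""
    c = Container()
    _, _, sid = c.handle("GET", LOGIN_PAGE)
    return c.handle("POST", FORM_ACTION, sid,
                    {"j_username": "alice", "j_password": "correct horse"})[:2]


def cookie_not_sent():
    """Form shown normally, but the browser does not send the session cookie back."""
    c = Container()
    c.handle("GET", "/myview.jsp")
    return c.handle("POST", FORM_ACTION, None,
                    {"j_username": "alice", "j_password": "correct horse"})[:2]


def wrong_password():
    c = Container()
    _, _, sid = c.handle("GET", "/myview.jsp")
    return c.handle("POST", FORM_ACTION, sid, {"j_username": "alice", "j_password": "nope"})[:2]


if __name__ == "__main__":
    print("normal:", normal_login())
    print("bookmarked login page:", bookmarked_login_page())
    print("cookie not sent:", cookie_not_sent())
    print("wrong password:", wrong_password())
```

The useful diagnostic this model suggests for the "always flagged" users is to look at what created their session before the POST: a bookmark to login.jsp, or any unprotected page that starts a session, gives a live session with no saved request, and clearing the browser state only helps if it also drops that stale cookie.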

