tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: j_security_check
Date Tue, 02 Dec 2008 18:29:05 GMT

Martin,

Martin Dubuc wrote:
> I finally managed to get the sessions to time out after 1 minute.

What did you have to change?

> Here is the security-constraint definition:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>
>                 Page constraints for users
>             </web-resource-name>
>             <url-pattern>/index.html</url-pattern>
>             <url-pattern>/main.jsf</url-pattern>
>             <url-pattern>/stylesheet.css</url-pattern>
>             <url-pattern>/images/*</url-pattern>
>             <url-pattern>/logOut.jsf</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>myrole</role-name>
>         </auth-constraint>

Does your login page attempt to display any of these files? Perhaps an
image or your stylesheet? If so, this isn't going to work properly and
you'll get a bunch of requests that all get sent to the login page after
a session timeout.

> Here is the access log:

Care to point out when the session expires?

> 192.168.0.110 - admin [02/Dec/2008:17:13:13 +0000] "POST
> /manager/html/sessions?path=/system HTTP/1.1" 200 5114

It looks like you wait for 15 minutes, here, and then there's another
request:

> 192.168.0.110 - admin [02/Dec/2008:17:28:01 +0000] "POST
> /manager/html/sessions?path=/system HTTP/1.1" 200 4436
> 192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /sessionTimeout.jsf
> HTTP/1.1" 200 2614

Was this request for /sessionTimeout.jsf done from your javascript code,
or by you typing something into the URL bar of your browser?

> 192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET
> /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf
> HTTP/1.1" 200 6857
> 192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET
> /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf
> HTTP/1.1" 200 4134
> 192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET
> /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf
> HTTP/1.1" 200 1164

Are any of the above requests related to the problem you are observing?

> 192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /favicon.ico HTTP/1.1"
> 200 21630
> 192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "POST /j_security_check
> HTTP/1.1" 400 1100

This is obviously where you get the 400 response. Which request resulted
in the login page being shown in the first place?

-chris
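
The check raised in the reply above (does the login page load anything covered by the quoted security-constraint?), as an added example that is not part of the original message. The login page's resource list is an assumption, and the XML is the quoted fragment closed so that it parses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the thread, with closing tags added.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Page constraints for users</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    <url-pattern>/main.jsf</url-pattern>
    <url-pattern>/stylesheet.css</url-pattern>
    <url-pattern>/images/*</url-pattern>
    <url-pattern>/logOut.jsf</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>myrole</role-name></auth-constraint>
</security-constraint></web-app>"""

# Hypothetical list of what the login page itself requests.
LOGIN_PAGE_RESOURCES = ["/login.jsf", "/stylesheet.css",
                        "/images/logo.png", "/favicon.ico"]

def local(tag):
    """Drop an XML namespace prefix such as '{http://...}url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: exact, '/prefix/*', '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def protected_patterns(web_xml):
    """url-patterns of every security-constraint that has an auth-constraint."""
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "security-constraint":
            continue
        if "auth-constraint" not in {local(c.tag) for c in el}:
            continue
        for p in el.iter():
            if local(p.tag) == "url-pattern":
                yield p.text.strip()

def blocked_login_resources(web_xml, resources):
    """Map each login-page resource to the protected patterns that cover it.
    Simplification: any match counts; http-method and best-match precedence
    between several constraints are not modelled."""
    pats = list(protected_patterns(web_xml))
    hits = {r: [p for p in pats if pattern_matches(p, r)] for r in resources}
    return {r: m for r, m in hits.items() if m}
```

Any resource this reports would need an authenticated session before the container serves it, so an unauthenticated login page requesting it triggers another trip to the login page.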
