tomcat-users mailing list archives

From "Gregor Schneider" <>
Subject j_security_check-behaviour - looking for workaround
Date Mon, 01 Dec 2008 12:15:37 GMT
Hi there,

We're running some websites which are heavily framed (unfortunately)
using IFrames.

Authorization is done via FormBased Auth using Tomcat's built-in

However, this is giving us some headaches when an application times out.

As you may know, j_security_check operates in the following way:

Pre-Condition: Authorization for web-app has timed out

- the requested URL is sent to Tomcat
- Tomcat delegates the request to j_security_check to authorize the request
- j_security_check stores the originally requested URL
- j_security_check forwards to a defined form to request userid / password
- if authorization is OK, j_security_check will forward to the URL
which was initially requested.

Sounds good so far, hm?

However, if you have a webapp working with frames, this scenario does not work.

Imagine a webpage having this structure:

<some html here changing the source of the iframe - a menu i.e.>
<iframe src="../../../index.htm">
<some more html there>

Now if the session times out and the user clicks on the menu, the URL
requested is the source of the IFrame.
After being authorized by j_security_check, it's forwarded to said URL,
with the consequence that the menu (in this example) is missing,
as is all the other HTML "wrapped around" the IFrame.

I know that using frames actually is a no-go in web-design, however,
due to budgetary reasons a complete re-design using CSS is not an

Now my question:

Does any of you have a clue how to work around this problem?

My first thought was to generate a JavaScript on top of each page
making sure it's called within an IFrame, however, I dislike this.

My preferred solution would be that j_security_check always forwards
to "/index.html" after authenticating:

I tried to write a servlet that would use chaining and forward to
"/index.html", however, j_security_check simply ignores that and
forwards to the URL originally requested.

Now enlarge your personal karma and be so kind to post some
suggestions, please ;)


what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @
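The "JavaScript on top of each page" idea the post mentions, written out as an added example (not code from the original message or from Tomcat): a page that is meant to live inside the IFrame checks whether it has been loaded as the top-level document, which is exactly what happens after j_security_check redirects to the saved IFrame URL, and if so sends the browser to the wrapper page. The `target` query parameter, the `frameRedirectTarget`/`ensureFramed` names and the window-shaped objects used for testing are assumptions for illustration; "/index.html" is the wrapper URL from the post.

```javascript
// Added example, not from the original post or from Tomcat.
// Wrapper page from the post; every framed page should redirect here when it
// finds itself loaded outside the IFrame.
const WRAPPER_URL = "/index.html";

// Pure decision function so the logic can be exercised without a browser.
// `win` is anything shaped like window: { top, self, location: { pathname, search } }.
// Returns the URL to redirect to, or null when no redirect is needed.
function frameRedirectTarget(win, wrapperUrl = WRAPPER_URL) {
  const isTopLevel = win.top === win.self;
  // Still inside a frame, or already on the wrapper itself: do nothing
  // (the second check avoids a redirect loop on the wrapper page).
  if (!isTopLevel || win.location.pathname === wrapperUrl) return null;
  // Hand the page the user actually asked for back to the wrapper so it can
  // load that page into the IFrame again ("target" is an assumed parameter
  // name). Only the page's own path and query are used, never request input,
  // so this cannot be turned into an open redirect.
  const wanted = win.location.pathname + (win.location.search || "");
  return wrapperUrl + "?target=" + encodeURIComponent(wanted);
}

// Browser entry point: include at the top of every framed page.
function ensureFramed(win) {
  const target = frameRedirectTarget(win);
  if (target !== null) win.top.location.replace(target);
  return target;
}

// Run automatically when loaded in a real browser.
if (typeof window !== "undefined") ensureFramed(window);
```

Because the script runs before the rest of the framed page renders, the user sees the wrapper (menu and surrounding HTML) reappear with the requested page reloaded into the IFrame; the wrapper page itself has to read the `target` parameter and set it as the IFrame's `src`, and should only accept same-origin paths when doing so.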
