tomcat-users mailing list archives

From samsina <sams...@gmail.com>
Subject Re: Tomcat 6.x security-constraint redirection problem... please help!
Date Wed, 14 Jan 2009 21:39:01 GMT

See inline...


Pid-2 wrote:
> 
> Martin Gainty wrote:
>> please display non-proprietary attributes of HTTPS (Port 8443 or 443)
>> Connector element values from %TOMCAT_HOME%/conf/server.xml
> 
> OP: Don't attempt to decipher or respond to the above, it's a red
> herring.  You could instead tell us exactly which 6.x you are using and
> on which OS.
I am running on Red Hat 3.4.6-2
> 
> There's a couple of things that may be confusing the config below, which
> have some simple corrections.
> 
> I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
> they are protected from unwanted attention by default - this avoids the
> need to protect them with a security-constraint.
> 
> You are also protecting "index.jsp" - which will force a login when the
> apps homepage is accessed, is this what you intended?
> 
Yes
> 
> Are you logging out programmatically, using the servlet method
> request.getSession().invalidate(), or are you just clearing cookies?
> 
I invalidate the session programmatically... correct.
> 
> Your primary problem sounds like you have placed some CSS or script
> files somewhere in a protected directory and the browser is requesting
> them without providing the correct authentication credentials.
> 
> Tomcat returns the *first* file you requested inside the secured area
> after authentication is completed.  So for some reason your browser is
> requesting a script or CSS file before the JSP page.
> 
> Are the script and CSS files in an unprotected directory?
> 
You are absolutely correct, basically the scenario is like this:
basically the page is including <link rel="stylesheet" type="text/css"
href="/app1/resources-folder/style.css" />
So the browser should apply the style to the page, but instead it outputs
the actual file to the browser. So it should apply the style.css from the jsp
file.

This scenario happens when I try to add the url-pattern in the security constraint
in web.xml (basically adding that module's patterns as I described in the first
post).
Otherwise, it works fine.
> 
> 
> 
> p
> 
>>> Date: Tue, 13 Jan 2009 17:03:08 -0800
>>> From: samsina@gmail.com
>>> To: users@tomcat.apache.org
>>> Subject: Tomcat 6.x security-constraint redirection problem... please
>>> help!
>>>
>>>
>>> I have defined two roles (admin, user)
>>>
>>>     <security-role>
>>>         <role-name>user</role-name>
>>>     </security-role>
>>>      <security-role>
>>>         <role-name>administrator</role-name>
>>>     </security-role>
>>>
>>> Each of these roles needs access to a separate module in my webapp. To
>>> achieve this, I have the following security-constraint in tomcat
>>> web.xml:
>>>
>>>   <security-constraint>
>>>         <web-resource-collection>
>>>             <web-resource-name>Authorized Access
>>> Area</web-resource-name>
>>>             <url-pattern>/index.jsp</url-pattern>
>>>             <url-pattern>/login.jsp</url-pattern>
>>>             <url-pattern>/error.jsp</url-pattern>
>>>             <url-pattern>/app1/*</url-pattern>
>>>             <url-pattern>*.jsp</url-pattern>
>>>         </web-resource-collection>
>>>         <auth-constraint>
>>>             <role-name>user</role-name>
>>>         </auth-constraint>
>>>     </security-constraint>
>>>
>>>     <security-constraint>
>>>         <web-resource-collection>
>>>             <web-resource-name>Authorized Access
>>> Area</web-resource-name>
>>>             <url-pattern>/index.jsp</url-pattern>
>>>             <url-pattern>/login.jsp</url-pattern>
>>>             <url-pattern>/error.jsp</url-pattern>
>>>             <url-pattern>/app2/*</url-pattern>
>>>         </web-resource-collection>
>>>         <auth-constraint>
>>>             <role-name>administrator</role-name>
>>>         </auth-constraint>
>>>     </security-constraint>
>>>
>>> consider the following steps:
>>>
>>> 1. Access the context/app1/app1action.jsp URL
>>> 2. I get prompted for credentials
>>> 3. I login as normal user, and on successful login I get redirected to
>>> the app1action.jsp page (desired behavior)
>>> 4. Now, I clear my cache & session authentication from the browser
>>> (firefox)
>>> 5. Browse to some link in the app1action.jsp page pointing to some other
>>> page, eg. context/app1/anotherpage.jsp
>>> 6. Now I get prompted to relogin
>>> 7. On successful login, I expect myself to get redirected to
>>> 'anotherpage.jsp'. But instead it redirects me to the resources (JS /
>>> img / css) that are included within 'anotherpage.jsp', eg.
>>> context/resources/sample.js or sample.css or sample.gif ....
>>>
>>> I spent a couple of days googling this issue with no luck.
>>>
>>> Can you please advise how to get properly redirected ?
>>>
>>> ~ Many Thanks
>>>
>>>
>>> -- 
>>> View this message in context:
>>> http://www.nabble.com/Tomcat-6.x-security-constraint-redirection-problem...-please-help%21-tp21448079p21448079.html
>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
> 

-- 
View this message in context: http://www.nabble.com/Tomcat-6.x-security-constraint-redirection-problem...-please-help%21-tp21448079p21465763.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
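As an added example (not code from this thread or from Tomcat itself), the Python below models the constraint lookup Pid describes, in the order Tomcat 6 applies it (exact url-pattern, then the longest "/dir/*" prefix, then "*.ext", then "/"), and runs it over the web.xml from the original post and over a second constraint set that follows his advice; that FIXED set and the /resources/ path are assumptions.

```python
"""Model of how Tomcat 6 selects the <security-constraint> entries for a path
(RealmBase.findSecurityConstraints). Roles of every constraint chosen at the
winning stage are combined: a user holding any one of them gets through."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    patterns: tuple      # <url-pattern> values of one web-resource-collection
    roles: frozenset     # <role-name> values of its auth-constraint


def _prefix_len(pattern: str, path: str) -> int:
    """Length of a matching '/dir/*' pattern, or -1 if it does not match."""
    if not (pattern.startswith("/") and pattern.endswith("/*")):
        return -1
    base = pattern[:-2]                      # "/app1/*" -> "/app1"
    hit = pattern == "/*" or path == base or path.startswith(base + "/")
    return len(pattern) if hit else -1


def _ext_match(pattern: str, path: str) -> bool:
    """'*.jsp' matches only when the last path segment ends in '.jsp'."""
    slash, dot = path.rfind("/"), path.rfind(".")
    return pattern.startswith("*.") and dot > slash and path[dot:] == pattern[1:]


def roles_for(constraints, path: str):
    """Roles allowed to fetch `path` (frozenset), or None when unprotected."""
    exact = [c for c in constraints if path in c.patterns]
    if exact:
        return frozenset().union(*(c.roles for c in exact))
    by_len = {}                              # prefix length -> constraints
    for c in constraints:
        best = max((_prefix_len(p, path) for p in c.patterns), default=-1)
        if best >= 0:
            by_len.setdefault(best, []).append(c)
    if by_len:                               # only the longest prefix wins
        return frozenset().union(*(c.roles for c in by_len[max(by_len)]))
    ext = [c for c in constraints if any(_ext_match(p, path) for p in c.patterns)]
    if ext:
        return frozenset().union(*(c.roles for c in ext))
    dflt = [c for c in constraints if "/" in c.patterns]
    return frozenset().union(*(c.roles for c in dflt)) if dflt else None


COMMON = ("/index.jsp", "/login.jsp", "/error.jsp")
# The two constraints from the original post's web.xml.
POSTED = (Constraint(COMMON + ("/app1/*", "*.jsp"), frozenset({"user"})),
          Constraint(COMMON + ("/app2/*",), frozenset({"administrator"})))
# Assumed layout following Pid's advice: login/error pages under WEB-INF/login/
# (never reachable by URL), static files under an unprotected /resources/ tree.
FIXED = (Constraint(("/index.jsp", "/app1/*"), frozenset({"user"})),
         Constraint(("/index.jsp", "/app2/*"), frozenset({"administrator"})))
```

With POSTED, the stylesheet under /app1/ needs the user role, so the browser's fetch of it is the "first protected request" Tomcat replays after login; with FIXED, nothing under /resources/ is constrained.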


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

