tomcat-users mailing list archives

From Pid...@pidster.com>
Subject Re: Tomcat 6.x security-constraint redirection problem... please help!
Date Thu, 15 Jan 2009 09:22:40 GMT
samsina wrote:
> See inline...
> 
> 
> Pid-2 wrote:
>> Martin Gainty wrote:
>>> please display non-proprietary attributes of HTTPS (Port 8443 or 443)
>>> Connector element values from %TOMCAT_HOME%/conf/server.xml
>> OP: Don't attempt to decipher or respond to the above, it's a red
>> herring.  You could instead tell us exactly which 6.x you are using and
>> on which OS.
>> I am running on Red Hat 3.4.6-2
>>
>> There are a couple of things that may be confusing the config below, which
>> have some simple corrections.
>>
>> I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
>> they are protected from unwanted attention by default - this avoids the
>> need to protect them with a security-constraint.
>>
>> You are also protecting "index.jsp" - which will force a login when the
>> apps homepage is accessed, is this what you intended?
>>
>> Yes
>>
>> Are you logging out programmatically, using the servlet method
>> request.getSession().invalidate(), or are you just clearing cookies?
>>
>> I invalidate the session programmatically... correct.
>>
>> Your primary problem sounds like you have placed some CSS or script
>> files somewhere in a protected directory and the browser is requesting
>> them without providing the correct authentication credentials.
>>
>> Tomcat returns the *first* file you requested inside the secured area
>> after authentication is completed.  So for some reason your browser is
>> requesting a script or CSS file before the JSP page.
>>
>> Are the script and CSS files in an unprotected directory?
>>
>> You are absolutely correct; basically the scenario is like this:
>> the page includes <link rel="stylesheet" type="text/css"
>> href="/app1/resources-folder/style.css" />
>> So the browser should apply the style to the page, but instead it outputs
>> the actual file to the browser. So it should be using the style.css from
>> the JSP file.
>>
>> This scenario happens when I try to add a url-pattern in the security
>> constraint in web.xml (basically adding that module's patterns as I
>> described in the first post). Otherwise, it works fine.

The most simple solution here is to move the CSS files to an unprotected
directory.

p


>> p
>>>> Date: Tue, 13 Jan 2009 17:03:08 -0800
>>>> From: samsina@gmail.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Tomcat 6.x security-constraint redirection problem... please
>>>> help!
>>>>
>>>>
>>>> I have defined two roles (admin, user)
>>>>
>>>>     <security-role>
>>>>         <role-name>user</role-name>
>>>>     </security-role>
>>>>      <security-role>
>>>>         <role-name>administrator</role-name>
>>>>     </security-role>
>>>>
>>>> Each of these roles needs access to a separate module in my webapp. To
>>>> achieve this, I have the following security-constraint in the Tomcat
>>>> web.xml:
>>>>
>>>>   <security-constraint>
>>>>         <web-resource-collection>
>>>>             <web-resource-name>Authorized Access Area</web-resource-name>
>>>>             <url-pattern>/index.jsp</url-pattern>
>>>>             <url-pattern>/login.jsp</url-pattern>
>>>>             <url-pattern>/error.jsp</url-pattern>
>>>>             <url-pattern>/app1/*</url-pattern>
>>>>             <url-pattern>*.jsp</url-pattern>
>>>>         </web-resource-collection>
>>>>         <auth-constraint>
>>>>             <role-name>user</role-name>
>>>>         </auth-constraint>
>>>>     </security-constraint>
>>>>
>>>>     <security-constraint>
>>>>         <web-resource-collection>
>>>>             <web-resource-name>Authorized Access Area</web-resource-name>
>>>>             <url-pattern>/index.jsp</url-pattern>
>>>>             <url-pattern>/login.jsp</url-pattern>
>>>>             <url-pattern>/error.jsp</url-pattern>
>>>>             <url-pattern>/app2/*</url-pattern>
>>>>         </web-resource-collection>
>>>>         <auth-constraint>
>>>>             <role-name>administrator</role-name>
>>>>         </auth-constraint>
>>>>     </security-constraint>
>>>>
>>>> Consider the following steps:
>>>>
>>>> 1. Access the context/app1/app1action.jsp URL
>>>> 2. I get prompted for credentials
>>>> 3. I log in as a normal user, and on successful login I get redirected to
>>>> the app1action.jsp page (desired behavior)
>>>> 4. Now, I clear my cache & session authentication from the browser (Firefox)
>>>> 5. Browse to some link in the app1action.jsp page pointing to some other
>>>> page, e.g. context/app1/anotherpage.jsp
>>>> 6. Now I get prompted to log in again
>>>> 7. On successful login, I expect to get redirected to 'anotherpage.jsp'.
>>>> But instead it redirects me to the resources (JS / img / css) that are
>>>> included within 'anotherpage.jsp', e.g. context/resources/sample.js or
>>>> sample.css or sample.gif ....
>>>>
>>>> I spent a couple of days googling this issue with no luck.
>>>>
>>>> Can you please advise how to get properly redirected ?
>>>>
>>>> ~ Many Thanks
>>>>
>>>>
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
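An added example, not part of this thread and not Tomcat's own code: a small Python checker that parses the security-constraint elements of a web.xml and reports, for a request path, which roles the constraints admit. The precedence it applies is my reading of Tomcat's RealmBase.findSecurityConstraints (exact pattern, then the longest "/prefix/*" pattern, then "*.ext" patterns, then the default "/" pattern), and the combining of constraints at the winning level follows Servlet spec section 13.8.1. Run over the poster's constraints it flags exactly what Pid describes: /login.jsp, /error.jsp and /app1/resources-folder/style.css all require a login, so the stylesheet request is the one Tomcat saves and replays after authentication. The FIXED_WEB_XML layout, the /static/ path and the omitted web-resource-name elements are my assumptions, not something proposed on the list.

```python
"""Approximate Tomcat's security-constraint matching and flag paths that
should be reachable without credentials (login/error pages, static files)
but are covered by a constraint.  Precedence is my reading of Tomcat's
RealmBase.findSecurityConstraints: exact, longest "/prefix/*", "*.ext",
then "/"; constraints at the winning level combine per Servlet spec 13.8.1."""
import xml.etree.ElementTree as ET

# The poster's constraints, copied from the thread; <web-resource-name>
# omitted for brevity (the parser below does not need it).
ORIGINAL_WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
 <url-pattern>/index.jsp</url-pattern><url-pattern>/login.jsp</url-pattern>
 <url-pattern>/error.jsp</url-pattern><url-pattern>/app1/*</url-pattern>
 <url-pattern>*.jsp</url-pattern></web-resource-collection>
 <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint>
<security-constraint><web-resource-collection>
 <url-pattern>/index.jsp</url-pattern><url-pattern>/login.jsp</url-pattern>
 <url-pattern>/error.jsp</url-pattern><url-pattern>/app2/*</url-pattern>
 </web-resource-collection>
 <auth-constraint><role-name>administrator</role-name></auth-constraint>
</security-constraint></web-app>"""

# My suggested layout (an assumption, not from the list): login/error pages
# under WEB-INF, static files under /static/ which no pattern covers, and no
# *.jsp catch-all.  /index.jsp stays protected, as the poster wanted.
FIXED_WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
 <url-pattern>/index.jsp</url-pattern><url-pattern>/app1/*</url-pattern>
 </web-resource-collection>
 <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint>
<security-constraint><web-resource-collection>
 <url-pattern>/index.jsp</url-pattern><url-pattern>/app2/*</url-pattern>
 </web-resource-collection>
 <auth-constraint><role-name>administrator</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>FORM</auth-method><form-login-config>
 <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
 <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
</form-login-config></login-config></web-app>"""

def parse_constraints(web_xml):
    """Return [(patterns, roles)]; roles is None when there is no
    <auth-constraint> (unrestricted), else a set (empty set = deny all)."""
    out = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        out.append((patterns, roles))
    return out

def _rank(pattern, path):
    """Lower tuple = more specific match for this path; None = no match."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))           # longest prefix wins
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[-1] == pattern[2:]:
            return (2, 0)
    if pattern == "/":
        return (3, 0)
    return None

def who_can_access(path, constraints):
    """'anyone', 'nobody', or the sorted list of roles admitted at `path`."""
    ranked = [(_rank(p, path), roles) for patterns, roles in constraints for p in patterns]
    ranked = [(r, roles) for r, roles in ranked if r is not None]
    if not ranked:
        return "anyone"                        # no constraint covers the path
    best = min(r for r, _ in ranked)
    winners = [roles for r, roles in ranked if r == best]
    if None in winners:
        return "anyone"                        # 13.8.1: missing auth-constraint opens it
    if any(not roles for roles in winners):
        return "nobody"                        # 13.8.1: empty auth-constraint denies all
    return sorted(set().union(*winners))

def lint(web_xml, login_pages, static_files):
    """List (path, who) for pages the browser must fetch without credentials
    but which a constraint covers: the cause of the thread's symptom."""
    cons = parse_constraints(web_xml)
    return [(p, who_can_access(p, cons)) for p in login_pages + static_files
            if who_can_access(p, cons) != "anyone"]

if __name__ == "__main__":
    print("original:", lint(ORIGINAL_WEB_XML, ["/login.jsp", "/error.jsp"],
                            ["/app1/resources-folder/style.css"]))
    print("fixed:", lint(FIXED_WEB_XML, ["/WEB-INF/login/login.jsp",
                         "/WEB-INF/login/error.jsp"], ["/static/style.css"]))
```

Two side effects of the original configuration show up in the output: /index.jsp, /login.jsp and /error.jsp appear in both constraints, so the union rule admits both roles there, and /app2/foo.jsp is governed by the /app2/* rule alone because a path-prefix pattern outranks the *.jsp extension pattern. This is a static approximation; the container's own behaviour is authoritative, and pages under WEB-INF are unreachable by direct client request regardless of constraints, which is why Pid's placement of the login and error pages there needs no constraint at all.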

