tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 6.x security-constraint redirection problem... please help!
Date Thu, 15 Jan 2009 17:10:58 GMT

Pid,

Pid wrote:
> There's a couple of things that may be confusing the config below, which
> have some simple corrections.
> 
> I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
> they are protected from unwanted attention by default - this avoids the
> need to protect them with a security-constraint.

Agreed. I've found that when using Tomcat to serve static content, these
things tend to happen. The reason is that Tomcat saves the first
unauthorized request and then repeats it after successful
authentication. If the last request was for something like a CSS file
(say, because the CSS file was protected, but the main page wasn't),
then you'll end up being served the CSS file after login. It can be very
disorienting.

> Tomcat returns the *first* file you requested inside the secured area
> after authentication is completed.  So for some reason your browser is
> requesting a script or CSS file before the JSP page.

For some reason, I thought it was the most recent request it saved.
First makes more sense; thanks for mentioning it.

-chris



