tomcat-users mailing list archives

Subject Re: Tomcat 6.x security-constraint redirection problem... please help!
Date Fri, 16 Jan 2009 11:40:09 GMT
Christopher Schultz wrote:
> Pid,
> Pid wrote:
>> There's a couple of things that may be confusing the config below, which
>> have some simple corrections.
>> I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
>> they are protected from unwanted attention by default - this avoids the
>> need to protect them with a security-constraint.
> Agreed. I've found that when using Tomcat to serve static content, these
> things tend to happen. The reason is that Tomcat saves the first
> unauthorized request and then repeats it after successful
> authentication. If the last request was for something like a CSS file
> (say, because the CSS file was protected, but the main page wasn't),
> then you'll end up being served the CSS file after login. It can be very
> disorienting.
>> Tomcat returns the *first* file you requested inside the secured area
>> after authentication is completed.  So for some reason your browser is
>> requesting a script or CSS file before the JSP page.
> For some reason, I thought it was the most recent request it saved.
> First makes more sense; thanks for mentioning it.

I have an app with a page which contains a flash object (displays a nice
graph) that calls a groovy script periodically to get data.

If the user session times out in between requests for the script then
when it's requested it's the first one after de-auth, so it becomes the
target that is re-established after re-login, (obviously not useful for

I've been attempting to stop the periodic request by monitoring the
session period, but haven't had time to properly address it yet. :(


> -chris

To unsubscribe, e-mail:
For additional commands, e-mail: