tomcat-users mailing list archives

From Marcel Stör <mar...@frightanic.com>
Subject Re: Request not forwarded to login page with security-constraint after session time-out
Date Thu, 26 Feb 2009 23:14:48 GMT

On 26.02.2009, at 23:44, Mark Thomas wrote:

> Caldarale, Charles R wrote:
>>> From: Mark Thomas [mailto:markt@apache.org]
>>> Subject: Re: Request not forwarded to login page with
>>> security-constraint after session time-out
>>>
>>> The spec is clearer than that. The "*" role == all roles
>>> defined in web.xml.
>>
>> Yes, but what it's not clear about is what happens when there are  
>> *no* roles defined in web.xml, which is the situation the OP has.
>
> I thought it was pretty clear. If "*" is all roles defined and you have
> no roles defined then you are basically preventing anyone from accessing
> that resource (subject to the weird and wonderful rules on combining
> security constraints).

Not sure I can follow you guys on this... A few questions, my
assumption is that the role-issue has nothing to do with the real
problem:

1. Is the "*"-role issue even relevant in my context? After all, the
security constraint works fine if I initially log in...

2. My requirement is indeed: "allow any authenticated user, ignore
roles altogether". So I set
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  ...
  <security-role>
    <role-name>*</role-name>
  </security-role>

in web.xml and allRolesMode="AUTH_ONLY_MODE" in the JDBC realm config.  
Correct? Uummhh, obviously not, because there's still this error in  
the log, but it has no impact:

Feb 27, 2009 12:06:43 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
java.sql.SQLException: ORA-00903: invalid table name

	at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
	at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
	at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)

3. Why does it seem to be relevant that the request where
auto-forwarding-to-login-after-session-timeout fails is an AJAX request?

Regards,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer
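
A configuration sketch of the setup the message describes (any authenticated user may reach the protected resources, roles not checked), added here as an example and not taken from the original post or from the Tomcat project. The `allRolesMode` values named in the comments are the three listed in Tomcat's Realm documentation; the FORM login pages, URL pattern, JDBC URL, account placeholder, and table and column names are assumptions.

```xml
<!-- WEB-INF/web.xml (fragment): every request under the pattern needs a login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name> <!-- assumed name -->
    <url-pattern>/app/*</url-pattern>                     <!-- assumed pattern -->
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" is the servlet spec shorthand for all roles declared in web.xml -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>                         <!-- assumed method -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>         <!-- assumed page -->
    <form-error-page>/login-error.jsp</form-error-page>   <!-- assumed page -->
  </form-login-config>
</login-config>

<!-- context.xml or server.xml (fragment): the realm behind the constraint.
     allRolesMode controls how the realm treats the "*" role name:
       strict         (default) user must hold one of the roles in web.xml
       authOnly       user must be authenticated, assigned roles not checked
       strictAuthOnly as authOnly, unless web.xml declares roles, in which
                      case the user must hold at least one of them
     All connection, table and column values below are placeholders. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="oracle.jdbc.OracleDriver"
       connectionURL="jdbc:oracle:thin:@//db.example.test:1521/APP"
       connectionName="tomcat_ro"
       connectionPassword="CHANGE_ME"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       allRolesMode="authOnly"/>
```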

