tomcat-users mailing list archives

From Marcel Stör <mar...@frightanic.com>
Subject Request not forwarded to login page with security-constraint after session time-out
Date Wed, 25 Feb 2009 23:16:25 GMT
Up to now I had always thought I understood the security aspects of the Servlet spec quite well. Looks like I was wrong...

[Problem]
Upon session time-out the request is not forwarded to the login page (form based auth). Nothing happens on the UI. However, forwarding to the login page does work during the initial login into the application.

[Setup]
Tomcat 5.0.28, but the behavior is the same in 5.5.
Application entry page at /app/app.jsp.
Entry Servlet at /app/AppServlet.
Login page at /public/login.jsp.
web.xml looks like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>myapp</web-resource-name>
    <url-pattern>/app/app.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>myapp</web-resource-name>
    <url-pattern>/app/AppServlet</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/public/login.jsp</form-login-page>
    <form-error-page>/public/login.jsp?retry=true</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>*</role-name>
</security-role>

When I initially request /app/app.jsp Tomcat forwards to /public/login.jsp as expected, I can login (using JDBCRealm) and will be forwarded to /app/app.jsp.

[Analysis]
I started Tomcat in debug mode with debug log level and set a breakpoint in FormAuthenticator.authenticate(HttpRequest, HttpResponse, LoginConfig). I see that eventually RequestDispatcher#forward() is invoked because it was detected that the request needs to be authenticated. I followed the control flow to ApplicationDispatcher.doForward(ServletRequest, ServletResponse) but nothing seems to be wrong - at least to me. The log contains the following:
23:27:55,251 DEBUG AuthenticatorBase:413 - [] Security checking request POST /app/AppServlet
23:27:55,252 DEBUG RealmBase:422 - []   Checking constraint 'SecurityConstraint[myapp, myapp]' against POST /app/AppServlet --> true
23:27:55,253 DEBUG AuthenticatorBase:484 - Calling hasUserDataPermission()
23:27:55,253 DEBUG RealmBase:752 - User data constraint has no restrictions
23:27:55,254 DEBUG AuthenticatorBase:502 - Calling authenticate()
23:28:25,246 DEBUG FormAuthenticator:208 - Save request in session '2E77E8D1AF28AA5369AE8DCD334960C5'
// Why would the servletPath be empty? Potential problem?
23:28:27,500 DEBUG ApplicationDispatcher:148 - servletPath=, pathInfo=/public/login.jsp, queryString=null, name=null
23:29:11,136 DEBUG ApplicationDispatcher:381 - Path Based Forward
23:30:58,381 DEBUG ApplicationDispatcher:418 - Disabling the response for futher output
23:31:35,471 DEBUG AuthenticatorBase:506 - Failed authenticate() test

Kind regards,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer
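An added example, not part of Marcel's post or of Tomcat: a small parser for the log4j-style Tomcat 5.0 debug lines quoted above that reduces one request's authenticator and dispatcher lines to the facts they establish (which constrained request was intercepted, which session the original request was saved in, where the dispatcher forwarded and with what servletPath, and whether authenticate() failed). The sample log is the message's own lines, joined back onto one line each.

```python
import re

# Constructed sample: the Tomcat 5.0 debug lines quoted above, unwrapped to one line each
# (log text verbatim, including Tomcat's own "futher" typo).
SAMPLE_LOG = """\
23:27:55,251 DEBUG AuthenticatorBase:413 - [] Security checking request POST /app/AppServlet
23:27:55,252 DEBUG RealmBase:422 - []   Checking constraint 'SecurityConstraint[myapp, myapp]' against POST /app/AppServlet --> true
23:27:55,253 DEBUG AuthenticatorBase:484 - Calling hasUserDataPermission()
23:27:55,253 DEBUG RealmBase:752 - User data constraint has no restrictions
23:27:55,254 DEBUG AuthenticatorBase:502 - Calling authenticate()
23:28:25,246 DEBUG FormAuthenticator:208 - Save request in session '2E77E8D1AF28AA5369AE8DCD334960C5'
23:28:27,500 DEBUG ApplicationDispatcher:148 - servletPath=, pathInfo=/public/login.jsp, queryString=null, name=null
23:29:11,136 DEBUG ApplicationDispatcher:381 - Path Based Forward
23:30:58,381 DEBUG ApplicationDispatcher:418 - Disabling the response for futher output
23:31:35,471 DEBUG AuthenticatorBase:506 - Failed authenticate() test
"""

# timestamp, logger class, source line, message (the log4j-style layout used in the post)
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d,\d{3}) DEBUG (\w+):\d+ - (.*)$")

def parse_auth_trace(text):
    """Reduce one request's authenticator/dispatcher debug lines to the facts they prove."""
    trace = {"method": None, "uri": None, "constrained": False, "saved_session": None,
             "servlet_path": None, "forward_target": None, "failed": False}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        _ts, cls, msg = m.groups()
        if cls == "AuthenticatorBase" and "Security checking request" in msg:
            trace["method"], trace["uri"] = msg.split()[-2:]
        elif cls == "RealmBase" and msg.endswith("--> true"):
            trace["constrained"] = True            # a <security-constraint> matched
        elif cls == "FormAuthenticator" and "Save request in session" in msg:
            trace["saved_session"] = msg.split("'")[1]
        elif cls == "ApplicationDispatcher" and msg.startswith("servletPath="):
            kv = dict(p.split("=", 1) for p in msg.split(", "))
            trace["servlet_path"], trace["forward_target"] = kv["servletPath"], kv["pathInfo"]
        elif cls == "AuthenticatorBase" and "Failed authenticate()" in msg:
            trace["failed"] = True                 # login page sent, resource not invoked
    return trace

def findings(trace):
    """Statements the trace proves, to compare against what the browser actually showed."""
    out = []
    if trace["constrained"] and trace["saved_session"]:
        out.append(f"{trace['method']} {trace['uri']} intercepted; saved in session {trace['saved_session']}")
    if trace["forward_target"] is not None:
        out.append(f"forwarded to {trace['forward_target']} (servletPath={trace['servlet_path']!r})")
    if trace["failed"]:
        out.append("authenticate() returned false: login page is the response, servlet never ran")
    return out
```

Running `findings(parse_auth_trace(SAMPLE_LOG))` on the quoted log yields three statements, confirming that the container did send the login page for the timed-out POST; what the trace cannot show is whether the client rendered that response.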

