From: Marcel Stör <marcel@frightanic.com>
To: users@tomcat.apache.org
Subject: Request not forwarded to login page with security-constraint after session time-out
Date: Thu, 26 Feb 2009 00:16:25 +0100

Up to now I had always thought I understood the security aspects of the Servlet spec quite well. Looks like I was wrong...

[Problem]

Upon session time-out the request is not forwarded to the login page (form-based auth). Nothing happens on the UI. However, forwarding to the login page does work during the initial login into the application.

[Setup]

Tomcat 5.0.28, but the behavior is the same in 5.5.
Application entry page at /app/app.jsp.
Entry Servlet at /app/AppServlet.
Login page at /public/login.jsp.

web.xml looks like this:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/app/app.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/app/AppServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/public/login.jsp</form-login-page>
      <form-error-page>/public/login.jsp?retry=true</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>*</role-name>
  </security-role>

When I initially request /app/app.jsp Tomcat forwards to /public/login.jsp as expected, I can log in (using JDBCRealm) and will be forwarded to /app/app.jsp.

[Analysis]

I started Tomcat in debug mode with debug log level and set a breakpoint in FormAuthenticator.authenticate(HttpRequest, HttpResponse, LoginConfig). I see that eventually RequestDispatcher#forward() is invoked because it was detected that the request needs to be authenticated. I followed the control flow to ApplicationDispatcher.doForward(ServletRequest, ServletResponse) but nothing seems to be wrong - at least to me.

The log contains the following:

23:27:55,251 DEBUG AuthenticatorBase:413 - [] Security checking request POST /app/AppServlet
23:27:55,252 DEBUG RealmBase:422 - [] Checking constraint 'SecurityConstraint[myapp, myapp]' against POST /app/AppServlet --> true
23:27:55,253 DEBUG AuthenticatorBase:484 - Calling hasUserDataPermission()
23:27:55,253 DEBUG RealmBase:752 - User data constraint has no restrictions
23:27:55,254 DEBUG AuthenticatorBase:502 - Calling authenticate()
23:28:25,246 DEBUG FormAuthenticator:208 - Save request in session '2E77E8D1AF28AA5369AE8DCD334960C5'
// Why would the servletPath be empty? Potential problem?
23:28:27,500 DEBUG ApplicationDispatcher:148 - servletPath=, pathInfo=/public/login.jsp, queryString=null, name=null
23:29:11,136 DEBUG ApplicationDispatcher:381 - Path Based Forward
23:30:58,381 DEBUG ApplicationDispatcher:418 - Disabling the response for futher output
23:31:35,471 DEBUG AuthenticatorBase:506 - Failed authenticate() test

Kind regards,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer