tomcat-users mailing list archives

From Dean Chester <dean.g.ches...@googlemail.com>
Subject Re: Keep having to login with container based authentication.
Date Thu, 20 Aug 2009 12:14:02 GMT
OK, I've discovered that they are not staying the same between clicks. I'm
going to look at encoding URLs now.
Dean
On Thu, Aug 20, 2009 at 1:06 PM, Pid <pid@pidster.com> wrote:

> On 20/08/2009 13:00, Pid wrote:
>
>> On 20/08/2009 12:36, Dean Chester wrote:
>>
>>> Sorry about that.
>>> Yes, I have an index page in the restricted area that has links to other
>>> restricted JSPs. The logs are not reporting anything.
>>>
>>> How do you mean encode your URLs?
>>>
>>
>> If you're being asked to log in every click, your session is probably
>> not being preserved. The session ID is set in a cookie or by encoding
>> the URL to include the session id:
>>
>> /path/to/page.jsp;jsessionid=00AF0000000000?query=param&go=here
>>
>>
>> Most browsers have a variety of dev tools you can use to examine
>> cookies, or response headers (e.g. Set-Cookie) to see if the cookie is
>> being set properly.
>>
>> If it's not, you'll need to encode the URL so that it contains the
>> session id. The servlet spec, (which of course you have read), has a
>> handy method on the HttpServletResponse object which can do this.
>>
>>
>> Encode each URL to ensure that the session id is preserved.
>>
>> <a href='<%= response.encodeURL(request.getContextPath() +
>> "/path/to/page.jsp") %>' alt="a link">Linked text</a>
>>
>> p
>>
>
> If you have a common footer, included in your JSPs you can add the session
> id to it, so you can see it on each page - it should not change between
> clicks if you've encoded URLs properly.
>
>
>  <%= request.getSession().getId() %>
>
> Or if you're using JSP Expression Language
>
>  ${pageContext.session.id}
>
>
> p
>
>
>> P.S. There are tag libraries that exist to make this easier/less clumsy
>> looking.
>>
>>> I haven't set a time out in the web.xml file so it's using the
>>> default. The time between clicks is usually about 1-2 seconds. Here is
>>> some of my web.xml file:
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>users</web-resource-name>
>>>     <url-pattern>/add/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>user</role-name>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>admin</web-resource-name>
>>>     <url-pattern>/admin/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>>
>>> <login-config>
>>>   <auth-method>FORM</auth-method>
>>>   <form-login-config>
>>>     <form-login-page>/login.jsp</form-login-page>
>>>     <form-error-page>/login-error.jsp</form-error-page>
>>>   </form-login-config>
>>> </login-config>
>>>
>>> <security-role>
>>>   <role-name>admin</role-name>
>>> </security-role>
>>> <security-role>
>>>   <role-name>user</role-name>
>>> </security-role>
>>> I am using the default realm which I know works.
>>> Dean
>>>
>>> On Thu, Aug 20, 2009 at 12:19 PM, Pid<pid@pidster.com> wrote:
>>>
>>>> On 20/08/2009 11:55, Dean Chester wrote:
>>>>
>>>>> Sorry, Tomcat 6.20, Red Hat Enterprise edition 4 I think. Java 1.6.
>>>>> And I mean once logged in I have to log in again after clicking on a
>>>>> link in the restricted area.
>>>>> Dean
>>>>>
>>>>>
>>>> You don't need to reply-to-all, just to the list. I'm obviously on the
>>>> mailing list, so I'll get the message anyway - I don't need it twice.
>>>>
>>>> /myapp/index.jsp
>>>> /myapp/secure/index.jsp
>>>> /myapp/secure/page2.jsp
>>>>
>>>> So you're logging into the secure area, and trying to view, e.g.
>>>> page2.jsp
>>>> from a link on the e.g. index.jsp page?
>>>>
>>>> Do the logs have any errors in them?
>>>> If so, what are they?
>>>>
>>>> Are you encoding all of the URLs properly?
>>>>
>>>> How long between clicks?
>>>>
>>>> What is the session timeout in your web.xml?
>>>>
>>>> How have you defined the <security-constraint> in web.xml?
>>>>
>>>> Which Realm are you using?
>>>>
>>>> Perhaps you could post a little bit more information?
>>>>
>>>> p
>>>>
>>>>
>>>>
>>>>> On Thu, Aug 20, 2009 at 11:23 AM, Pid <pid@pidster.com> wrote:
>>>>>
>>>>> On 20/08/2009 10:40, Dean Chester wrote:
>>>>>
>>>>> Hi,
>>>>> I've written my application using j_security_check yet I keep
>>>>> having to log
>>>>> in in the restricted area. Has anyone else experienced this?
>>>>>
>>>>>
>>>>> Yep. I have to log in each time I want to use our app - it's a side
>>>>> effect of implementing security.
>>>>>
>>>>> Or is your question referring to a less vague and more specific issue?
>>>>>
>>>>>
>>>>>
>>>>> Because it works with a small amount of JSPs and then when I
>>>>> implement it all into my
>>>>> application it doesn't work.
>>>>>
>>>>>
>>>>> I might need to warm up my Internet Telepathy(tm) without some more
>>>>> information...
>>>>>
>>>>>
>>>>>
>>>>> Where am I most likely going wrong?
>>>>>
>>>>>
>>>>> Not telling us your Tomcat version, JVM version, OS version...
>>>>>
>>>>> p
>>>>>
>>>>>
>>>>> Thanks in advance
>>>>> Dean
>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> <mailto:users-unsubscribe@tomcat.apache.org>
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>> <mailto:users-help@tomcat.apache.org>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
>
>
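
The check discussed in this thread (is the session id the server issued coming back on the next click, via the cookie or via a `;jsessionid=` URL?) can be run over captured requests. This is an added example, not code from the thread or from Tomcat; the function names are hypothetical and the sample exchanges are constructed.

```python
import re
from http.cookies import SimpleCookie

# Matches the ;jsessionid=... path parameter that response.encodeURL() appends.
JSESSIONID_PARAM = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)

def cookie_value(header, name="JSESSIONID"):
    """Return the named cookie's value from a Cookie or Set-Cookie header line."""
    jar = SimpleCookie()
    jar.load(header or "")
    return jar[name].value if name in jar else None

def presented_session_id(request_target, cookie_header):
    """Return (session_id, transport) the client sent, or (None, None)."""
    sid = cookie_value(cookie_header)
    if sid:
        return sid, "cookie"
    # Only the path part can carry the parameter; ignore the query string.
    match = JSESSIONID_PARAM.search(request_target.split("?", 1)[0])
    return (match.group(1), "url") if match else (None, None)

def audit_clicks(exchanges):
    """Flag each request that failed to carry the id the server last issued."""
    findings, current = [], None
    for number, (target, cookie_header, set_cookie_headers) in enumerate(exchanges, 1):
        sent, _ = presented_session_id(target, cookie_header)
        if current is not None and sent != current:
            findings.append((number, target, current, sent))
        # A Set-Cookie in the response replaces the id we expect next time.
        issued = [v for v in map(cookie_value, set_cookie_headers) if v]
        current = issued[-1] if issued else (sent or current)
    return findings

# Constructed sample: (request target, Cookie header, Set-Cookie headers) for a
# browser with cookies disabled. Paths follow the thread; the ids are made up.
SAMPLE_EXCHANGES = [
    ("/myapp/secure/index.jsp", None, ["JSESSIONID=AAA111; Path=/myapp"]),
    ("/myapp/secure/page2.jsp;jsessionid=AAA111?query=param", None, []),
    ("/myapp/secure/page2.jsp", None, ["JSESSIONID=BBB222; Path=/myapp"]),
]

if __name__ == "__main__":
    for number, target, expected, sent in audit_clicks(SAMPLE_EXCHANGES):
        print(f"request {number} {target}: expected {expected}, client sent {sent}")
```

In the sample, the second click follows an encoded link and keeps the session; the third follows a plain link, presents no id, and the server answers with a fresh `JSESSIONID`, which is the repeated-login symptom.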
