tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: j_security_check not working with flash
Date Wed, 23 Dec 2009 16:00:45 GMT
Hash: SHA1


On 12/21/2009 5:23 PM, vpapado wrote:
> Thank you for fast reply.
> I try everything. Open in different browser, etc.
> But the whole login procedure seems to result to error from Tomcat when I
> have my flash on the login.jsp page.
> When I remove this flash everything seems to work OK.
> Is there a possibility that j_security_check type of authentication
> conflicts with flash swf file? Who knows...
> I know about the problem with re-authentication and I solved it in a way
> that whenever a user goes to login.jsp page again (this means that there is
> already a user loged in the current secured file system), then I
> simultaneously log out the user with "session.invalidate();" and redirect
> him to the same page where the user pressed "log-in button". This will cause
> to automatic redirection to login.jsp page, since tomcat recognises that
> there is no user loged-in at that moment. This causes successful
> re-authentication.

This seems to indicate that you were trying a "drive-by login" meaning
that no request was previously made to a protected resource. The servlet
specification is (strangely) very specific about calls to
j_security_check for authentication: a request /must/ be made to a
protected resource for the login page to be served to the user, and then
authentication can proceed.

Tomcat implements this specified behavior by returning a 404 for
unexpected requests to j_security_check. Your hack works because it
forces a request to a protected resource.

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message