tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: j_security_check not working with flash
Date Wed, 23 Dec 2009 16:00:45 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Papado,

On 12/21/2009 5:23 PM, vpapado wrote:
> Thank you for fast reply.
> I try everything. Open in different browser, etc.
> But the whole login procedure seems to result to error from Tomcat when I
> have my flash on the login.jsp page.
> When I remove this flash everything seems to work OK.
> Is there a possibility that j_security_check type of authentication
> conflicts with flash swf file? Who knows...
> 
> I know about the problem with re-authentication and I solved it in a way
> that whenever a user goes to login.jsp page again (this means that there is
> already a user loged in the current secured file system), then I
> simultaneously log out the user with "session.invalidate();" and redirect
> him to the same page where the user pressed "log-in button". This will cause
> to automatic redirection to login.jsp page, since tomcat recognises that
> there is no user loged-in at that moment. This causes successful
> re-authentication.

This seems to indicate that you were trying a "drive-by login" meaning
that no request was previously made to a protected resource. The servlet
specification is (strangely) very specific about calls to
j_security_check for authentication: a request /must/ be made to a
protected resource for the login page to be served to the user, and then
authentication can proceed.

Tomcat implements this specified behavior by returning a 404 for
unexpected requests to j_security_check. Your hack works because it
forces a request to a protected resource.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksyPq0ACgkQ9CaO5/Lv0PDP+wCeJA9rKgTntPTHS0YJpARWvbmI
tkYAoJlEvX2igdHQS0lfUy07DzgGDAOj
=cuOb
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message