tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From neo21 zerro <>
Subject Re: Programatic JAAS login in Tomcat 6.0.26!
Date Thu, 20 Jan 2011 17:25:22 GMT
 Hi Mikolaj and Mark, 

  Thanks for the replay. The problem is that I read the specifications and I 
still don't know how to push the login details 
and the request for the main page in one call. 
   The fact is that I need to open a browser from a swing app with the main page 
for my other application(that uses JAAS) programatic.  So the real problem is 
how do push the request from the swing app to open an browser with an 
authenticated user and the main page from my other app. Because as  I already 
said I cannot push to the application that uses JAAS my login credentials and 
the request to my main app. So I push the credentials as I already said but HTTP 
Status 400 - Invalid direct reference to form login page because I have no 
initial request with my main page, so that Tomcat can restore it.
   I cannot use JSP, my login page is a simple html page.

Thanks a lot for your time!


From: Mikolaj Rydzewski <>
To: Tomcat Users List <>
Sent: Thu, January 20, 2011 5:53:04 PM
Subject: Re: Programatic JAAS login in Tomcat 6.0.26!

On Thu, 20 Jan 2011 15:16:15 +0000, Mark Thomas <> wrote:

> Read up on FORM auth in the Servlet spec. There is a specific sequence
> of events that looks roughly like (for a successful auth):
> 1. Browser sends original request
> 2. Server saves request, creates session and responds with login page
> 3. Browser sends login details to server
> 4. Server validates login details
> 5. Server restores saved request and processes it
> 6. Server sends response to original request to browser.

Hi Mark,

That explains problem some people complain about:
When you invalidate session in second step, server is not able to restore 
previous request and leaves user with the same login form with URL 
/j_security_check. Real problem is, that now cryptic error appears: HTTP Status 
400 - Invalid direct reference to form login page.
It's enough for user to open login form page, wait until session invalidates due 
to inactivity time, then try to login.
One solution is to use HttpSession.isNew() check on login JSP page and perform 
redirect to e.g. to main page.

-- Mikolaj Rydzewski <>

To unsubscribe, e-mail:
For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message