Andre, I'll get HttpFox and Fiddler2. Is there one for Chrome or Safari? I'll come back when I get some info from them.

Thanks.
Dick

________________________________
From: André Warnier <aw@ice-sa.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Wednesday, April 6, 2011 3:20 AM
Subject: Re: IE & Firefox work fine, Mac, Google and Safari don't authenticate

Hi.

Not knowing the exact layout of your pages, and not knowing exactly what you have in mind about what /should/ happen, makes this a bit of a guesswork.
In the log, there are a number of URLs being accessed ( /catalog/dealerwelcome.jsp, /catalog/authControl.jsp, /catalog/dealer/dealerwelcome.jsp, etc..) but it is not clear to people reading your messages to the list, what these correspond to in terms of logic of the application.

It would help if you described what the sequence is or should be, from the point of view of the user accessing your site, and/or from the point of the view of the pages they should access in what order.

For example, your <security-constraint> sections below :
- one of them relates to an area of your web space under "<url-pattern>/joeparts/admin/*</url-pattern>", which seems to have nothing to do with the logfile, and confuses things.
- the other refers to "<url-pattern>/catalog/dealer/*</url-pattern>", but according to the log, there is a "dealerwelcome.jsp" page in both the top "/catalog" directory and in the "/catalog/dealer" directory, and between the accesses to these two, there is an intermediate POST to something called "/catalog/authControl.jsp". What is that ? What is it supposed to do ?

I get the feeling that there is something fundamentally flawed in the way you are trying to do this authentication, and that the fact that it works in some cases may just be due to the different way that browsers react to edge cases.

Also, with the logs we only see one side of things : the requests received by the server, and the status code of the answer. Contrary to you, we do not see what the browser is actually sending or receiving. Try to help us a bit here.

There exist useful plugins for browsers, which allow to see the detail of the browser/server conversation. For Firefox, try HttpFox for example, and for IE try Fiddler2. You will easily locate them with Google. They are invaluable when trying to debug such issues.


Dick Eastlake wrote:
> Here's an access log from a successful login using Firefox. Note the post to j_security_check returns a 302 and the id of the authenticated user shows in the returned request for a page located in the secured portion of the site.
> 213.20.160.134 - - [05/Apr/2011:22:44:31 -0700] "GET /catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
> 213.20.160.134 - - [05/Apr/2011:22:44:40 -0700] "POST /catalog/authControl.jsp HTTP/1.1" 302 -
> 213.20.160.134 - - [05/Apr/2011:22:44:40 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1910
> 213.20.160.134 - - [05/Apr/2011:22:44:44 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 302 -
> 213.20.160.134 - dickeastlake@progressivecommerce.com [05/Apr/2011:22:44:44 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 2391
>
> Here's a failed attempt (phony id/password) using IE. Note the post to j_security_check returns a 200 and there is no returned request.
> 74.77.201.185 - - [05/Apr/2011:22:52:46 -0700] "GET /catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
> 74.77.201.185 - - [05/Apr/2011:22:53:05 -0700] "POST /catalog/authControl.jsp HTTP/1.1" 302 -
> 74.77.201.185 - - [05/Apr/2011:22:53:05 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1897
> 74.77.201.185 - - [05/Apr/2011:22:53:12 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 200 676
>
> The above examples show correct results using IE and Firefox.
> Here's an access log from an unsuccessful login using Chrome. Note the post to j_security_check returns a 200 even though the id/password entered was a valid one.
> 74.77.201.185 - - [05/Apr/2011:23:35:58 -0700] "GET /catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
> 74.77.201.185 - - [05/Apr/2011:23:36:06 -0700] "POST /catalog/authControl.jsp HTTP/1.1" 302 -
> 74.77.201.185 - - [05/Apr/2011:23:36:06 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
> 74.77.201.185 - - [05/Apr/2011:23:36:09 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 200 676
>
> Again, IE & Firefox work fine, Mac, Google and Safari don't.
> Thanks for your help,
> Dick
>
> ________________________________
> From: André Warnier <aw@ice-sa.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Tuesday, April 5, 2011 6:43 PM
> Subject: Re: IE & Firefox work fine, Mac, Google and Safari don't authenticate
>
> Hi.
>
> Since I doubt that many people here really feel like going through a bunch of lines of badly-formatted configuration, code and logs to figure out exactly what is wrong, I suggest that you search Google for
> "tomcat form based authentication example" and use one of the numerous ones there as a reference.
>
> There is something bizarre in your explanation and data however :
>
> You say that the first part of the log is with Firefox, which works fine.
> However, that part contains this line :
>
>> 69.207.4.57 - sor@sor.com [27/Mar/2011:15:34:30 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 500 2158
>
> which shows a status code 500 (= "server error") returned by the server, while the part supposedly not working shows no such error.
>
> Another bizarre part is this : the JSP document that you show, appears to be the login page, and it contains a <form> line like this :
>
>>          <form method="POST" action="<%= response.encodeURL("j_security_check") %>">
>
> Yet, looking at the log, it does not seem that there is ever a POST to that URL.
>
> It would look like there is some confusion about the basic way in which form authentication is supposed to work. That's also why your best bet may be to re-read the on-line documentation, and try first with one of the examples you will find in Google.
>
>
> Dick Eastlake wrote:
>> Users can authenticate to the secured area of my Website using IE and Firefox; no problem. However, Macs, Google and Safari browsers cannot log in.
>>
>> Macs, Google and Safari browsers go straight to the form-error-page "not_auth.html".
>>
>> Please help!
>>
>>
>> I'm using a simple form-based authentication method.
>>
>>
>> Here's my WEB.XML (from inside the webapp, not the conf):
>>
>> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>>      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>>      version="2.4">
>> <display-name>Progressive Commerce Inc</display-name>
>>
>> <description>
>>      Progressive Website
>> </description>
>>
>> <security-constraint>
>>      <display-name>Progressive Security Constraint</display-name>
>>      <web-resource-collection>
>>          <web-resource-name>Dealer Area</web-resource-name>
>>          <url-pattern>/catalog/dealer/*</url-pattern>
>>      </web-resource-collection>
>>      <auth-constraint>
>>          <role-name>dealer</role-name>
>>      </auth-constraint>
>> </security-constraint>
>> <security-role>
>>      <role-name>dealer</role-name>
>> </security-role>
>>
>> <security-constraint>
>>      <display-name>Joe Parts Security Constraint</display-name>
>>      <web-resource-collection>
>>          <web-resource-name>Joe Parts Area</web-resource-name>
>>          <url-pattern>/joeparts/admin/*</url-pattern>
>>      </web-resource-collection>
>>      <auth-constraint>
>>          <role-name>joe</role-name>
>>      </auth-constraint>
>> </security-constraint>
>>
>> <security-role>
>>      <role-name>joe</role-name>
>> </security-role>
>> <login-config>
>>      <auth-method>FORM</auth-method>
>>      <realm-name>Progressive Form-Based Authentication Area</realm-name>
>>      <form-login-config>
>>          <form-login-page>/catalog/dealer_door.jsp</form-login-page>
>>          <form-error-page>/not_auth.html</form-error-page>
>>      </form-login-config>
>> </login-config>
>>
>>
>> <resource-ref>
>>        <description>
>>          jdbc/progressive
>>        </description>
>>        <res-ref-name>
>>          jdbc/progressive
>>        </res-ref-name>
>>        <res-type>
>>          javax.sql.DataSource
>>        </res-type>
>>        <res-auth>
>>          Container
>>        </res-auth>
>>        <res-sharing-scope>
>>          Shareable
>>        </res-sharing-scope>
>> </resource-ref>
>>
>> <welcome-file-list>
>>      <welcome-file>index.html</welcome-file>
>> </welcome-file-list>
>> </web-app>
>>
>> Here's the code from my jsp
>>
>>      <jsp:useBean id="dlb" scope="session" class="com.dealer.beans.DealerBean"/>
>>
>>      <body bgcolor="#222324" text="#000000">
>>          <form method="POST" action="<%= response.encodeURL("j_security_check") %>">
>>              <p> </p>
>>              <div align="center"> </div>
>>              <table width="431" border="0" cellspacing="0" cellpadding="0">
>>                <tr bgcolor="#FFFFFF"
>>                    <td>
>>
>>                  </td>
>>                  <td>
>>                      <table>
>>                      <tr>
>>                          <td width="160"><font color="009999"><b><font face="Arial, Helvetica, sans-serif">Email Address:</font></b></font></td>
>>                          <td width="147">
>>                                <input tabindex="1" type="text" name="j_username" value="
>> <%
>>                    out.print(dlb.getEmail() + "\"");
>> %>
>>                    >      </td>
>>                          <td width="49"> </td>
>>                        </tr>
>>                        <tr bgcolor="#FFFFFF">
>>                          <td width="160" height="20"><font color="009999"><b><font face="Arial, Helvetica, sans-serif">Password:</font></b></font></td>
>>                          <td width="147" height="20">
>>                            <input tabindex="2" type="password" name="j_password">
>>                          </td>
>>                        </tr>
>>                        <tr bgcolor="#FFFFFF">
>>                          <td width="37"> </td>
>>                          <td width="38"> </td>
>>                          <td width="160"></td>
>>                          <td width="147">
>>                                <div align="center">
>>                                  <input tabindex="3" type="submit" value="Log In">
>>                                </div>
>>                          </td>
>>                          <td width="49"> </td>
>>                        </tr>
>>                  </table>
>>              </table>
>>          </form>
>>      </body>
>>
>> Here's the access log. The entries at 15:34 are using Firefox, the ones at 15:42 are Google's browser.
>>
>>
>> 69.207.4.57 - - [27/Mar/2011:15:34:16 -0700] "GET /Dynacorn/catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
>> 69.207.4.57 - - [27/Mar/2011:15:34:27 -0700] "POST /Dynacorn/catalog/authControl.jsp HTTP/1.1" 302 -
>> 69.207.4.57 - - [27/Mar/2011:15:34:27 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
>> 69.207.4.57 - - [27/Mar/2011:15:34:30 -0700] "POST /Dynacorn/catalog/dealer/j_security_check HTTP/1.1" 302 -
>> 69.207.4.57 - sor@sor.com [27/Mar/2011:15:34:30 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 500 2158
>> 69.207.4.57 - - [27/Mar/2011:15:42:14 -0700] "GET /Dynacorn/catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
>> 69.207.4.57 - - [27/Mar/2011:15:42:20 -0700] "POST /Dynacorn/catalog/authControl.jsp HTTP/1.1" 302 -
>> 69.207.4.57 - - [27/Mar/2011:15:42:20 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
>> 69.207.4.57 - - [27/Mar/2011:15:42:23 -0700] "POST /Dynacorn/catalog/dealer/j_security_check HTTP/1.1" 200 676
>> there are no more entries
>>
>>
>> Again, IE & Firefox work fine, Mac, Google and Safari don't.
>>
>> Thanks for your help,
>> Dick
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
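
The pattern read off the access logs in this thread (a 302 from j_security_check followed by a request that carries the user id, versus a 200 that serves the error page) can be checked mechanically. The Python below is an added example, not part of the original messages; the sample lines are constructed in the same log format, and the function names, the `;jsessionid` suffix handling (which `response.encodeURL` can append) and the outcome labels are assumptions of the example.

```python
import re

# Common Log Format as it appears in the thread:
# host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (documentation IPs, made-up user and session id).
SAMPLE = """\
192.0.2.10 - - [05/Apr/2011:22:44:40 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1910
192.0.2.10 - - [05/Apr/2011:22:44:44 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 302 -
192.0.2.10 - dealer@example.com [05/Apr/2011:22:44:44 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 2391
198.51.100.7 - - [05/Apr/2011:23:36:06 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
198.51.100.7 - - [05/Apr/2011:23:36:09 -0700] "POST /catalog/dealer/j_security_check;jsessionid=ABC123 HTTP/1.1" 200 676
"""

def parse(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_logins(lines):
    """Return one (host, time, outcome, user) tuple per POST to j_security_check."""
    entries = [e for e in map(parse, lines) if e]
    results = []
    for i, e in enumerate(entries):
        # Drop ";jsessionid=..." or a query string before comparing the path.
        path = re.split(r"[;?]", e["path"], maxsplit=1)[0]
        if e["method"] != "POST" or not path.endswith("/j_security_check"):
            continue
        # The next request from the same client shows whether a user id is now logged.
        follow = next((n for n in entries[i + 1:] if n["host"] == e["host"]), None)
        user = follow["user"] if follow and follow["user"] != "-" else None
        if e["status"] == "302" and user:
            outcome = "authenticated"
        elif e["status"] == "302":
            outcome = "redirected-no-principal"
        elif e["status"] == "200":
            outcome = "error-page-served"
        else:
            outcome = "other-" + e["status"]
        results.append((e["host"], e["time"], outcome, user))
    return results

if __name__ == "__main__":
    for row in classify_logins(SAMPLE.splitlines()):
        print(row)
```

Run over a real access log, a cluster of `error-page-served` results for one browser family is the server-side half of the picture; the request bodies and cookies still have to come from a client-side capture such as the tools suggested above.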