tomcat-users mailing list archives

From removeps-c...@yahoo.com
Subject Re: not able to access URL in 2nd app in 7.0.23
Date Thu, 26 Jan 2012 03:59:53 GMT
> When Tomcat receives an unauthenticated request for a
> protected resource
> it intercepts and saves that request, then forwards to the
> resource
> defined in the login config.

True.  Also, I'm not making the request through Firefox.  I did that below as part of my debugging only.

I have a Java application.  It calls

      HttpsURLConnection.setFollowRedirects(false);

At some point it calls

      HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();

where url is "https://localhost:6143/myapp/folder/action.do".  Then there is a call to

      connection.setRequestMethod("POST");

along with the other usual methods for a post request.

The server intercepts this message and internally directs to /login.html.  Either a servlet
should build this page or it should exist.  However, in 7.0.22 a POST request is made to this
page, whereas in 7.0.23 a GET request is made.  Is this a bug in tomcat, a feature in tomcat,
or required by the spec?

Then the login.html page is generated and sent back to the client.

The client will then read this message and verify it is the expected login page.  The client
will then send a post request to https://localhost:6143/myapp/j_security_check providing the
username and password.

At this point the server will authenticate, and if valid, will send 302 (redirect) with the
URL as the page that was originally requested.

The Java client should now repeat the original post request.

Hope this is clear.


--- On Wed, 1/25/12, Pid <pid@pidster.com> wrote:

> From: Pid <pid@pidster.com>
> Subject: Re: not able to access URL in 2nd app in 7.0.23
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Wednesday, January 25, 2012, 2:59 PM
> On 25/01/2012 22:03, removeps-code@yahoo.com
> wrote:
> >> So, you're saying that the method value 'POST' is not
> >> preserved after successful authentication and appears to be
> >> converted to a 'GET'?
> >
> > No, what I said is that my original request to https://mydomain/myapp/action.do is
> > a POST request, and the web.xml says to send me the login-config page and
> > this request used to be POST in 7.0.22 and is GET in
> > 7.0.23.  After successful authentication the user must
> > resubmit the original POST request because this does not
> > happen automatically.
> 
> I don't understand, what does "and this request used to be
> POST" mean then?
> 
> The login form defines the method used to send the request,
> the browser
> sends it, not Tomcat.
> 
> When Tomcat receives an unauthenticated request for a
> protected resource
> it intercepts and saves that request, then forwards to the
> resource
> defined in the login config.
> 
> If the login form action is successful, the previous
> request is restored
> and executed.  So I asked if the request is not being
> restored properly...
> 
> So either you're telling us that there's a bug in Tomcat,
> or you're
> telling us something else and I don't know what that is.
> 
> Can you reproduce the error using a clean & simple
> application config?
> 
> 
> p
> 
> 
> > --- On Wed, 1/25/12, Pid <pid@pidster.com>
> wrote:
> > 
> >> From: Pid <pid@pidster.com>
> >> Subject: Re: not able to access URL in 2nd app in
> 7.0.23
> >> To: "Tomcat Users List" <users@tomcat.apache.org>
> >> Date: Wednesday, January 25, 2012, 1:24 PM
> >> On 25/01/2012 18:35, removeps-code@yahoo.com
> >> wrote:
> >>> OK here's what I tried:  I removed
> https.  A
> >> request through Firefox to http://localhost:6144/myapp/folder/action.do still
> >> gives 404.  I overrode doGet of the servlet
> class to
> >> print whether get/post and the
> request.getRequestURI and it
> >> is
> >>>
> >>> get /myapp/folder/action.do
> >>>
> >>> This is the same as before.  My servlet
> has code
> >> like this
> >>>
> >>>        if
> >> (uri.equals("/myapp/folder/action.do"))
> >>>
> >>> in the doPost method so it would process this
> action.
> >>>
> >>> So the problem has to do with https.  I
> put the
> >> security-constraint stuff back in but removed the
> >> auth-constraint, so everything is https but
> requires no
> >> authentication.  What gets printed when you
> go to https://localhost:6143/myapp/folder/action.do is still
> >>>
> >>> get /myapp/folder/action.do
> >>>
> >>> So the issue is with the auth-constraint.
> >>>
> >>> In my real code, my code makes a POST request
> to the
> >> given URL.  I re-ran this test:
> >>>
> >>> So now it looks like the issue is this:
> >>>
> >>> (a) In 7.0.22 and earlier versions my code
> made a POST
> >> request to https://localhost:6143/myapp/folder/action.do.
> >>> (b) Tomcat made a POST request to the login
> page https://localhost:6143/myapp/login.html
> >>> (c) My servlet got called, and the doPost
> method of
> >> the servlet got called.
> >>>
> >>> But in 7.0.23 (b) Tomcat is making a GET
> request to https://localhost:6143/myapp/login.html
> >>>
> >>> Thus I must move/copy my code in doPost to
> build
> >> login.html into doGet.
> >>>
> >>> This did work.
> >>
> >> So, you're saying that the method value 'POST' is
> not
> >> preserved after
> >> successful authentication and appears to be
> converted to a
> >> 'GET'?
> >>
> >>
> >> p
> >>
> >>> --- On Wed, 1/25/12, removeps-code@yahoo.com
> >> <removeps-code@yahoo.com>
> >> wrote:
> >>>
> >>>> From: removeps-code@yahoo.com
> >> <removeps-code@yahoo.com>
> >>>> Subject: Re: not able to access URL in 2nd
> app in
> >> 7.0.23
> >>>> To: "Tomcat Users List" <users@tomcat.apache.org>
> >>>> Date: Wednesday, January 25, 2012, 9:10
> AM
> >>>> Replies in place
> >>>>
> >>>> --- On Wed, 1/25/12, Pid <pid@pidster.com>
> >>>> wrote:
> >>>>
> >>>>> From: Pid <pid@pidster.com>
> >>>>> Subject: Re: not able to access URL in
> 2nd app
> >> in
> >>>> 7.0.23
> >>>>> To: "Tomcat Users List" <users@tomcat.apache.org>
> >>>>> Date: Wednesday, January 25, 2012,
> 12:55 AM
> >>>>> On 25/01/2012 02:49, removeps-code@yahoo.com
> >>>>> wrote:
> >>>>>> In my webapps folder there are
> two
> >> folders:
> >>>> ROOT,
> >>>>> myapp.  ROOT is the default app.
> >>>>>>
> >>>>>> In myapp/WEB-INF/web.xml there is
> >>>>>>
> >>>>>>    <servlet>
> >>>>>>        <servlet-name>MyServlet</servlet-name>
> >>>>>>        <servlet-class>package.MyServlet</servlet-class>
> >>>>>>        <load-on-startup>1</load-on-startup>
> >>>>>>    </servlet>
> >>>>>>    <servlet-mapping>
> >>>>>>        <servlet-name>MyServlet</servlet-name>
> >>>>>>        <url-pattern>/folder/action.do</url-pattern>
> >>>>>>    </servlet-mapping>
> >>>>>>
> >>>>>> When I go to http://host/myapp/folder/action.do in Tomcat 7.0.22 it
> >>>>>> invokes myapp, MyServlet.  Even some versions of Tomcat
> >>>>>> 6.x did this.
> >>>>>>
> >>>>>> But in Tomcat 7.0.23 it generates
> 404 page
> >> not
> >>>> found.
> >>>>>>
> >>>>>> Any idea what I can do?
> >>>>>
> >>>>> What do the log files report, during
> >> application
> >>>> startup
> >>>>> and when you
> >>>>> try to access the page?
> >>>>
> >>>> During startup I see
> >>>>
> >>>> INFO: Deploying web application directory
> >>>>
> >>
> /home/myusername/jvm/apache-tomcat-7.0.23/domains/mydomain/myapp
> >>>>
> >>>> When going to the page, no logs are
> generated. 
> >>>> However I put a System.out.println
> statement in
> >> the default
> >>>> servlet of myapp to print the
> getRequestURI() and
> >> find that
> >>>> the following URI is hit
> "/myapp/404.html".
> >>>>
> >>>> The myapp/WEB-INF/web.xml has
> >>>>
> >>>>    <error-page>
> >>>>        <error-code>404</error-code>
> >>>>        <location>/404.html</location>
> >>>>    </error-page>
> >>>>
> >>>> So this means that the myapp servlet is
> invoked,
> >> which is a
> >>>> good thing.  But the URL I went to is
> https://mydomain/myapp/folder/action.do.
> >>>>
> >>>> The servlet that is supposed to handle
> >> /folder/action.do is
> >>>> not invoked.
> >>>>
> >>>> Nor should it be invoked.  There is
> an https
> >> security
> >>>> constraint in myapp/WEB-INF/web.xml to
> direct the
> >> user to
> >>>> myapp/login.html.  This page is
> generated by
> >> the
> >>>> default servlet as well.
> >>>>
> >>>> So I will try two things.  First,
> remove the
> >> https to
> >>>> see if it works.  Second, change the
> >> url-mapping from
> >>>> an exact match like
> "/myapps/folder/action.do" to
> >>>> "*.action.do"
> >>>>   
> >>>>>
> >>>>> p
> >>>>>
> >>>>>> I'm gonna check if it works in
> 7.0.25.
> >>>>
> >>>> FYI, it does not work in 7.0.25 either.
> >>>>
> >>>>
> >>
> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> >> -- 
> >>
> >> [key:62590808]
> >>
> >>
> > 
> > 
> 
> 
> -- 
> 
> [key:62590808]
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
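
The client flow described in this message (POST to the protected URL, recognise the login page, POST to j_security_check with the session cookie, then repeat the original POST after the 302), as an added example that is not code from the thread. It assumes plain HTTP on loopback instead of the https://localhost:6143 endpoint, and the in-process stub server, the `demo` account, the `item=42` body and the class name are all constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import static java.nio.charset.StandardCharsets.UTF_8;
public class FormLoginClient {  // needs Java 16+ (records)
    record Resp(int code, String location, String setCookie, String body) {}
    static final String CREDS = "j_username=demo&j_password=demo-pass";  // constructed account
    // POST once; redirects are not followed and the session cookie is passed explicitly.
    static Resp post(URI url, String cookie, String form) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.toURL().openConnection();
        c.setInstanceFollowRedirects(false);
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        if (cookie != null) c.setRequestProperty("Cookie", cookie);
        c.getOutputStream().write(form.getBytes(UTF_8));
        return new Resp(c.getResponseCode(), c.getHeaderField("Location"),
                c.getHeaderField("Set-Cookie"), new String(c.getInputStream().readAllBytes(), UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the container's FORM login, so the flow runs on loopback.
        boolean[] authed = {false};
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        srv.createContext("/myapp/", ex -> {
            String in = new String(ex.getRequestBody().readAllBytes(), UTF_8), out = "<form action='j_security_check'>";
            boolean session = "JSESSIONID=constructed".equals(ex.getRequestHeaders().getFirst("Cookie"));
            if (session && ex.getRequestURI().getPath().endsWith("/j_security_check") && in.equals(CREDS)) {
                authed[0] = true; out = "redirect";
                ex.getResponseHeaders().add("Location", "/myapp/folder/action.do");
            } else if (session && authed[0]) out = "action.do received POST " + in;
            else ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=constructed; Path=/myapp");
            ex.sendResponseHeaders(out.equals("redirect") ? 302 : 200, out.length());
            try (var body = ex.getResponseBody()) { body.write(out.getBytes(UTF_8)); }
        });
        srv.start();
        URI target = URI.create("http://127.0.0.1:" + srv.getAddress().getPort() + "/myapp/folder/action.do");
        String form = "item=42";  // constructed request body
        Resp login = post(target, null, form);  // answered with the login page, not action.do
        if (login.code() != 200 || !login.body().contains("j_security_check"))
            throw new IllegalStateException("expected the login page");
        String cookie = login.setCookie().split(";", 2)[0];  // keep name=value only
        Resp auth = post(target.resolve("/myapp/j_security_check"), cookie, CREDS);
        if (auth.setCookie() != null) cookie = auth.setCookie().split(";", 2)[0];  // id rotated at login
        // Repeat the POST only when the 302 points back at the URL originally requested.
        if (auth.code() != 302 || auth.location() == null || !target.resolve(auth.location()).equals(target))
            throw new IllegalStateException("login rejected or unexpected redirect target");
        System.out.println(post(target, cookie, form).body());
        srv.stop(0);
    }
}
```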

