tomcat-users mailing list archives

From Jerry Malcolm
Subject request.login() not persistent
Date Wed, 04 Apr 2012 21:31:25 GMT
I am using TC 7.0 on a couple of servers.  I have id/pw fields and a
'login' button at the top of all guest pages on my site.  If the user
clicks the login, it goes to a guest page that does the request.login()
method call and then redirects to a protected page.  If the login fails,
the normal j_security login form stuff kicks in on the protected page and
the user logs in the old way.

OK, this worked on one server for several months.  It never worked on the
other server.  On that server, the request.login() succeeded according to
the logs.  But when it redirected to the protected page, the j_security
login form would appear.  I could log in from there and everything was

Then a couple of weeks ago, the server that was working just started doing
the same thing.  So now, the request.login() is useless.

I am looking at the logs.  The request.login() succeeded.  And the
request.getUserPrincipal() is correct after the login on that page.
But as soon as I redirect to another page, the userPrincipal is now null.

I'm not saying I didn't have some configuration something wrong somewhere
on one of the servers and now it's wrong on both. But I'm totally baffled.
I have no clue what could be going wrong.  I'm not invalidating the session
or doing a request.logoff().  The sessionId is the same on the login page
and the subsequent redirect page.  And again, if I now login using the
j_security form on the redirected target page, I'm logged in for the
duration.  So it's nothing like an invalid id/pw or anything (and it fails
the same on all id/pws).

My first question... am I totally wrong on my philosophy for using the
request.login() method and redirecting to a protected page once logged in?
It did work for months.  So I assume that's not a fundamental design

If the design is ok, what's happening?  The log shows I'm logged in at the
end of one page that had the request.login() and then I'm not logged in at
the beginning of the redirect target page.

Any suggestions for what to try? How can I debug this?

