«

Greetings,
I was wondering if anyone found a workaround the following mystery.
I have a tomcat ver. 5-24 that uses realm authentication.

I use form authentication, which, by the way, work great. Below is the
snip from my web.xml file

<security-constraint>
<web-resource-collection>
<web-resource-name>User Section</web-resource-name>
<description>no description</description>
<url-pattern>/protected/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>no description</description>
<role-name>tomcat</role-name>
</auth-constraint>
<user-data-constraint>
<description>no description</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>


<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp?error=true</form-error-page>
</form-login-config>
</login-config>


when i try to access any files in the protected directory i am
redirected to
login.jsp, as expected. the IE location bar says
http://xxx.xxx.xxx.xxx/login.jsp
when i enter incorrect name/password i am redirected back to login.jsp
with querystring error=true. so the above configuration works.
But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
confusing to users.

Any help is appreciated.

Rus

"Rusty Bawa" <> wrote in message
news: om...
> But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
> is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
> instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
> confusing to users.
>
This is a browser thing and a source of continual headaches to web
developers. Consider Struts where everything is (should be) done by an
action. Suppose you want to add a user or something. What do you do? Fill
out the form, click submit, and what's in the address bar? The add action.
So if you hit refresh, it'll try to add again. Of course Struts has a method
to prevent things like this, but the short answer to your question (too
late, huh?) is not without writing an intermediate page that will redirect
you to your login page.

I have a question for you, though. I've recently been experimenting with
container managed security, and have hit a problem. I notice you don't seem
to be using SSL for your login form. Have you tried it? I'm using Tomcat
4.1.30 with SSL. Basic authentication works fine, but when I try form based
auth, it uses secure protocol, but on the wrong port. It tries to access
https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
should be trying 8081, which I set as the secure port. Have you run into
this? I can't figure out what's wrong.

I do not know how, but this can be done.
Check www.vectrics.com
going to http://www.vectrics.com/recruit/profile requires
authentication so you are forwarded to
http://www.vectrics.com/recruit/util/login.do
Hit sign in button and check the location bar.

Again I do not know who this is done.



"Ryan Stewart" <> wrote in message news:<wNudnYPKdbFc_iPdRVn->...
> "Rusty Bawa" <> wrote in message
> news: om...
> > But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
> > is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
> > instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
> > confusing to users.
> >
> This is a browser thing and a source of continual headaches to web
> developers. Consider Struts where everything is (should be) done by an
> action. Suppose you want to add a user or something. What do you do? Fill
> out the form, click submit, and what's in the address bar? The add action.
> So if you hit refresh, it'll try to add again. Of course Struts has a method
> to prevent things like this, but the short answer to your question (too
> late, huh?) is not without writing an intermediate page that will redirect
> you to your login page.
>
> I have a question for you, though. I've recently been experimenting with
> container managed security, and have hit a problem. I notice you don't seem
> to be using SSL for your login form. Have you tried it? I'm using Tomcat
> 4.1.30 with SSL. Basic authentication works fine, but when I try form based
> auth, it uses secure protocol, but on the wrong port. It tries to access
> https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
> should be trying 8081, which I set as the secure port. Have you run into
> this? I can't figure out what's wrong.

Ryan Stewart <> wrote:
[...]
> I've recently been experimenting with
> container managed security, and have hit a problem. I notice you don't seem
> to be using SSL for your login form. Have you tried it? I'm using Tomcat
> 4.1.30 with SSL. Basic authentication works fine, but when I try form based
> auth, it uses secure protocol, but on the wrong port. It tries to access
> https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
> should be trying 8081, which I set as the secure port. Have you run into
> this? I can't figure out what's wrong.

Assuming that both connectors are configured, does the connector for port
8080 know that the secure port is 8081? I forgot that one once...


Oscar

--
Oscar Kind http://home.hccnet.nl/okind/
Software Developer for contact information, see website

PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2

"Oscar kind" <> wrote in message
news:ujc7p1-...
> Ryan Stewart <> wrote:
> [...]
> > I've recently been experimenting with
> > container managed security, and have hit a problem. I notice you don't
seem
> > to be using SSL for your login form. Have you tried it? I'm using Tomcat
> > 4.1.30 with SSL. Basic authentication works fine, but when I try form
based
> > auth, it uses secure protocol, but on the wrong port. It tries to access
> > https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port.
It
> > should be trying 8081, which I set as the secure port. Have you run into
> > this? I can't figure out what's wrong.
>
> Assuming that both connectors are configured, does the connector for port
> 8080 know that the secure port is 8081? I forgot that one once...
>
>
> Oscar
>
Snippet from my connectors:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnect or" ...
port="8080" ... redirectPort="8081" scheme="http" secure="false" ...>
<Factory
className="org.apache.catalina.net.DefaultServerSo cketFactory"/>
</Connector>
<Connector className="org.apache.coyote.tomcat4.CoyoteConnect or" ...
port="8009" ... redirectPort="8081" scheme="http" secure="false" ... >
<Factory
className="org.apache.catalina.net.DefaultServerSo cketFactory"/>
</Connector>
<Connector className="org.apache.catalina.connector.http.Http Connector"
port="8081" ... scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocket Factory"
clientAuth="false" keystoreFile=".keystore" protocol="TLS"/>
</Connector>

Isn't that all the important stuff? This is the same problem that you
replied to about a week ago under subject: "J2EE container managed
security". If you recall from that post, other redirects work fine from the
nonsecure to the secure port, but when I try to use form-based
authentication with <transport-guarantee>CONFIDENTIAL</transport-guarantee>,
it tries to access the nonsecure port with https. Unless I'm mistaken, it's
*supposed* to go to the secure port for the login. It only makes sense for
it to. It just seems like it only makes it halfway there. I've even
downloaded some example code of form-based authentication. One was a
complete webapp. But all of the examples I see don't use a
transport-guarantee or use NONE, and when I plug in CONFIDENTIAL, it causes
this problem.