0 Replies Latest reply on Oct 20, 2003 3:41 PM by tlt_bah

    HTTP 400 Error with login auth

    tlt_bah

      Using JBoss 3.2.1 and Tomcat 4.1.24

      We have configured our index.jsp to do a META refresh to a protected index page "/app/index.do". The login configuration is specified in web.xml as the following:

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>app</realm-name>
        <form-login-config>
          <form-login-page>/login.htm</form-login-page>
          <form-error-page>/loginError.htm</form-error-page>
        </form-login-config>
      </login-config>

      so that when you hit the base URL of the app, the browser opens the protected resource URL, then gets redirected to login.htm. Then the user can log in with username and password, the login page form goes to the j_security_check URL, they get authenticated, and they hit the protected resource index URL. So far, so good.

      The problem comes when the user puts in that initial URL, gets the login page, and bookmarks it. The bookmark is the login.htm page. When the user comes back to the login.htm page the next day, they have bypassed the index.jsp and the protected resource. So when they attempt to log in, Tomcat (I think) generates the following error: "HTTP Status 400 - Invalid direct reference to form login page".

      I've tried three workaround strategies, without success.

      1) Add a specification for an error page for error 400 in the web.xml file.

      I added the following spec to the web.xml file:

      <error-page>
        <error-code>400</error-code>
        <location>/index.jsp</location>
      </error-page>

      This had the effect of redirecting the user back to the login page. A second login attempt was successful, as might be expected. It appears that the initial attempt to login bypasses container authentication.

      Then I modified the XML tag to the following protected resource URL:

      <error-page>
        <error-code>400</error-code>
        <location>/app/index.do</location>
      </error-page>

      After doing this, a first login attempt did in fact reach the protected resource page, but a call to request.getUserPrincipal() returned null. This suggests that the container authentication was bypassed completely.

      2) Convert login.htm to login.jsp, and add some code to the top to check for the referring page in the request header

      I undid the previous changes, changed configuration to use login.jsp, and added the following scriptlet to the top of the JSP:

      <%
        // No Referer means the login page was reached directly (e.g. from a bookmark)
        if (request.getHeader("Referer") == null) {
          response.sendRedirect("index.jsp");
          return; // stop rendering the page after issuing the redirect
        }
      %>

      This had the effect of sending the browser into an endless redirect loop. It appears that the container authentication code doesn't pass along a referring URL in the HTTP header when directing out of a protected resource into the login page.

      3) Changing index.jsp to use a response.sendRedirect() instead of a META tag to get to the protected resource page

      This sent the browser directly from login.jsp to index.jsp to the protected resource, and again request.getUserPrincipal() returned null, because no container authentication had been performed.

      So now I am at my wit's end, and I am fresh out of ideas. Any suggestions would be appreciated.
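The following servlet filter is an added example, not code from the original post or from JBoss/Tomcat. It illustrates the alternative to workaround 2 above: instead of using the Referer header (which is absent on the container's internal forward to the login page, hence the redirect loop) it relies on the Servlet 2.3 rule that filters are applied only to direct client requests, not to container forwards. Mapped to the login page URL, it therefore fires only when a browser loads the login page directly, and in that case sends the user to the protected entry point so the container performs its own FORM login flow and records the original request before the form is ever submitted. The class name, the init-param name `entryPoint`, and the default path `/app/index.do` (taken from the post) are assumptions for illustration.

```java
// Added example (not from the original post). Uses the Servlet 2.3 API
// (javax.servlet.*) shipped with JBoss 3.2.1 / Tomcat 4.1.24.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Guards the FORM login page against direct (bookmarked) access.
 *
 * web.xml wiring (hypothetical names, add to the existing deployment descriptor):
 *
 *   <filter>
 *     <filter-name>loginPageGuard</filter-name>
 *     <filter-class>LoginPageGuardFilter</filter-class>
 *     <init-param>
 *       <param-name>entryPoint</param-name>
 *       <param-value>/app/index.do</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loginPageGuard</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *   </filter-mapping>
 *
 * Assumption: the container invokes this filter only for requests that come
 * straight from the client, not for its own RequestDispatcher.forward() to the
 * login page during FORM authentication (Servlet 2.3 behaviour).
 */
public class LoginPageGuardFilter implements Filter {

    /** Context-relative path of a protected resource; default taken from the post. */
    private String entryPoint = "/app/index.do";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("entryPoint");
        if (configured != null && configured.length() > 0) {
            entryPoint = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Reaching this point means a browser requested the login page directly.
        // Whether the user is already authenticated (bookmark reused after login)
        // or not (no saved request in the session, so j_security_check would answer
        // "HTTP Status 400 - Invalid direct reference to form login page"), the
        // correct destination is the protected entry point: the container then saves
        // the request, forwards to the login page itself and, after a successful
        // login, populates request.getUserPrincipal() for the protected resource.
        String target = request.getContextPath() + entryPoint;
        response.sendRedirect(response.encodeRedirectURL(target));
        // chain.doFilter() is deliberately not called: the page is not rendered.
    }

    public void destroy() {
        // nothing to release
    }
}
```

One caveat worth checking before relying on this: if the container in use does apply filters to its internal forward (a behaviour some early Tomcat 4.0 builds had), the redirect would fire on every display of the login page and reproduce the loop seen in workaround 2. A quick test is to load the base URL of the app, confirm the login page renders once, and then load /login.jsp directly and confirm a single 302 to the protected entry point followed by the login page.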