302 inconsistency between JBoss 2.4.4 and JBoss 3.2
ibutcher Nov 21, 2003 9:48 AM
Hi,
I am assessing how much work it would be to move from my comfortable and stable 2.4 container up to 3.2 and I've found some weirdness in the web container.
Below are two http traces (I can't seem to attach them), one from 2.4.4 (with tomcat 3.2) and the other from 3.2.0 (I've tried it with 3.2.2 and had the same results). Basically it looks like the 302 that is being sent from Jetty is broken.
The behaviour that works in 2.4.4 and that I would expect to work in 3.2 is this:
1. user tries to go to the URL /pds/ui and they are redirected (302) to the index.jsp.
2. index.jsp is protected so the container sends a 302 to the login form (form based auth).
3. browser loads the page by issuing some GETs.
4. user enters their user id and password (POST).
5. browser now goes to index.jsp.
I have also put the relevant web.xml at the end of this post in case that helps.
Any thoughts on whether I am at fault here and 2.4 was just helping me out or whether there is a problem in 3.2 would be appreciated.
Regards,
Ian.
JBoss 2.4.4
=================
Browser --> JBoss
GET /pds/ui HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
Browser <-- JBoss
HTTP/1.0 302 Found
Content-Type: text/html
Location: http://localhost:8080/pds/ui/index.jsp
Content-Length: 171
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1.4.2_02; Windows XP 5.1 x86; java.vendor=Sun Microsystems Inc.)
Document moved
<h1>Document moved</h1>
This document has moved here.
Browser --> JBoss
GET /pds/ui/index.jsp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
Browser <-- JBoss
HTTP/1.0 302 Found
Content-Type: text/html
Location: http://localhost:8080/pds/login/login.html
Content-Length: 175
Set-Cookie2: JSESSIONID=vbxvruvnv1;Version=1;Discard;Path="/pds"
Set-Cookie: JSESSIONID=vbxvruvnv1;Path=/pds
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1.4.2_02; Windows XP 5.1 x86; java.vendor=Sun Microsystems Inc.)
Document moved
<h1>Document moved</h1>
This document has moved here.
Browser --> JBoss
GET /pds/login/login.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
If-Modified-Since: Thu, 16 Oct 2003 13:56:26 GMT; length=2867
Cookie: JSESSIONID=vbxvruvnv1
Browser <-- JBoss
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 2867
Last-Modified: Thu, 16 Oct 02003 13:56:26 GMT
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1.4.2_02; Windows XP 5.1 x86; java.vendor=Sun Microsystems Inc.)
...
...
Browser --> JBoss
GET /pds/image/logo.gif HTTP/1.1
Accept: */*
Referer: http://localhost:8080/pds/login/login.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 25 Jan 2002 15:18:56 GMT; length=2901
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
Cookie: JSESSIONID=vbxvruvnv1
Browser --> JBoss
GET /pds/image/XXX.gif HTTP/1.1
Accept: */*
Referer: http://localhost:8080/pds/login/login.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 13 Dec 2001 19:07:32 GMT; length=77
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
Cookie: JSESSIONID=vbxvruvnv1
Browser --> JBoss
GET /pds/image/YYY.gif HTTP/1.1
Accept: */*
Referer: http://localhost:8080/pds/login/login.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 13 Dec 2001 19:07:32 GMT; length=77
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
Cookie: JSESSIONID=vbxvruvnv1
Browser <-- JBoss
HTTP/1.0 200 OK
Content-Type: image/gif
Content-Length: 2901
Last-Modified: Fri, 25 Jan 02002 15:18:56 GMT
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1.4.2_02; Windows XP 5.1 x86; java.vendor=Sun Microsystems Inc.)
Browser --> JBoss
POST /pds/login/j_security_check HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://localhost:8080/pds/login/login.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Content-Length: 50
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=vbxvruvnv1
j_username=XXXXXXXXX&j_password=XXXXXXXX&Submit=Submit
JBoss 3.2.0
===============
Browser --> JBoss
GET /pds/ui HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
Browser <-- JBoss
HTTP/1.1 302 Moved Temporarily
Date: Wed, 19 Nov 2003 14:23:26 GMT
Server: Jetty/4.2.9 (Windows XP/5.1 x86 java/1.4.2_02)
Location: http://localhost:8080/pds/ui/
Transfer-Encoding: chunked
0
Browser --> JBoss
GET /pds/ui/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8080
Connection: Keep-Alive
Web.xml
============
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- added for jikes support in tomcat -->
  <!--
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>jspCompilerPlugin</param-name>
      <param-value>org.apache.jasper.compiler.JikesJavaCompiler</param-value>
    </init-param>
    <load-on-startup>-2147483646</load-on-startup>
  </servlet>
  -->
  <!-- added for jikes support in tomcat -->
  <!--
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
  -->
  <!-- ### Added JSP Support for JSP Tags -->
  <taglib>
    <taglib-uri>pgstags</taglib-uri>
    <taglib-location>/WEB-INF/lib/pgstags.jar</taglib-location>
  </taglib>
  <!-- ### Added support for Apache's xtags -->
  <taglib>
    <taglib-uri>xtags</taglib-uri>
    <taglib-location>/WEB-INF/lib/taglibs-xtags.tld</taglib-location>
  </taglib>
  <!-- ### Security NOTE As Per DTD there should only be one of these for each ROLE -->
  <security-constraint>
    <!-- ### Specify the WEB Method names that we are securing here -->
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <description>Secure Servlets</description>
      <url-pattern>/ui/administration/*</url-pattern>
      <url-pattern>/ui/application/*</url-pattern>
      <url-pattern>/ui/buttons/*</url-pattern>
      <url-pattern>/ui/command/*</url-pattern>
      <url-pattern>/ui/device/*</url-pattern>
      <url-pattern>/ui/devicetype/*</url-pattern>
      <url-pattern>/ui/error/*</url-pattern>
      <url-pattern>/ui/iconbar/*</url-pattern>
      <url-pattern>/ui/install/*</url-pattern>
      <url-pattern>/ui/logging/*</url-pattern>
      <url-pattern>/ui/navigation/*</url-pattern>
      <url-pattern>/ui/png/*</url-pattern>
      <url-pattern>/ui/popup/*</url-pattern>
      <url-pattern>/ui/patch/*</url-pattern>
      <url-pattern>/ui/status/*</url-pattern>
      <url-pattern>/ui/user/*</url-pattern>
      <url-pattern>/ui/xml/*</url-pattern>
      <!--<url-pattern>@secure-alias@/*</url-pattern>-->
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <!-- ### Define SUPER Role as per ejb-jar descriptors
         Note cannot define multiple roles here -->
    <auth-constraint>
      <role-name>SUPER</role-name>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <!-- <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint> -->
  </security-constraint>
  <!-- ### Security NOTE As Per DTD there should only be one of these for each ROLE -->
  <security-constraint>
    <!-- ### Specify the WEB Method names that we are securing here -->
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <description>Secure Servlets</description>
      <url-pattern>/ui/sipxchange/*</url-pattern>
      <url-pattern>/ui/initialize/*</url-pattern>
      <url-pattern>/ui/profile/*</url-pattern>
      <url-pattern>/ui/popup/*</url-pattern>
      <url-pattern>/ui/script/*</url-pattern>
      <url-pattern>/ui/help/*</url-pattern>
      <url-pattern>/ui/xml/update_configuration_set.jsp</url-pattern>
      <url-pattern>/ui/index.jsp</url-pattern>
      <url-pattern>/ui/welcome.jsp</url-pattern>
      <url-pattern>/ui/frameset.html</url-pattern>
      <!--<url-pattern>@secure-alias@/*</url-pattern>-->
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <!-- ### Define SUPER Role as per ejb-jar descriptors
         Note cannot define multiple roles here -->
    <auth-constraint>
      <role-name>SUPER</role-name>
      <role-name>ADMIN</role-name>
      <role-name>END_USER</role-name>
    </auth-constraint>
    <!-- <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint> -->
  </security-constraint>
  <!-- ### Security for Commserver UI pages -->
  <security-constraint>
    <!-- ### Specify the WEB Method names that we are securing here -->
    <web-resource-collection>
      <web-resource-name>CommserverUI</web-resource-name>
      <description>Secure CommserverUI</description>
      <url-pattern>/commserver/*</url-pattern>
      <!--<url-pattern>@secure-alias@/*</url-pattern>-->
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <!-- ### Define SUPER Role as per ejb-jar descriptors
         Note cannot define multiple roles here -->
    <auth-constraint>
      <role-name>SUPER</role-name>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <!-- <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint> -->
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.html</form-login-page>
      <form-error-page>/login/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>Role Requirements to call Servlets</description>
    <role-name>SUPER</role-name>
  </security-role>
</web-app>
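The difference between the two traces is that Tomcat's first 302 goes straight to /pds/ui/index.jsp (a pattern the descriptor protects), while Jetty's first 302 goes to /pds/ui/ (a directory request that no constraint pattern covers). Whether /pds/ui/ then reaches index.jsp through a second client-visible redirect, which the constraint would catch, or through an internal welcome-file forward, to which the servlet spec's security constraints do not apply, depends on the container, and the posted 3.2.0 trace stops before showing which. The script below is an added example, not code from the post or from JBoss: it replays a trace through the posted descriptor's URL-pattern rules and reports, for each hop, whether any security constraint applies. The trace and web.xml embedded in it are constructed, shortened copies of the posted ones, and the context path /pds is assumed from the URLs. It also surfaces two descriptor-level points a reviewer would flag: listing `<http-method>` elements restricts the constraint to exactly those methods (so OPTIONS and TRACE are unconstrained here), and ADMIN and END_USER are used in auth-constraints but never declared in `<security-role>`.

```python
"""Audit an HTTP redirect trace against web.xml security constraints.

Added example, not from the original post. TRACE_320 and WEB_XML are constructed,
shortened copies of the posted trace and descriptor; CONTEXT_PATH is assumed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CONTEXT_PATH = "/pds"  # assumed from the posted URLs

# Constructed: first two hops of the posted JBoss 3.2.0 trace, headers trimmed.
TRACE_320 = """Browser --> JBoss
GET /pds/ui HTTP/1.1
Host: localhost:8080
Browser <-- JBoss
HTTP/1.1 302 Moved Temporarily
Location: http://localhost:8080/pds/ui/
Transfer-Encoding: chunked
Browser --> JBoss
GET /pds/ui/ HTTP/1.1
Host: localhost:8080
"""

# Constructed: the posted web.xml cut down to two constraints.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/ui/administration/*</url-pattern>
      <url-pattern>/ui/xml/*</url-pattern>
      <http-method>HEAD</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>SUPER</role-name><role-name>ADMIN</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/ui/xml/update_configuration_set.jsp</url-pattern>
      <url-pattern>/ui/index.jsp</url-pattern>
      <http-method>HEAD</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>SUPER</role-name><role-name>END_USER</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>SUPER</role-name></security-role>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: default '/', prefix '/x/*', extension '*.ext', exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def load_constraints(xml_text):
    """One dict per <security-constraint>: its url-patterns, http-methods and role-names."""
    root = ET.fromstring(xml_text)
    return [{"patterns": [p.text.strip() for p in sc.iter("url-pattern")],
             "methods": [m.text.strip() for m in sc.iter("http-method")],
             "roles": [r.text.strip() for r in sc.iter("role-name")]}
            for sc in root.findall("security-constraint")]


def constraints_for(constraints, path, method):
    """Constraints covering this context-relative path and method.
    No <http-method> means every method; listed methods mean ONLY those methods."""
    return [c for c in constraints
            if any(pattern_matches(p, path) for p in c["patterns"])
            and (not c["methods"] or method in c["methods"])]


def undeclared_roles(xml_text):
    """Role names used in <auth-constraint> but missing from <security-role>."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for sr in root.findall("security-role") for r in sr.iter("role-name")}
    used = {r.text.strip() for ac in root.iter("auth-constraint") for r in ac.iter("role-name")}
    return sorted(used - declared)


def parse_trace(text):
    """Split a 'Browser --> / <-- JBoss' trace into hops; status/location stay None if no reply was captured."""
    hops, cur = [], None
    for line in text.splitlines():
        req = re.match(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) (\S+) HTTP/1\.[01]$", line)
        resp = re.match(r"^HTTP/1\.[01] (\d{3})", line)
        if req:
            cur = {"method": req.group(1), "path": req.group(2), "status": None, "location": None}
            hops.append(cur)
        elif cur and resp:
            cur["status"] = int(resp.group(1))
        elif cur and line.lower().startswith("location:"):
            cur["location"] = urlsplit(line.split(":", 1)[1].strip()).path
    return hops


def audit(trace, xml_text, context=CONTEXT_PATH):
    """Per hop: (method, context-relative path, status, redirect target path, constrained?)."""
    constraints = load_constraints(xml_text)
    rows = []
    for h in parse_trace(trace):
        path = h["path"][len(context):] if h["path"].startswith(context) else h["path"]
        covered = bool(constraints_for(constraints, path, h["method"]))
        rows.append((h["method"], path, h["status"], h["location"], covered))
    return rows


if __name__ == "__main__":
    for row in audit(TRACE_320, WEB_XML):
        print(row)
    print("roles used but not declared:", undeclared_roles(WEB_XML))
```

Run against the posted 3.2.0 hops, neither /ui nor /ui/ is covered by any constraint, whereas /ui/index.jsp is; to confirm how the container handles the directory request, capture the response to GET /pds/ui/ and check that it is another 302 (to index.jsp and then to the login page) rather than a 200.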