Problems with j_security_check using Tomcat 4.
s98dance Nov 24, 2001 5:01 PM
I have two problems with the j_security_check action that I use in my login page.
The first is about when a user tries to access a protected page but doesn't have the rights to do that.
1. The user types in a wrong user name or password and then it will send him to the error page.
If he gets back to the login page and types the right user name and password he will get into the
protected site that he had access to.
If he tries again and types in the right user name and password he will get into the
protected site that he had access to, and so that's working fine but...
2. ..if a user who has access to some sites but not to the one he wants to get into, it will
send him an "Apache Tomcat/4.0.1 - HTTP Status 403 - Access to the requested resource has
been denied" page. Now if he gets back to the login page and tries with an accessible user name and password
to the same page it will send him an "Apache Tomcat/4.0.1 - HTTP Status 404 - /j_security_check" page
with the description: "The requested resource (/j_security_check) is not available".
Is this a bug in Tomcat 4 or is there a way to fix that problem?
My other problem is about that "Access to the requested resource has been denied" page.
I want the user to be sent to my error page instead of that HTTP Status 403 page. If I could
do that maybe my other problem would be fixed also. Check my code:
login.jsp page
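Login Page
<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
Username: <input type="text" name="j_username">
Password: <input type="password" name="j_password">
<input type="submit">
</form>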
--------------------------------------------------------------------------------
error.jsp page
Error Page
Invalid username and/or password, please try
<a href='<%= response.encodeURL("login.jsp") %>'>again</a>.
-------------------------------------------------------------------------------
my security site code:
<%
  // Log the user off when the "logoff" parameter is present
  if (request.getParameter("logoff") != null) {
    session.invalidate();
    response.sendRedirect("article.jsp");
    return;
  }
%>
<a href='<%= response.encodeURL("article.jsp?logoff=true")%>'>LOGOFF</a>
--------------------------------------------------------------------------------
web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/transport/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trans</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Example Security</display-name>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/supplier/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>supp</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Example Security</display-name>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/customer/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cust</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
It would be so great if someone could help me.
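
The two cases described in the post, as an added example that is not part of the original post: a simplified Python model of how a servlet container decides between the login page, the form-error-page and a 403 for the constraints in the posted web.xml. It assumes only `/dir/*` URL patterns; the helper names and the path `/transport/list.jsp` are made up for illustration.

```python
import xml.etree.ElementTree as ET

METHODS = "".join(f"<http-method>{m}</http-method>" for m in ("DELETE", "GET", "POST", "PUT"))

def constraint(pattern, *roles):
    """Build one <security-constraint> shaped like those in the posted web.xml."""
    names = "".join(f"<role-name>{r}</role-name>" for r in roles)
    return ("<security-constraint><web-resource-collection>"
            f"<url-pattern>{pattern}</url-pattern>{METHODS}</web-resource-collection>"
            f"<auth-constraint>{names}</auth-constraint></security-constraint>")

# Same URL patterns, methods and roles as the web.xml in the post.
WEB_XML = ("<web-app>" + constraint("/transport/*", "trans", "admin")
           + constraint("/supplier/*", "supp", "admin")
           + constraint("/customer/*", "cust", "admin") + "</web-app>")

def load_constraints(xml_text):
    """Return (url-pattern, methods, roles) for every security-constraint."""
    found = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        methods = {m.text for m in sc.iter("http-method")}
        roles = {r.text for r in sc.iter("role-name")}
        found += [(p.text, methods, roles) for p in sc.iter("url-pattern")]
    return found

def decide(constraints, path, method, user_roles=None):
    """Outcome for a request; user_roles=None means nobody is logged in."""
    for pattern, methods, roles in constraints:
        prefix = pattern[:-2]  # assumption: only "/dir/*" patterns, as in the post
        matches = path == prefix or path.startswith(prefix + "/")
        # A constraint that lists http-methods covers only the listed ones.
        if not matches or (methods and method not in methods):
            continue
        if user_roles is None:
            return "login-page"   # container shows form-login-page
        return "allow" if roles & set(user_roles) else "403"
    return "unconstrained"

def submit_login(constraints, path, method, credentials_ok, user_roles):
    """Outcome of posting the login form for the originally requested path."""
    if not credentials_ok:
        return "form-error-page"  # authentication failed (case 1 in the post)
    # Authenticated: the role check decides, so a missing role gives 403 (case 2).
    return decide(constraints, path, method, user_roles)

if __name__ == "__main__":
    rules = load_constraints(WEB_XML)
    # "/transport/list.jsp" is a made-up path for illustration.
    print(submit_login(rules, "/transport/list.jsp", "GET", True, ["supp"]))
```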