7 Replies Latest reply on Jun 18, 2003 11:39 AM by mv

    Problems with j_security_check using Tomcat 4.

    s98dance

      I have two problems with the j_security_check action that I use in my login page.
      The first is about when a user tries to access a protected page but doesn't have the rights to do so.
      1. The user types in a wrong user name or password and is then sent to the error page.
      If he gets back to the login page and types the right user name and password he gets into the
      protected site that he has access to.
      If he tries again and types in the right user name and password he gets into the
      protected site that he has access to, so that's working fine but...
      2. ...if a user who has access to some sites but not to the one he wants to get into, it will
      send him an "Apache Tomcat/4.0.1 - HTTP Status 403 - Access to the requested resource has
      been denied" page. Now if he gets back to the login page and tries with a user name and password
      that do have access to the same page, it sends him an "Apache Tomcat/4.0.1 - HTTP Status 404 - /j_security_check" page
      with the description: "The requested resource (/j_security_check) is not available".
      Is this a bug in Tomcat 4 or is there a way to fix that problem?
      My other problem is about that "Access to the requested resource has been denied" page.
      I want the user to be sent to my error page instead of that HTTP Status 403 page. If I could
      do that maybe my other problem would be fixed also. Check my code:

      login.jsp page

      Login Page

      <form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
      Username: <input type="text" name="j_username">
      Password: <input type="password" name="j_password">
      <input type="submit" value="Login">
      </form>

      --------------------------------------------------------------------------------

      error.jsp page

      Error Page

      Invalid username and/or password, please try
      <a href='<%= response.encodeURL("login.jsp") %>'>again.</a>



      -------------------------------------------------------------------------------

      my secured site code:
      <%
      if (request.getParameter("logoff") != null) {
          session.invalidate();
          response.sendRedirect("article.jsp");
          return;
      }
      %>

      <a href='<%= response.encodeURL("article.jsp?logoff=true") %>'>LOGOFF</a>

      --------------------------------------------------------------------------------
      web.xml

      <?xml version="1.0" encoding="ISO-8859-1"?>

      <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">

      <web-app>

      <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/transport/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>trans</role-name>
      <role-name>admin</role-name>
      </auth-constraint>
      </security-constraint>

      <security-constraint>
      <display-name>Example Security</display-name>
      <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/supplier/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>supp</role-name>
      <role-name>admin</role-name>
      </auth-constraint>
      </security-constraint>

      <security-constraint>
      <display-name>Example Security</display-name>
      <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/customer/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>cust</role-name>
      <role-name>admin</role-name>
      </auth-constraint>
      </security-constraint>


      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
      </login-config>

      </web-app>

      It would be so great if someone could help me
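The poster's second problem (getting his own page instead of the container's "HTTP Status 403" page) is covered by the Servlet 2.3 deployment descriptor: an error-page element maps a status code to a resource of the application. This is an added example, not the poster's web.xml; /denied.jsp is an assumed page name.

```xml
<!-- Added example (not from the thread): send 403 responses to the application's own page.
     /denied.jsp is an assumed name. It must NOT lie under any protected url-pattern
     (/transport/*, /supplier/*, /customer/*), otherwise the error page itself would be
     subject to the same auth-constraint. -->
<error-page>
    <error-code>403</error-code>
    <location>/denied.jsp</location>
</error-page>
```

The web-app_2_3.dtd is order-sensitive: error-page goes after welcome-file-list and before the security-constraint elements, or the descriptor fails validation. Since the 403 is returned to an already authenticated session, a useful denied page is one that offers the same logoff link the poster already has in article.jsp, so the user starts over with a fresh session and a fresh request to the protected page.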

        • 1. Re: Problems with j_security_check using Tomcat 4.
          s98dance

          just an elucidation:
          this code
          <%
          if (request.getParameter("logoff") != null) {
              session.invalidate();
              response.sendRedirect("article.jsp");
              return;
          }
          %>
          <a href='<%= response.encodeURL("article.jsp?logoff=true") %>'>LOGOFF</a>
          is some of the code from one of my secured pages, namely article.jsp

          • 2. Re: Problems with j_security_check using Tomcat 4.
            alphafoo

            If you get an answer I'd love to hear it. I seem to be having the same problem with FORM based authentication (using 2.4.3/Tomcat4.0). I have no idea how to proceed from here.

            • 3. Re: Problems with j_security_check using Tomcat 4.
              svaret

              Hi,

              I don't know if this is the same problem (I'm using JBoss 3.2.1 only, i.e. not Tomcat but the built-in servlet container; I don't think that's important in this case though).

              What happens with FORM based authentication is that the action of the login form has to be j_security_check. So, if the client before anything else goes directly to the login page (with the j_security_check action) then the container has no idea where to go from there. But, if accessing a protected page first, the container does have the context: the protected page.

              In my web application, I wanted the user to see page with the login fields first of all, before going to any secured page.

              I found a work-around that works.

              1) My welcome file is named index.jsp and has an automatic redirect to the page that I want the user to see after a successful login. Since that page is located in a secured area the client will be thrown to the page which I defined as the login page in my security definition in the web.xml file.

              2) The user gets the welcome page with the login fields and after a successful login he gets to see the page that the index.jsp in my document root originally redirected to.

              /pages is a secured area within my web app.

              The files (web.xml only in part):

              /index.jsp
              <% response.sendRedirect("pages/inside.html"); %>

              /WEB-INF/web.xml
              <!-- The Usual Welcome File List -->
              <welcome-file-list>
              <welcome-file>/index.jsp</welcome-file>
              </welcome-file-list>

              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Admin pages</web-resource-name>
              <url-pattern>/pages/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              <role-name>admin</role-name>
              </auth-constraint>
              </security-constraint>

              <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
              <form-login-page>/Logon.html</form-login-page>
              <form-error-page>/LogonError.html</form-error-page>
              </form-login-config>
              </login-config>

              <security-role>
              <role-name>admin</role-name>
              </security-role>


              /Logon.html
              <form method="POST" action="j_security_check">
              Username: <input type="text" name="j_username">
              Password: <input type="password" name="j_password">
              <input type="submit" value="Logon">
              </form>

              -------------------------------------------------------------

              Hope it helps... and is there another way of doing this better I'd be glad to know.

              Best regards

              Lasse
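The explanation above (the container only knows where to go after j_security_check if a request to a protected page was saved first) accounts for both sequences in the original post. The following is an added toy model of that flow, not code from the thread, Tomcat or JBoss; it uses the poster's three url-patterns and roles, while the accounts, passwords and page names are constructed for the example.

```python
# Added example: a simplified model of a Servlet 2.3 container's FORM login flow.
# Users, passwords and page names below are constructed; url-patterns and roles
# mirror the web.xml in the original post.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

USERS: Dict[str, tuple] = {                 # constructed accounts: name -> (password, roles)
    "alice": ("alice-pw", {"trans"}),       # may see /transport/* only
    "bob": ("bob-pw", {"admin"}),           # admin appears in every auth-constraint
}
CONSTRAINTS: Dict[str, Set[str]] = {        # url-pattern prefix -> roles allowed
    "/transport/": {"trans", "admin"},
    "/supplier/": {"supp", "admin"},
    "/customer/": {"cust", "admin"},
}
LOGIN_PAGE = "/login.jsp"   # form-login-page
ERROR_PAGE = "/error.jsp"   # form-error-page


@dataclass
class Session:
    principal: Optional[str] = None
    roles: Set[str] = field(default_factory=set)
    saved_request: Optional[str] = None   # the URL that triggered the login form


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # Location header on a 302
    served: Optional[str] = None     # resource whose body was rendered


def roles_required(path: str) -> Optional[Set[str]]:
    """Roles of the matching auth-constraint, or None if the path is unconstrained."""
    for prefix, roles in CONSTRAINTS.items():
        if path.startswith(prefix):
            return roles
    return None


def request(sess: Session, path: str, form: Optional[Dict[str, str]] = None) -> Response:
    """Handle one request the way the container's authenticator would."""
    if path == "/j_security_check":
        return security_check(sess, form or {})
    required = roles_required(path)
    if required is None:
        return Response(200, served=path)
    if sess.principal is None:
        sess.saved_request = path                 # remember where to return after login
        return Response(302, location=LOGIN_PAGE)
    if sess.roles & required:
        return Response(200, served=path)
    return Response(403)                          # authenticated, but lacking every listed role


def security_check(sess: Session, form: Dict[str, str]) -> Response:
    if sess.saved_request is None:
        return Response(404)                      # nothing to return to: the symptom in the thread
    creds = USERS.get(form.get("j_username", ""))
    if creds is None or creds[0] != form.get("j_password"):
        return Response(200, served=ERROR_PAGE)   # saved request is kept, so a retry still works
    sess.principal = form["j_username"]
    sess.roles = set(creds[1])
    target, sess.saved_request = sess.saved_request, None
    return Response(302, location=target)


def wrong_password_then_retry() -> list:
    """Case 1 of the post: wrong password, then the right one; the retry succeeds."""
    s = Session()
    steps = [request(s, "/transport/list.jsp"),
             request(s, "/j_security_check", {"j_username": "alice", "j_password": "nope"}),
             request(s, "/j_security_check", {"j_username": "alice", "j_password": "alice-pw"}),
             request(s, "/transport/list.jsp")]
    return [r.status for r in steps]


def wrong_role_then_relogin() -> list:
    """Case 2 of the post: 403 for a user without the role, then 404 from
    j_security_check because the saved request was already consumed."""
    s = Session()
    steps = [request(s, "/supplier/orders.jsp"),
             request(s, "/j_security_check", {"j_username": "alice", "j_password": "alice-pw"}),
             request(s, "/supplier/orders.jsp"),
             request(s, "/j_security_check", {"j_username": "bob", "j_password": "bob-pw"})]
    return [r.status for r in steps]


def logoff_then_relogin() -> list:
    """Recovery: session.invalidate() (the poster's logoff code), then request the
    protected page again so the container saves a fresh request before the login."""
    s = Session()
    steps = [request(s, "/supplier/orders.jsp"),
             request(s, "/j_security_check", {"j_username": "bob", "j_password": "bob-pw"}),
             request(s, "/supplier/orders.jsp")]
    return [r.status for r in steps]


if __name__ == "__main__":
    print(wrong_password_then_retry())   # [302, 200, 302, 200]
    print(wrong_role_then_relogin())     # [302, 302, 403, 404]
    print(logoff_then_relogin())         # [302, 302, 200]
```

The model shows why the 403 case is not fixable from the login page alone: the session is already authenticated, the saved request has been consumed on the first successful login, and a second POST to j_security_check has no target. Invalidating the session and requesting the protected page again, or (as in the work-around above) entering through a redirect into the secured area, is what gives the container a context.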

              • 4. Re: Problems with j_security_check using Tomcat 4.
                svaret

                Oops, saw that this thread's last post is some 1 1/2 years old. Well well..

                • 5. Re: Problems with j_security_check using Tomcat 4.
                  pgmjsd

                  > What happens with FORM based authentication is
                  > that the action of the login form has to be
                  > j_security_check. So, if the client before anything
                  > else goes directly to the login page (with the
                  > j_security_check action) then the container has no
                  > idea where to go from there. But, if accessing a
                  > protected page first the container do have the
                  > context, the protected page.

                  That's the best explanation I've heard to date. So, basically you are saying that the login page (specified by the login-page tag in web.xml) should not be forwarded to or referenced directly by any other page in the system. This makes sense because how else would the web container know where to go after a successful login? It's annoying that the 'j_security_check' action (a Servlet?) doesn't show some type of warning or error.

                  • 6. Re: Problems with j_security_check using Tomcat 4.
                    svaret

                    That's right. Don't reference the login page before you have a context, which is achieved by trying to access a secured page.

                    It would also be convenient if it was possible to pass a parameter to j_security_check which would tell the container where to go next, i.e. after a successful login.

                    Regards

                    Lasse

                    • 7. Re: Problems with j_security_check using Tomcat 4.
                      mv

                      I've done exactly the workaround that you describe, however it seems to have another problem. If someone bookmarks the login page (which is very common), everything works fine when they login using the bookmark. I'm not sure why it works and finds a context when the client uses the bookmark, but it does. Something gets remembered from the session cookie.

                      However, when the application gets redeployed or jboss is restarted, the login stops working. In fact jboss can get very confused. The only way I can unconfuse it is to manually point my client to a secure page. Pointing to index.jsp, which is supposed to redirect to a secure page, doesn't work!

                      Has anybody seen this or have any answers?