1. Re: Users bookmarking login.jsp causes problems
ragavgomatam Aug 7, 2008 8:50 PM (in response to kathy90031)
Hi
We ran into a similar problem before & if I remember correctly, secure the <url-pattern> in your web.xml properly. The URL that you put inside this tag is crucial. In our old Struts-based application our web.xml went like this:

    <welcome-file-list>
      <welcome-file>jsp/welcome.jsp</welcome-file>
    </welcome-file-list>
    <error-page>
      <error-code>500</error-code>
      <location>/jsp/error.jsp</location>
    </error-page>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <description>Security constraint testing using custom Jaas Module</description>
        <url-pattern>*.do</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <!-- auth-constraint listing the allowed roles goes here -->
    </security-constraint>

So basically anything that goes to the Struts Action Servlet is protected. Plus users are not exposed to the JSPs directly. Even if they bookmark a page, they are redirected to the welcome page.
2. Re: Users bookmarking login.jsp causes problems
kathy90031 Aug 8, 2008 8:20 AM (in response to kathy90031)
Yes, our URL pattern is the same, but I'm not sure you were understanding me correctly. Our pages ARE secure.
If someone bookmarks http://localhost/WebApp/index.jsp
then they are directed to the login page; after they log in (and are authenticated), they are directed to the home page.
If someone bookmarks http://localhost/WebApp/login.jsp
they log in and receive a BAD REQUEST error EVEN THOUGH they are authenticated. In fact, if they try to go to index.jsp DIRECTLY from the bad request page, they get in.
I looked at the JBoss source code and saw what was happening. JBoss looks up the request to forward to. Since the users are coming from login.jsp, this variable returns NULL. Therefore, JBoss throws the bad request error.
Is there a workaround I can configure instead of code?
3. Re: Users bookmarking login.jsp causes problems
ragavgomatam Aug 8, 2008 8:54 PM (in response to kathy90031)
If someone bookmarks http://localhost/WebApp/login.jsp
they log in and receive a BAD REQUEST error EVEN THOUGH they are authenticated. In fact, if they try to go to index.jsp DIRECTLY from the bad request page, they get in.
Just wondering... Is it possible to avoid showing the URL http://localhost/WebApp/login.jsp
by indirection?
4. Re: Users bookmarking login.jsp causes problems
jkva Aug 9, 2008 8:16 AM (in response to kathy90031)
"kathy90031" wrote:
Yes, our URL pattern is the same, but I'm not sure you were understanding me correctly. Our pages ARE secure.
If someone bookmarks http://localhost/WebApp/index.jsp
then they are directed to the login page; after they log in (and are authenticated), they are directed to the home page.
If someone bookmarks http://localhost/WebApp/login.jsp
they log in and receive a BAD REQUEST error EVEN THOUGH they are authenticated. In fact, if they try to go to index.jsp DIRECTLY from the bad request page, they get in.
I looked at the JBoss source code and saw what was happening. JBoss looks up the request to forward to. Since the users are coming from login.jsp, this variable returns NULL. Therefore, JBoss throws the bad request error.
Is there a workaround I can configure instead of code?

You could try creating a valve to check if the user browses directly to the login page or if he uses the normal navigation. If he does, redirect him to a secure page. The j_security_check will trigger and redirect the user to the login page.
A valve can be compared with a Servlet filter, but it runs outside the application and has access to otherwise forbidden resources, like Tomcat classes.
More here:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
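
Added example (not part of the thread and not code from any poster or from JBoss/Tomcat): a sketch of the valve suggested in the last reply, written against the Tomcat 6 `ValveBase` API. The class name, package and the two page paths are assumptions, and it assumes the container reaches the form login page by an internal forward, so only direct (bookmarked) requests for it pass through the valve.

```java
package example.valves; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Sends direct requests for the form-login page to a protected page, so the
 * container's own FORM authentication flow starts with a saved request and
 * j_security_check has somewhere to return to after a successful login.
 */
public class LoginBookmarkValve extends ValveBase {

    // Context-relative paths (assumed values); both can be overridden with
    // attributes of the same name on the <Valve> element.
    private String loginPage = "/login.jsp";
    private String securedPage = "/index.jsp";

    public void setLoginPage(String loginPage) { this.loginPage = loginPage; }
    public void setSecuredPage(String securedPage) { this.securedPage = securedPage; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String contextPath = request.getContextPath();
        String uri = request.getRequestURI();

        // Ignore path parameters such as ;jsessionid=... when comparing.
        int semi = uri.indexOf(';');
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }

        // Only a direct GET of the login page is intercepted. The POST to
        // j_security_check and every other request continue untouched.
        boolean directLoginHit = "GET".equals(request.getMethod())
                && uri.equals(contextPath + loginPage);

        if (directLoginHit) {
            // The target is fixed server-side configuration and is never
            // built from request data, so it cannot become an open redirect.
            response.sendRedirect(
                    response.encodeRedirectURL(contextPath + securedPage));
            return;
        }
        getNext().invoke(request, response);
    }
}
```

The valve is registered with a `<Valve className="example.valves.LoginBookmarkValve"/>` element in the web application's context configuration, as described in the valve documentation linked above. If the container issues a redirect to the login page instead of forwarding, this valve would loop and must not be used as written.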