1 Reply Latest reply on Jun 23, 2002 3:36 PM by Kevin Seal

    "Invalid direct reference to form login page" under JBoss 3.

    Kevin Seal Newbie

      I'm attempting to port a working LoginModule from 2.4.4 to 3.0.0 RC1 and have hit upon this rather spurious problem.

      Basically a protected web resource is correctly redirecting to the form-based login page but, upon submission, I get the following message:
      HTTP 400: Invalid direct reference to form login page

      Here are various snippets relating to the login method:

      web.xml:
      [pre]
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/util/login.jsp</form-login-page>
          <form-error-page>/util/login-error.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>adminPages</web-resource-name>
          <description>Pages visible only to administrators</description>
          <url-pattern>/admin/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      [/pre]

      /util/login.jsp:
      [pre]

      Username:
      Password:


      [/pre]

      I've seen a similar posting on this forum that suggested encoding the form action as follows:
      [pre]<%= response.encodeURL("j_security_check") %>[/pre]
      This seems to result in some progress as I don't get an error back. However, the login page is shown to the user again after a successful submission (ad infinitum).
      My login module reports that it is finding the user and that the user has the correct roles for the site so I'm a bit stumped as to why this isn't working on 3.0.0RC1.

      Has anyone got any ideas?!
      Thanks in advance.

        • 1. Re: "Invalid direct reference to form login page" under JBos
          Kevin Seal Newbie

          Further fiddling has got this to the point where it now shows the login page three times, each time with a different jsessionid in the URL. Eventually it will let me proceed to the restricted web resource!
          I'm not sure what's causing this problem - the jsessionid in the URL matches that in the form action:
          [pre]
          localhost:8080/util/login.jsp;jsessionid=6C7D75D52B3DDC91F4F54A3E436B6525
          ...

          [/pre]
          Yet I'm getting a new jsessionid the next time round!

          Any ideas?!