0 Replies Latest reply on May 20, 2003 3:41 PM by spencerk

    Security Changes from 3.0.3 to 3.0.7

    spencerk Newbie

      I wrote a custom LoginModule for 3.0.3-Tomcat 4.1.12 according to the docs that's part of the subscription from what was flashline.com. It worked fine in 3.0.3, but when we upgraded to 3.0.7-Tomcat 4.1.24 it broke.

      The custom LoginModule takes in the username and password as provided by a form login (j_username/j_password), encrypts the password and compares the pair to an entry in our LDAP server. The custom LoginModule is a subclass of AbstractServerLoginModule, which doesn't look like it changes much between version, aside from the addition of a variable "loginOK" which needs to get set in the login() method.

      The problem that occurs is this, if you fail to login correctly, ir rolls through all the login-module entries in the login-config.xml file and kicks you over to a 403 page saying the requested resource is denied, instead of kicking the user over to the <login-form-error> page that's specified in the web.xml file. Even if you call the <login-form-error> directly and try to authenticate, no LoginModule gets called.

      Any ideas? Is anything unclear? I've been looking this over for a couple of weeks but to no avail. Like I said, this worked in 3.0.3-Tomcat 4.1.12, but not in 3.0.7-Tomcat 4.1.24.

      Thanks for any and all help.