1 Reply Latest reply on May 10, 2002 2:08 PM by Jim

    Security problem within jboss+tomcat - still stuck

    Jim Newbie


      I am currently trying to design a webapp using open-source containers which implement the latest specs. This means tomcat403 (for servlets2.3 and jsp1.2) and jboss300 (for ejb2.0).

      During an upgrade to both of the containers implementing these specs, I experienced an anomaly which has to do with the servlet container not remembering an authenticated user unless he has requested a secured web resource (i.e. the request method getUserPrincipal() returns null when he has requested an unsecured web resource). I am using form-based authentication, aka j_security_check, without calling any ejbs. I'm using the DatabaseServerLoginModule.

      At the moment the highest I can go before I lose either spec is the following:

      jb241a+tc323 = ok!
      jb243+tc40 = ok!
      jb244+tc323 = ok!

      jb244+tc40 = bad! (using the same tc40 as above!);
      jb245+tc40 = bad! (using the same tc40 as above!);

      jb243+tc401 = starts up ok but I didn't get far enough to test (get http status 403 - access to requested resource denied when accessing a secured resource);
      jb243+tc403 = (same as above)
      jb244+tc331 = (didn't get far enough to test)
      jb244+tc324 = (couldn't test due to classpath problem I have yet to resolve - only in this bundle, tho');

      I've spent ages on this trial and error approach (I have posted other similar messages - and not only on this forum: struts-user and tomcat-user) but I'm still really stuck with this - I want to proceed using servlets2.3 and jsp1.2 but not at the expense of ejb2.0 and vice versa.

      Please could someone let me know whether this is a jboss problem (I have asked again on the tomcat-user forum). I heard on the struts mailing list that this problem is occurring on someone's websphere containers too so that could be a real spanner.

      Also, I noticed that the form-based auth tc valve is only being called for secured resources (in the 'bad' versions) - does anyone know if this is intentional?

      I know this message may be a little loaded but any feedback on this will be massively appreciated.


      (should this go to jboss-dev, perhaps?)