You've probably got it fixed by now but...
I think all you need to do is add this before executing the post:
authPost.setFollowRedirects(true);

As memory serves, I think it only follows up to a set maximum number of redirects (in an attempt to prevent infinite loops). It's been a while since I dug around the HttpClient code so I can't remember if that value is configurable.

HTH,

Jon

Chris Ward wrote:

Tomcat-Users
(Cc:Matt/Adam),


I've just tried doing a redirect to j_security_check using the commons package "org.apache.commons.httpclient".

The error I get from the code is

[INFO] HttpMethodBase - -Redirect requested but followRedirects is disabled
statusCode : 302

Any clues given my code below (which is more than a bit similar to Matt's ;o) )



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

static private final String authURL = "j_security_check";

<snip>

HttpClient client = new HttpClient();
client.getHostConfiguration().setHost(
    request.getServerName(),
    request.getServerPort(),
    request.getScheme()
);
PostMethod authPost = new PostMethod( request.getContextPath() + "/" + authURL );
NameValuePair user = new NameValuePair( "j_username", username );
NameValuePair pass = new NameValuePair( "j_password", password );
authPost.setRequestBody( new NameValuePair[] { user, pass } );
client.executeMethod(authPost);
authPost.releaseConnection();
int statusCode = authPost.getStatusCode();

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


I think I've either got the authURL wrong or I need to do something in web.xml.

Any light cast on this would be great.

Many thanks as always,
Chris



It's standard container managed security stuff - I first invoke a protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is protected. Based on security constraints in web.xml, I'm presented with a form-login-page "login.jsp" - rather than having action="j_security_check" in this form, I have action="/security/authorize" - which is mapped to my own LoginServlet. In the LoginServlet, I encrypt the password (optionally based on an init-parameter), set some cookies and do an HTTP Post to j_security_check. Works on Tomcat 4-5 and Resin 3.x.

Matt

On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:


Matt,
are you really managing to post a form to j_security_check without invoking it first, or is that some sort of black magic you've cooked up?

Or have I just misunderstood what Chris said?

Adam

On 12/03/2003 09:24 PM Matt Raible wrote:

Chris,

I found your post at http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html and I'm cc'ing the list in case anyone else is interested in this info (I'm not subscribed).

I've actually improved the "Remember Me" feature a fair amount since I posted to the Tomcat User list. The sendRedirect works, however, it (in some browsers) puts the URL (with password) into the address bar. This isn't a big deal IMO since it's the user that just logged in and they don't mind seeing their own passwords. However, the URL tends to show up in server log files which can be a security hole.

Because of this, I changed to using an HTTP Post with Jakarta Commons' HttpClient. I also moved my form-login-page and form-error-page into a "security" folder and then set my cookies for the /appname/security path rather than / - this makes it so the user/pass cookies are more secure and can only be retrieved when logging in, rather than for any URL in the site.

That being said, I've updated one of my sample apps with these changes and you can download it if you'd like:
http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse

Here's my updated LoginServlet that does an Http Post instead of a Get:
http://tinyurl.com/xl80

HTH,
Matt

On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:


Hi Matt,

Sorry for sending unsolicited email but I've been looking at some of your postings to Tomcat-User and wondered if I could ask a couple of questions. I've tried posting to list but had no response from anyone there.

Specifically, it's regarding your "remember me" login stuff. If this is a pain feel free to ignore this email.


Best regards Chris

p.s. My question to the list was under the subject "servlet sendRedirect() to j_security_check problem"


--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9


--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
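
Matt's remark in the thread above, that the sendRedirect URL (with password) tends to show up in server log files, can be checked on the log side. The following is an added example, not code from the thread or from AppFuse: a Python scan that flags and masks j_username/j_password values found in logged request URLs. The log lines are constructed, and the Common Log Format layout and the set of sensitive parameter names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: parameter names treated as credentials. j_username and
# j_password are the form-login fields used in the thread.
SENSITIVE = {"j_username", "j_password"}

# Assumption: Common Log Format, request logged as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2003:16:21:07 -0700] "GET /appname/j_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 -',
    '192.0.2.10 - - [03/Dec/2003:16:21:09 -0700] "POST /appname/j_security_check HTTP/1.1" 302 -',
    '192.0.2.11 - - [03/Dec/2003:16:22:40 -0700] "GET /appname/mainMenu.do?page=2 HTTP/1.1" 200 5120',
]


def redact_line(line):
    """Return (line with credential values masked, method, leaked names)."""
    match = REQUEST_RE.search(line)
    if not match:
        return line, None, []
    parts = urlsplit(match.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [name for name, _ in pairs if name in SENSITIVE]
    if not leaked:
        return line, match.group("method"), []
    masked = [(n, "REDACTED" if n in SENSITIVE else v) for n, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(masked)))
    start, end = match.span("target")
    return line[:start] + target + line[end:], match.group("method"), leaked


def scan(lines):
    """Redact all lines; report (line number, method, names) per leak."""
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        clean, method, leaked = redact_line(line)
        redacted.append(clean)
        if leaked:
            findings.append((number, method, leaked))
    return redacted, findings


if __name__ == "__main__":
    clean_lines, hits = scan(SAMPLE_LOG)
    for number, method, names in hits:
        print(f"line {number}: {method} request logged {', '.join(names)}")
    print("\n".join(clean_lines))
```

The POST line passes through untouched because a form body is not part of the logged request line, which is the property the switch from redirect to HTTP Post relies on.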