Pierre,

I experienced a similar problem when using form-based authentication and secured all requests (/*).

From web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>My Webapp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>


As a workaround I placed all my images and css in a folder that did not require authentication.

Hope that helps.

Mr. Ariel S. Valentin
mailto: [EMAIL PROTECTED]





From: Pierre Sarrazin <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Wrong file served after JDBC Realm authentication
Date: Wed, 16 Jun 2004 23:19:09 -0400

I am trying to use the JDBC realm in my Tomcat web application and
it mostly works, but after logging into the application, Tomcat
sends the application's style.css file to my browser...

I am using Tomcat 5.0.16 on a Fedora Core 2 system.  I have configured
the JDBC realm this way in conf/server.xml:

<Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="com.mysql.jdbc.Driver"
    connectionURL="jdbc:mysql://localhost/authority"
   connectionName="(REMOVED)" connectionPassword="(REMOVED)"
        userTable="users" userNameCol="user_name" userCredCol="user_pass"
    userRoleTable="user_roles" roleNameCol="role_name" />

In my application's web/WEB-INF/web.xml file, there is this:

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Document Munger</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>docmungerUser</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>Document Munger</realm-name>
       <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/login-error.jsp</form-error-page>
       </form-login-config>
    </login-config>

    <security-role>
        <description>
            This role includes all users who are allowed to use
            (but not administer) the service.
        </description>
        <role-name>docmungerUser</role-name>
    </security-role>

The web/login.jsp file contains this:

    <%@ include file="header.inc" %>

    <FORM METHOD="POST" ACTION="j_security_check">
            Username:<BR>
            <INPUT TYPE="text" NAME="j_username"><BR>
            Password:<BR>
            <INPUT TYPE="password" NAME="j_password"><BR>
            <INPUT TYPE="submit" VALUE="Log in">
    </FORM>

    <%@ include file="footer.inc" %>

The web/header.inc file contains this:

    <HTML>
    <HEAD>
    <LINK REL="StyleSheet" HREF="style.css" TYPE="text/css">
    <TITLE><%= siteTitle %></TITLE>
    <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </HEAD>
    <BODY>

This is where the "style.css" filename comes from.  There is indeed
a web/style.css file.

In the MySQL server, there is a "users" table that contains this:

    +-----------+-----------+
    | user_name | user_pass |
    +-----------+-----------+
    | george    | (REMOVED) |
    +-----------+-----------+

There is also a "user_roles" table:

    +-----------+---------------+
    | user_name | role_name     |
    +-----------+---------------+
    | george    | docmungerUser |
    +-----------+---------------+

I use ant to install the application, then I send my browser (Galeon
1.3) to <http://localhost:8080/docmunger/>.  The login form appears.
I enter "george" and the password, and click "Log in".  Then my
browser displays the style.css file...  The location field of the
browser now shows <http://localhost:8080/docmunger/style.css>.

The catalina_log.2004-06-16.txt file says "Username george
successfully authenticated".

If I now ask my browser to go to <http://localhost:8080/docmunger/>
again, then I finally reach the real front page of the application
(index.jsp).

If I remove the <LINK> line from web/header.inc and reload the
application, then the problem disappears: I don't see style.css
and I reach index.jsp right after logging in.

I restarted Tomcat just before retrying this entire scenario.
I also see nothing suspicious appear in the logs.

I'm puzzled.  What could cause this behavior, and how does Tomcat
decide to send style.css?

--
Pierre Sarrazin <sarrazip at sympatico dot ca>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
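
The workaround from the reply, written out against the web.xml in the original message (an added example, not from either poster; the /static/ folder name is an assumption). With FORM authentication, a protected style.css requested by the login page can replace the saved original request, so the stylesheet is moved under a longer path-prefix pattern that has no auth-constraint and therefore takes precedence over /* for those files.

```xml
<!-- Added example; /static/* is an assumed folder name, not from the thread. -->

<!-- Public: stylesheets and images referenced by login.jsp. The absence of
     an <auth-constraint> element means no authentication is required. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public static files</web-resource-name>
        <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<!-- Protected: everything else, unchanged from the original web.xml. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Document Munger</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>docmungerUser</role-name>
    </auth-constraint>
</security-constraint>
```

header.inc would then reference the stylesheet at its new location under static/. Only files that are safe to serve to unauthenticated clients belong in that folder.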

