Hi,

In article <[EMAIL PROTECTED]>,
Tue, 8 Jun 2004 09:35:31 +0200,
[EMAIL PROTECTED] wrote:
Anton_Grimm> When I run our suite against WebSphere 5.1.0.4 the tests using
Anton_Grimm> FormAuthentication fail reporting
Anton_Grimm>
Anton_Grimm> "Failed to authenticate the principal."
[snip]
Anton_Grimm> ### WebSphere ###
Anton_Grimm>
Anton_Grimm> getCookie(theConnection, theTarget) - Header: null:HTTP/1.1 302 Found
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Date:Tue, 08 Jun 2004
Anton_Grimm> 06:24:12 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Server:IBM_HTTP_Server/2.0.47-PQ84017 Apache/2.0.47 (Unix) DAV/2
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Set-Cookie:WASReqURL=http://mmwasint.mn-man.biz:8085/mandeploymantwebapp/ServletRedirectorSecure?;Path=/
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Cache-Control:no-cache="set-cookie,set-cookie2"
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Expires:Thu, 01 Dec 1994
Anton_Grimm> 16:00:00 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Location:http://mmwasint.mn-man.biz:8085/mandeploymantwebapp/jsp/LoginForm.jsp
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Length:0
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Type:text/html;
Anton_Grimm> charset=ISO-8859-1
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Language:en-US
[snip]
Anton_Grimm> Anyway, when I request the Url (against WebSphere)
Anton_Grimm> http://hostname:port/context/ServletRedirectoSecure?
Anton_Grimm> I get forwarded to the login-page.
Anton_Grimm>
Anton_Grimm> Before submitting the Login-Page I request
Anton_Grimm> javascript:alert(document.cookie)
Anton_Grimm> and I get two cookies (WASReqURL and JSESSIONID).

WebSphere may set a Set-Cookie header for JSESSIONID in the response
for the login-page, which will not be accessed by FormAuthentication
implementation.

Could you trace HTTP messages for the following sequence by using
a packet capture tool?

  (1) C->S request the URL
      http://hostname:port/context/ServletRedirectoSecure?
  (2) S->C 302 response
  (3) C->S request the login-page
  (4) S->C 200 response with login-page
  (5) C->S request j_security_check with username, password and JSESSIONID

Current implementation of the FormAuthentication class is assuming that
a Set-Cookie header for JSESSIONID exists in a response at (2).
Then, the FormAuthentication class does not perform (3)-(4),
but performs (5) immediately.

However, it's possible for AP server to start session tracking from
the first login-page request (3), and for that case, AP server may
send the Set-Cookie header for JSESSIONID at (4).

Regards,
----
Kazuhito SUGURI
mailto:[EMAIL PROTECTED]
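
The five-step exchange described in the reply above, as an added example that is not part of the original message or of the Cactus code base: a small checker that reads the captured responses for steps (2) and (4) and reports which one first sets JSESSIONID. The function names are hypothetical, and the sample responses are constructed with placeholder hosts and values, not taken from a real capture.

```python
"""Find which response in a captured form-login exchange first sets a cookie."""

def set_cookie_names(raw_response):
    """Return the cookie names set by one raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    names = []
    for line in head.split("\n")[1:]:      # skip the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            pair = value.split(";", 1)[0]  # drop attributes such as Path
            names.append(pair.split("=", 1)[0].strip())
    return names

def first_step_setting(trace, cookie="JSESSIONID"):
    """trace: list of (step, raw_response). Return the first step or None."""
    for step, raw in trace:
        if cookie in set_cookie_names(raw):
            return step
    return None

def diagnose(trace):
    """Map the step that sets JSESSIONID to what it means for the client."""
    step = first_step_setting(trace)
    if step == 2:
        return "JSESSIONID set at (2): a client may go straight to (5)"
    if step == 4:
        return "JSESSIONID set at (4): a client must do (3)-(4) before (5)"
    return "JSESSIONID not set at (2) or (4)"

# Constructed sample responses (assumption: placeholder host and cookie values).
STEP2_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: WASReqURL=http://example.test/context/ServletRedirectorSecure?;Path=/\r\n"
    "Location: http://example.test/context/jsp/LoginForm.jsp\r\n"
    "Content-Length: 0\r\n\r\n"
)
STEP4_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0000constructed;Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html>login form</html>"
)
TRACE = [(2, STEP2_302), (4, STEP4_200)]

if __name__ == "__main__":
    print(diagnose(TRACE))
```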
