Hi Paul,

Paul wrote:

When I start Tomcat, I get the error below.  Entering the address
(http://server1:8080/myapp/home.htm) in my web browser works the way I want
(i.e., security is by-passed and the home page is displayed).  However, when I
enter http://server1:8080/myapp/login.htm in the web browser and try to login,
the web browser URL is changed to http://server1:8080/myapp/j_security_check
and the error is "HTTP Status 400 - Invalid direct reference to form login
page".  Did I make a mistake in the steps above or did I leave something out?


Nope, your setup looks correct. The thing is, users are not supposed to access the login.htm page directly. The way Servlet security is supposed to be used is that you secure resources declaratively in your web.xml. When you want to access one of these secure pages, say /secure/stats.htm, the servlet container notices you are not authenticated and forwards you to the URL defined in <login-config><form-login-page>, in this case login.htm. It is worth noting that the address bar in your browser never contains the URL '/login.htm'.

If the login is successful, the servlet container will redirect you to your real end destination -> /secure/stats.htm.

However, if you access the login.htm page directly by typing it into the address bar, the servlet container does not know what your destination is. So after you successfully log in, Tomcat displays '/j_security_check', which is not a valid address.

In our apps, clients normally end up at a landing page after they log in. So we normally have a link somewhere which says "Login", but that link really points to the landing page, which is secure. If clients click the link they are challenged with the login.htm page, after which they are directed to landing-page.htm.

It seems the new Servlet 3.0 spec will address this issue to some extent, as new #login and #logout APIs are provided. Thus we won't need the special j_security_check form.



********** Error when starting Tomcat ***********************
[Click] [info ] initialized in debug mode
Oct 30, 2008 10:15:05 AM org.apache.catalina.session.StandardManager doLoad
SEVERE: IOException while loading persisted sessions: java.io.InvalidClassException: com.mycompany.myapp.page.HomePage; unable to create instance
java.io.InvalidClassException: com.mycompany.myapp.page.HomePage; unable to create instance
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1739)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1439) ...


The above exception is not related to login but rather to the session, which was persisted after Tomcat shutdown. Upon restart Tomcat tries to recreate the previous sessions but cannot instantiate the HomePage class. I think this is because your HomePage does not implement Serializable?

Btw, how did your HomePage end up in the session? Did you set HomePage to stateful or did you manually add it to the session?

kind regards

bob
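As an added illustration (not part of the thread above), this is a web.xml for the arrangement Bob describes: /secure/* is constrained, the container forwards to /login.htm itself, and the "Login" link points at a secured landing page rather than at the login form. The url-patterns, role name and error page are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Paths and role name are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Everything under /secure/ needs an authenticated user in role "user".
       /home.htm and /login.htm are deliberately left unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- j_username/j_password travel in the POST body: require TLS so the
         credentials and the session cookie are not sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container forwards to form-login-page when an unauthenticated
       request hits a constrained URL, remembers the original target, and
       redirects there after a successful POST to j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myapp</realm-name>
    <form-login-config>
      <form-login-page>/login.htm</form-login-page>
      <form-error-page>/login-failed.htm</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- login.htm must contain exactly this form (field names are fixed by
       the Servlet spec); no action is needed in your own code:
         <form method="POST" action="j_security_check">
           <input type="text"     name="j_username">
           <input type="password" name="j_password">
         </form>
       and the site's "Login" link should point at the protected landing
       page, e.g. /secure/landing-page.htm, never at /login.htm, otherwise
       the container has no saved destination and shows the 400 above. -->
</web-app>
```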
