I found these problems at the beginning as well. I think it could be addressed after the 1.5 release. This Maven archetype (http://www.avoka.com/jira/browse/CLKMVN-2) can be used as a sample.

Gilberto

On Thu, Oct 30, 2008 at 3:15 PM, Bob Schellink <[EMAIL PROTECTED]> wrote:
> Hi Paul,
>
> Paul wrote:
>>
>> When I start Tomcat, I get the error below. Entering address
>> (http://server1:8080/myapp/home.htm) in my web browser works the way I want
>> (i.e., security is by-passed and the home page is displayed). However, when I
>> enter "http://server1:8080/myapp/login.htm" in the web browser and try to login,
>> the web browser URL is changed to "http://server1:8080/myapp/j_security_check"
>> and the error is "HTTP Status 400 - Invalid direct reference to form login
>> page". Did I make a mistake in the steps above or did I leave something out?
>
> Nope, your setup looks correct. Thing is, users are not supposed to access the
> login.htm page directly. The way the Servlet Security is supposed to be used
> is you secure resources declaratively in your web.xml. When you want to
> access one of these secure pages, say /secure/stats.htm, the servlet
> container notices you are not authenticated and it forwards you to the url
> defined in <login-config><form-login-page>, in this case login.htm. It is
> worth noting that the address bar in your browser never contains the url
> '/login.htm'.
>
> If the login is successful the servlet container will redirect you to your
> end real destination -> /secure/stats.htm.
>
> However, if you access the login.htm page directly by typing it into the
> address bar, the servlet container does not know what your destination is.
> So after you successfully login Tomcat displays '/j_security_check', which is
> not a valid address.
>
> In our apps clients normally end up at a landing page after they login. So
> we normally have a link somewhere which says "Login" but that link really
> points to the landing page which is secure. If clients click the link they
> are challenged with the login.htm page, after which they are directed to
> landing-page.htm.
>
> It seems the new Servlet 3.0 spec will address this issue to some extent as
> new #login and #logout API are provided. Thus we won't need a special
> j_security_check form.
>
>>
>> ********** Error when starting Tomcat ***********************
>> [Click] [info ] initialized in debug mode
>> Oct 30, 2008 10:15:05 AM org.apache.catalina.session.StandardManager doLoad
>> SEVERE: IOException while loading persisted sessions: java.io.InvalidClassException: com.mycompany.myapp.page.HomePage; unable to create instance
>> java.io.InvalidClassException: com.mycompany.myapp.page.HomePage; unable to create instance
>>     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1739)
>>     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
>>     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
>>     at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1439) ...
>
> The above exception is not related to login but rather to the session which
> was persisted after Tomcat shutdown. Upon restart Tomcat tries to recreate
> the previous sessions but cannot instantiate the HomePage class. I think
> this is because your HomePage does not implement Serializable?
>
> Btw, how did your HomePage end up in the session? Did you set HomePage to
> stateful or did you manually add it to the session?
>
> kind regards
>
> bob
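
The declarative setup described in the quoted reply, as an added web.xml sketch that is not part of the original thread or of anyone's actual configuration. The `/secure/*` pattern and `/login.htm` come from the thread; the role name `user`, the resource name, the error page `/login-error.htm`, the landing-page path and the HTTPS transport guarantee are assumptions.

```xml
<!-- Fragment of WEB-INF/web.xml (goes inside <web-app>). -->

<!-- Protect everything under /secure/; the container intercepts
     unauthenticated requests and remembers the requested URL. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure-pages</web-resource-name>   <!-- assumed name -->
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>                            <!-- assumed role -->
  </auth-constraint>
  <user-data-constraint>
    <!-- Assumption: force HTTPS so credentials are not sent in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.htm</form-login-page>
    <form-error-page>/login-error.htm</form-error-page>    <!-- assumed page -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- The "Login" link in the site points at the protected landing page,
     never at /login.htm itself (path below is an assumption):
       <a href="secure/landing-page.htm">Login</a>
     The login page posts the spec-defined fields to j_security_check:
       <form method="post" action="j_security_check">
         <input type="text" name="j_username"/>
         <input type="password" name="j_password"/>
       </form>
-->
```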
