Session problem? JDBCRealm: Invalid direct reference to form login page
I'm trying to use the JDBCRealm from Tomcat 4.1.27 with an Enhydra 5.0 application servlet and got the following problem, "Invalid direct reference to form login page", which seems to be related to the session management.

From what I understand, a session is first created (by Enhydra SessionMgr) when browsing an unprotected page. Next a protected page is requested and we are redirected to the login page, but with a new session created by Tomcat 4.1. The FormAuthenticator will save the initial request in this new session created by Tomcat 4.1. The user is then properly authenticated, but Tomcat tries to retrieve the initial request in the initial session created by Enhydra, and since it is unable to access it, it creates another session and says there is an "Invalid direct reference to form login page".

REQUEST URI =/enhydra/catalogue/Categories.htm
cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
header=referer=http://localhost:8080/enhydra/AccueilGeneral.html
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
---
Checking constraint 'SecurityConstraint[Protected Area]' against GET /catalogue/Categories.htm -- true
Save request in session 'C8BC7F93D9808C8C7532B3282C364B14'
Redirect to login page '/enhydra/NewLogin.html'
Failed authenticate() test
---
cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14; domain=null; path=/enhydra
header=Set-Cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14; Path=/enhydra
header=Location=http://localhost:8080/enhydra/NewLogin.html
status=302
=
REQUEST URI =/enhydra/NewLogin.html
cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
header=referer=http://localhost:8080/enhydra/AccueilGeneral.html
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6; JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
---
Checking constraint 'SecurityConstraint[Protected Area]' against GET /NewLogin.html -- false
Mapped to servlet 'enhydra' with servlet path '' and path info '/NewLogin.html' and update=true
---
contentType=text/html; charset=ISO-8859-1
status=200
=
REQUEST URI =/enhydra/j_security_check
cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
header=referer=http://localhost:8080/enhydra/NewLogin.html
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6; JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
---
Security checking request POST /enhydra/j_security_check
Authentication of 'dan' was successful
Redirecting to original 'null'
Failed authenticate() test
---
cookie=JSESSIONID=91AD787C623278EF332FE2235EAB5451; domain=null; path=/enhydra
header=Set-Cookie=JSESSIONID=91AD787C623278EF332FE2235EAB5451; Path=/enhydra
message=Référence directe à la form de connexion (form login page) invalide
remoteUser=null
status=400
=

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
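The mismatch described in the post above can be read straight off the request dump: the browser sends two JSESSIONID cookies, requestedSessionId matches the first one, and the saved request sits in the session named by the second. The following Python check is an added example, not part of the original post; the sample lines are condensed from the posted log and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines condensed from the request dump in the post above.
SAMPLE_DUMP = """\
REQUEST URI =/enhydra/catalogue/Categories.htm
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
Save request in session 'C8BC7F93D9808C8C7532B3282C364B14'
REQUEST URI =/enhydra/j_security_check
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6; JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
"""

def parse_cookie_header(value):
    """Return {name: [values in header order]}, keeping duplicate names."""
    jar = defaultdict(list)
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            jar[name].append(val)
    return dict(jar)

def analyse(dump):
    """Return (uri, problem, detail) tuples for ambiguous or stale session ids."""
    findings, uri, saved_in, cookies = [], None, None, {}
    for line in dump.splitlines():
        if line.startswith("REQUEST URI"):
            # A new request starts: remember its URI, forget the old cookies.
            uri, cookies = line.split("=", 1)[1].strip(), {}
        elif line.startswith("header=cookie="):
            cookies = parse_cookie_header(line[len("header=cookie="):])
        elif line.startswith("Save request in session"):
            # Session in which the form authenticator stored the original request.
            saved_in = re.search(r"'([^']+)'", line).group(1)
        elif line.startswith("requestedSessionId="):
            requested = line.split("=", 1)[1]
            ids = cookies.get("JSESSIONID", [])
            if len(set(ids)) > 1:
                findings.append((uri, "duplicate JSESSIONID", ids))
            if saved_in and requested != saved_in:
                findings.append((uri, "saved request is in another session", saved_in))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_DUMP):
        print(finding)
```

Both findings land on the `j_security_check` request, which is the request that ends with "Redirecting to original 'null'" in the posted log.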
Invalid direct reference to form login page
Sometimes I get this error message... can someone give me a hint on the probable causes??

___
:: Christian J. Dechery
:: Accenture do Brasil
:: CHT - Solutions Operations
:: [EMAIL PROTECTED]
RE: Invalid direct reference to form login page
Usually you are interested in some secured resource, and you try to get it. Because it's secured you will be redirected to a login-page, and after authenticating yourself you will be redirected to the requested resource. If you go directly to the login-page, where will it redirect you when you are logged in? This is the cause ...

Abid

-----Original Message-----
From: Christian J. Dechery - ACCENTURE [mailto:[EMAIL PROTECTED]]
Sent: 21 July 2003 16:09
To: Tomcat Users List (E-mail)
Subject: Invalid direct reference to form login page
RE: Invalid direct reference to form login page
Yeah... I figured that. I have a logoff page, and it used to call the login in case the user wanted to re-authenticate... now I just have to link to the index page instead of the login page and everything works fine. Thanks!

___
:: Christian J. Dechery
:: Accenture do Brasil
:: CHT - Solutions Operations
:: [EMAIL PROTECTED]

-----Original Message-----
From: Abid Ali Teepo [mailto:[EMAIL PROTECTED]]
Sent: Monday, 21 July 2003 11:22
To: Tomcat Users List
Subject: RE: Invalid direct reference to form login page
invalid direct reference to form login page...
Hi all,

I've set up Tomcat (4.1.24) to do form based authentication. Everything works great, except I've had to deal with a lot of users that type in the URL I've given them, get redirected to the login page, and bookmark the login page before logging in. Later, when they use the bookmark, they get sent to the login page, but get an "Invalid direct reference to form login page..." message once they log in. I understand why this happens, but don't know what to do about it. Is there a way to specify a default page to go to when the login page is requested directly?

Thanks,
Brian Kuhn
Telscape Communications
Brian Kuhn [EMAIL PROTECTED]
RE: invalid direct reference to form login page...
Your problem has just recently been discussed on this list. Ben Jessel proposed a workaround which I attached below. Hopefully, this might work for you.

Stefan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 27, 2003 1:42 PM
To: [EMAIL PROTECTED]
Subject: Possible workaround for invalid direct reference to login page

Java Authentication with Tomcat relies on realms. If you access a page protected by that realm you get directed to the login page. However, it is possible to go directly to the login page (this can happen when users bookmark the login page inadvertently). This happens in two scenarios:

1) The user is already logged in.
2) The user is not logged in.

If you authenticate yourself once you have gone directly to the login page, you get an invalid direct reference error. Fair enough, the login page is trying to redirect to itself.

Now, I tried to work around this by checking if the session is null, and if it is, redirecting to some protected page, e.g. protected/index.jsp. No luck. It seems that a session is implicitly created, and a new session id gets created.

So I've tried a cookie strategy:

    <%
        // No cookie at all: the login page was requested directly, so send the
        // browser to a protected page (path as posted).
        if ( request.getCookies() == null ) {
            response.sendRedirect("//jsp/protected/index.jsp");
            return; // stop here; a second sendRedirect would fail
        }
        // Already logged in: skip the login form.
        if ( request.getRemoteUser() != null ) {
            response.sendRedirect("/x/jsp/protected/index.jsp");
            return;
        }
    %>

i.e., we won't have a cookie if we've gone directly to the login page. But we will have one if we've tried to access a protected page and then we've been forwarded to a login page; Tomcat will give us a cookie.

Now if we're already logged in (which we check with getRemoteUser()), then we just forward the user to an index page.

This seems o.k. However my index page actually includes my login page! I'm planning to get around this with some logic that only includes the login page excerpt if we are not logged in.

Ben

-----Original Message-----
From: Brian Kuhn [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 29, 2003 1:16 AM
To: [EMAIL PROTECTED]
Subject: invalid direct reference to form login page...
Status 400 - Invalid direct reference to form login page
Status 400 - Invalid direct reference to form login page

The above error is generated when a user bookmarks the login page on an application server where container managed security is used.

Does anyone have an elegant way of dealing with this error? Putting a note on the login page saying, "Please don't bookmark me." is obviously inelegant.

There does not seem to be a workaround because j_security_check must be called from the container. All my attempts to call j_security_check directly failed. My attempts to create a filter also failed because I could not find a differentiator in the request between a bad call to the login page and a good call.

I could force entry through an intermediate page by creating an error-page entry in the web.xml:

    <error-page>
        <error-code>400</error-code>
        <location>intermediatePage.jsp</location>
    </error-page>

The intermediate page could have a link to a protected entry point (from which the container would call the login page). But, Status 400 is a general bad request, not necessarily this specific bad request.

Note: If your location is a protected resource and you forward a user to that location by creating an error-page reference in web.xml, the user will get to the protected page, but not be authenticated. It seems that authentication is only invoked when it comes through a browser, not through a forward or redirect.

Actually, it seems that the only answer is to junk the container managed security wired into Tomcat and use the SecurityFilter project at SourceForge or write my own.

Any thoughts?
Re: Invalid direct reference to form login page
Lisa == Lisa van Gelder [EMAIL PROTECTED] writes:

    Lisa> Here is the bit of my web.xml file that deals with login. The whole of my
    Lisa> app should be protected.

    Lisa> My code never redirects, it leaves all the authentication up to tomcat.

    Lisa> <security-constraint>
    Lisa>   <web-resource-collection>
    Lisa>     <web-resource-name>My Application</web-resource-name>
    Lisa>     <url-pattern>/*</url-pattern>
    Lisa>     <http-method>POST</http-method>
    Lisa>     <http-method>GET</http-method>
    Lisa>   </web-resource-collection>
    Lisa>   <auth-constraint>
    Lisa>     <role-name>myUser</role-name>
    Lisa>   </auth-constraint>
    Lisa> </security-constraint>

    Lisa> <login-config>
    Lisa>   <auth-method>FORM</auth-method>
    Lisa>   <form-login-config>
    Lisa>     <form-login-page>/login/login.jsp</form-login-page>
    Lisa>     <form-error-page>/login/login-failure.jsp</form-error-page>
    Lisa>   </form-login-config>
    Lisa> </login-config>

I believe this might be due to the fact that you've declared the login directory as part of the protected resource. Try creating a subdirectory of the application root where all the pages go, except for the login and error pages, then specify that subdirectory as your protected resource.

--
===
David M. Karr ; Java/J2EE/XML/Unix/C++
[EMAIL PROTECTED]