Session problem? JDBCRealm: Invalid direct reference to form login page

2003-12-13 Thread Daniel Germain
I'm trying to use the JDBCRealm from Tomcat 4.1.27 with an enhydra 5.0
application servlet and got the following problem, "Invalid direct
reference to form login page", which seems to be related to the session
management.

From what I understand, a session is first created (by enhydra SessionMgr)
when browsing an unprotected page. Next a protected page is requested and
we are redirected to the login page but with a new session created by
Tomcat 4.1. The FormAuthenticator will save the initial request in this
new session created by Tomcat 4.1. The user is then properly authenticated
but Tomcat tries to retrieve the initial request in the initial session
created by Enhydra, and it is unable to access it; it creates another
session and says there is an "Invalid direct reference to form login page".

REQUEST URI   =/enhydra/catalogue/Categories.htm
cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6

header=referer=http://localhost:8080/enhydra/AccueilGeneral.html
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
---
Checking constraint 'SecurityConstraint[Protected Area]' against GET /catalogue/Categories.htm -- true
Save request in session 'C8BC7F93D9808C8C7532B3282C364B14'
Redirect to login page '/enhydra/NewLogin.html'
Failed authenticate() test
---
cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14; domain=null; path=/enhydra
header=Set-Cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14; Path=/enhydra
header=Location=http://localhost:8080/enhydra/NewLogin.html
status=302
=
REQUEST URI   =/enhydra/NewLogin.html
cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14

header=referer=http://localhost:8080/enhydra/AccueilGeneral.html
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6; JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
---
Checking constraint 'SecurityConstraint[Protected Area]' against GET /NewLogin.html -- false
Mapped to servlet 'enhydra' with servlet path '' and path info '/NewLogin.html' and update=true
---
contentType=text/html; charset=ISO-8859-1
status=200
=
REQUEST URI   =/enhydra/j_security_check
cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6
cookie=JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
header=referer=http://localhost:8080/enhydra/NewLogin.html
header=cookie=JSESSIONID=R3ubmDGE-O571edTbpty5Uu6; JSESSIONID=C8BC7F93D9808C8C7532B3282C364B14
requestedSessionId=R3ubmDGE-O571edTbpty5Uu6
---
Security checking request POST /enhydra/j_security_check
Authentication of 'dan' was successful
Redirecting to original 'null'
Failed authenticate() test
---
cookie=JSESSIONID=91AD787C623278EF332FE2235EAB5451; domain=null; path=/enhydra
header=Set-Cookie=JSESSIONID=91AD787C623278EF332FE2235EAB5451; Path=/enhydra
message=Référence directe à la form de connexion (form login page) invalide
remoteUser=null
status=400
=


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
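
The mismatch described in the post above can be checked mechanically. This is an added example, not part of the original thread: it parses a dump in the same format and flags a login whose resolved session is not the one holding the saved request. The sample dump, its session ids and the function names are constructed for this example.

```python
import re

# Constructed sample in the same dump format as the post above (ids shortened).
SAMPLE_DUMP = """\
REQUEST URI   =/enhydra/catalogue/Categories.htm
header=cookie=JSESSIONID=ENHYDRA1
requestedSessionId=ENHYDRA1
Save request in session 'TOMCAT1'
header=Set-Cookie=JSESSIONID=TOMCAT1; Path=/enhydra
status=302
REQUEST URI   =/enhydra/j_security_check
header=cookie=JSESSIONID=ENHYDRA1; JSESSIONID=TOMCAT1
requestedSessionId=ENHYDRA1
Redirecting to original 'null'
status=400
"""

def parse_requests(dump):
    """Split the dump into one dict per request."""
    requests = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("REQUEST URI"):
            requests.append({"uri": line.split("=", 1)[1], "sent": [],
                             "requested": None, "saved_in": None})
        elif not requests:
            continue
        elif line.lower().startswith("header=cookie="):
            requests[-1]["sent"] = re.findall(r"JSESSIONID=([^;\s]+)", line)
        elif line.startswith("requestedSessionId="):
            requests[-1]["requested"] = line.split("=", 1)[1]
        elif line.startswith("Save request in session"):
            requests[-1]["saved_in"] = line.split("'")[1]
    return requests

def find_session_mismatches(dump):
    """Flag requests that resolve a session other than the one holding the saved request."""
    findings, saved_in = [], None
    for req in parse_requests(dump):
        if len(set(req["sent"])) > 1:
            findings.append((req["uri"], "multiple JSESSIONID cookies sent"))
        if (saved_in and req["uri"].endswith("/j_security_check")
                and req["requested"] != saved_in):
            findings.append((req["uri"], "login resolved session %s, request saved in %s"
                             % (req["requested"], saved_in)))
        saved_in = req["saved_in"] or saved_in  # remember where the request was saved
    return findings
```
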


Invalid direct reference to form login page

2003-07-21 Thread Christian J. Dechery - ACCENTURE
Sometimes I get this error message... can someone give me a hint on the
probable causes??

___
:: Christian J. Dechery 
:: Accenture do Brasil 
:: CHT - Solutions Operations 
:: [EMAIL PROTECTED] 

 


RE: Invalid direct reference to form login page

2003-07-21 Thread Abid Ali Teepo

Usually you are interested in some secured resource, and you try to get it.
Because it's secured you will be redirected to a login-page, and after
authenticating yourself you will be redirected to the requested resource.

If you go directly to the login-page, where will it redirect you when you
are logged in?

This is the cause ...

Abid




RES: Invalid direct reference to form login page

2003-07-21 Thread Christian J. Dechery - ACCENTURE
yeah... I figured that.

I have a logoff page, and it used to call the login in case the user wanted
to re-authenticate... now I just have to link to the index page instead of
the login page and everything works fine.

Thanks!

___
:: Christian J. Dechery
:: Accenture do Brasil
:: CHT - Solutions Operations
:: [EMAIL PROTECTED]





invalid direct reference to form login page...

2003-06-28 Thread Brian Kuhn
Hi all,

I've set up Tomcat (4.1.24) to do form based authentication.  Everything
works great, except I've had to deal with a lot of users that type in the
URL I've given them, get redirected to the login page, and bookmark the
login page before logging in.  Later, when they use the bookmark, they get
sent to the login page, but get an "Invalid direct reference to form login
page..." message once they log in.

I understand why this happens, but don't know what to do about it.  Is
there a way to specify a default page to go to when the login page is
requested directly?

Thanks,
 Brian Kuhn
 Telscape Communications



Brian Kuhn
[EMAIL PROTECTED]



RE: invalid direct reference to form login page...

2003-06-28 Thread Stefan Radzom
Your problem has just recently been discussed on this list. Ben Jessel
proposed a workaround which I attached below. Hopefully, this might work for
you.

Stefan


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Friday, June 27, 2003 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: Possible workaround for invalid direct reference to login page
 
 
 Java Authentication with tomcat relies on realms. If you access a page
 protected by that realm you get directed to the login page.
 However, it is possible to go directly to the login page (this can
 happen when users bookmark the login page inadvertently).
 
 This happens in two scenarios:
 
 1) The user is already logged in.
 2) The user is not logged in.
 
 If you authenticate yourself once you have gone directly to the login
 page, you get an "invalid direct reference" error. Fair enough, the login
 page is trying to redirect to itself. Now, I tried to work around this by
 checking if the session is null, and if it is, redirecting to some
 protected page, e.g. protected/index.jsp. No luck. It seems that a session
 is implicitly created, and a new session id gets created.
 
 So I've tried a cookie strategy:
 
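 <%
 // No cookie at all: the login page was requested directly, so send the
 // browser to a protected page and let the container start the login.
 if ( request.getCookies()==null ) {
     response.sendRedirect("//jsp/protected/index.jsp");
     return; // stop here: a second sendRedirect on a committed response fails
 }
 // Already logged in: there is no saved request to return to.
 if ( request.getRemoteUser()!=null )
 {
     response.sendRedirect("/x/jsp/protected/index.jsp");
     return;
 }
 %>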
 
 i.e., we won't have a cookie if we've gone directly to the login page. But
 we will have if we've tried to access a protected page and then we've been
 forwarded to a login page; tomcat will give us a cookie.
 
 Now if we're already logged in (which we check with getRemoteUser()),
 then we just forward the user to an index page.
 
 This seems o.k. However my index page actually includes my login page! I'm
 planning to get around this with some logic that only includes the login
 page excerpt if we are not logged in.
 
 Ben
 





Status 400 - Invalid direct reference to form login page

2003-03-24 Thread Mike Duffy
Status 400 - Invalid direct reference to form login page

The above error is generated when a user bookmarks the login page on
an application server where container managed security is used.

Does anyone have an elegant way of dealing with this error?

Putting a note on the login page saying, “Please don’t bookmark me.”
is obviously inelegant.

There does not seem to be a workaround because j_security_check must
be called from the container.  All my attempts to call
j_security_check directly failed.  My attempts to create a filter
also failed because I could not find a differentiator in the request
between a “bad” call to the login page and a “good” call.

I could force entry through an intermediate page by creating an
error-page entry in the web.xml:

<error-page>
    <error-code>400</error-code>
    <location>/intermediatePage.jsp</location>
</error-page>

The intermediate page could have a link to a protected entry point
(from which the container would call the login page).  But, “Status
400” is a general bad request, not necessarily this specific bad
request.

Note:  If your location is a protected resource and you forward a
user to that location by creating an error-page reference in web.xml,
the user will get to the protected page, but not be authenticated.
It seems that authentication is only invoked when it comes through a
browser, not through a forward or redirect.

Actually, it seems that the only answer is to junk the container
managed security wired into Tomcat and use the SecurityFilter project
at SourceForge or write my own.

Any thoughts?





Re: Invalid direct reference to form login page

2002-05-10 Thread David M. Karr

>>>>> "Lisa" == Lisa van Gelder [EMAIL PROTECTED] writes:

    Lisa> Here is the bit of my web.xml file that deals with login. The whole of my
    Lisa> app should be protected.

    Lisa> My code never redirects, it leaves all the authentication up to tomcat.

    Lisa>   <security-constraint>
    Lisa>     <web-resource-collection>
    Lisa>       <web-resource-name>My Application</web-resource-name>
    Lisa>       <url-pattern>/*</url-pattern>
    Lisa>       <http-method>POST</http-method>
    Lisa>       <http-method>GET</http-method>
    Lisa>     </web-resource-collection>
    Lisa>     <auth-constraint>
    Lisa>       <role-name>myUser</role-name>
    Lisa>     </auth-constraint>
    Lisa>   </security-constraint>
    Lisa>   <login-config>
    Lisa>     <auth-method>FORM</auth-method>
    Lisa>     <form-login-config>
    Lisa>       <form-login-page>/login/login.jsp</form-login-page>
    Lisa>       <form-error-page>/login/login-failure.jsp</form-error-page>
    Lisa>     </form-login-config>
    Lisa>   </login-config>

I believe this might be due to the fact that you've declared the login
directory as part of the protected resource.  Try creating a subdirectory of
the application root where all the pages go, except for the login and error
pages, then specify that subdirectory as your protected resource.

-- 
===
David M. Karr  ; Java/J2EE/XML/Unix/C++
[EMAIL PROTECTED]

