Form based authentication giving 400 error - strange behavior
Sorry for the long explanation but this is a tricky problem that has me stumped. I hope someone else has experienced this. We are having a strange problem with FORM based authentication that we can't figure out. It seems to be an issue with the tomcat org.apache.catalina.authenticator.FormAuthenticator class. Can you please pass this on to your tech team to find a solution?

Use Case #1: Works fine.
- Type in a protected resource into the browser URL bar. Click the enter key. ( http://mysite.com/app/mypage.jsp )
- We are redirected to the login page. Enter username, password. Hit enter.
- We are taken to the original URL that we requested.

Use Case #2: Fails all the time.
- Visit a user's profile page (profile.jsp). This is an unprotected resource so you can view it without logging in: ( http://mysite.com/app/Profile.jsp?name=ROCK )
- Click on any action link or button on the page. These are all disabled in not-logged-in mode. A dialog pop-up asks the user if they want to login.
- Using javascript a protected resource URL is generated and then ( window.location.href = newAddress ) is set to the protected resource string: ( http://www.mysite.com/app/a.lookup?name=ROCK ). This URL is mapped to a secured servlet.
- The login page is presented to the user with the http://www.mysite.com/app/a.lookup?name=ROCK URL showing in the browser URL bar.
- Enter user/pass and click login. This generates a 400 error with the message: Invalid direct reference to form login page. This URL is now displayed in the URL bar: http://www.mysite.com/app/j_security_check

HTTP Status 400 - Invalid direct reference to form login page
type: Status report
message: Invalid direct reference to form login page
description: The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
Apache Tomcat/5.5.20

Use Case #2 Extended: Here is the real weird behavior.
- After following all the steps in Use Case #2, type in http://mysite.com/app/mypage.jsp on the 400 error page and hit enter.
- You are redirected back to the login page. Make sure username and password are empty. Hit enter again.
- The control page NOW loads.

The first login in use case #2 worked, but it didn't perform the redirect properly. After adding these to log4j.xml I can see the problem from the log file, but am not sure what is causing it.

<category name="org.apache.catalina.authenticator">
  <priority value="DEBUG"/>
</category>
<category name="org.jboss.security.auth.spi">
  <priority value="DEBUG"/>
</category>

Here is the log output for case 1. Note the blue line, this is key in showing why case 2 is failing:

11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting
11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting
11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending
11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending
11:00:01,783 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'
11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
11:00:01,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/captcha
11:00:01,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
11:00:08,939 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /mysite/j_security_check
11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'qq'
11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'qq' was successful
11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/mysite/'
11:00:08,939 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/mysite/j_security_check
11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/
11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
11:00:08,955 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'
11:00:08,955 DEBUG
RE: Log files always locked
I use tomcat and jboss on windows. I have installed the cygwin Unix shell for windows and put all the commands in my PATH env variable. Then I can run:

tail -f log.out

This continuously shows me the log file as it gets updated.

-Steve

-----Original Message-----
From: Fargusson.Alan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2007 3:54 PM
To: Tomcat Users List
Subject: RE: Log files always locked

I think this is a Windows issue. I doubt that Tomcat actually locks the log files. The reason I think that this is a Windows issue is that I run into the same thing with other programs. I don't run Tomcat on Windows, so I can't check Tomcat log files specifically. I think that this behavior depends on the type of filesystem used. In my case it seems that if a file is on a FAT filesystem I have this problem, but if it is on an NTFS filesystem I don't. I have not been able to prove this though.

-----Original Message-----
From: Johnny Kewl [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2007 11:34 AM
To: Tomcat Users List
Subject: Log files always locked

Just something that bugs me. On windows if you try to open a tomcat log file... which are typically associated with something like notepad, you get "In Use By Another Program". Why does Tomcat lock the file handle indefinitely? It may be good programming practice but windows utilities generally don't give one the option of "will open as read only"... it's always a mission just to read a log file.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: User-password from the HttpServletRequest
I use form based authentication backed by a Database Realm. After the user logs in I can get the user info on top of every JSP page with this code snippet.

<%
Principal principal = (Principal) request.getUserPrincipal();
// fetches the user from the database; the name is unique.
User loggedInUser = JSPUtils.loadUser(session, principal.getName());
loggedInUser.getPassword();
loggedInUser.getLastAccessDate();
loggedInUser.isAdmin();
loggedInUser.getEmail();
// etc.
%>

User is my own custom object created with Hibernate mapped to the user table. However this object can be created by straight sql/JDBC also. My code also stores the User object in the session so that it is only loaded from the database once. This way I don't have to do anything fancy to get all the info I need on a User, straight database calls.

Cheers,
-Steve Rock
eCirkit.com

-----Original Message-----
From: Johnny Kewl [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2007 4:06 PM
To: Tomcat Users List
Subject: Re: User-password from the HttpServletRequest

JDBC I guess... Maybe the difficulty is an indication that it's not the right way to go... For example if a user ever has to change their password... data is lost, or a huge procedure. Think about this... maybe it's a good idea. Remember that if you see the user name in a page it means they authenticated. So if the user gets to the code they had to come through the locked door... And if the user is going to get the data back through the browser... this will probably work. Invent a secret code A4H%BIGSECRETYtffguTetc etc. Then HASH that, say using MD5, with the User name. That becomes your password and you lock and unlock the data with that. Not terrific cryptography... but it will work and users can change their passwords... Could add some salt to that like the document's name. Maybe good luck

----- Original Message -----
From: [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, May 02, 2007 9:06 PM
Subject: Re: User-password from the HttpServletRequest

I'm using a DataSource Realm. Hmm, but from where can I access the credentials?

-------- Original Message --------
Date: Wed, 02 May 2007 20:00:04 +0100
From: Pid [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest

[EMAIL PROTECTED] wrote:
>> Do you mean during the login process, or after it has been done?
> I mean after the user has been logged in (form based login). Have you an example of how I can receive the password from the HttpServletRequest?

You can't access the credential from the HttpServletRequest object, it's not made available as part of the Servlet spec. Which realm implementation are you using?

p

greets

-------- Original Message --------
Date: Wed, 02 May 2007 13:31:49 -0400
From: Christopher Schultz [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest

Sam,

[EMAIL PROTECTED] wrote:
> How can I get the password from the logged in user via the HttpServletRequest in general? (I need the password in a servlet filter to do some stuff)

Do you mean during the login process, or after it has been done?

Unless you can get a request object during the login process, you will only be able to get the user's password when using BASIC authentication (not FORM). You'll need to get the Authorization header from the request and decode it to get the user's credentials. You can read all about HTTP auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine how to interpret the data found there.

> And is there some web server independent solution?

I assume that you mean /application server/-independent solution. Yes, all (compliant) Java application servers support the servlet API.

-chris
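The BASIC-only route Christopher describes above, written out as an added example (it is not code from any of the posters, nor Tomcat's own): decode the RFC 2617 "Basic" Authorization header and expose the user-id and password to downstream code from a servlet filter. The class name BasicCredentials, the filter and the request attribute names are my own choices; it assumes the javax.servlet API (Java EE 5, as shipped with Tomcat 5.5) and java.util.Base64 from Java 8 or later. The sample header in main() is constructed for a user "qq" with password "s3cret". With FORM login the header is never present, so parse() returns null and the filter quietly does nothing.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * User-id and password recovered from an RFC 2617 "Basic" Authorization header
 * ("Basic " + base64(user-id ":" password)), plus a Filter that hands them on.
 * Hypothetical helper written for this example; not part of Tomcat or the Servlet API.
 */
public final class BasicCredentials {
    public final String username;
    public final String password;

    private BasicCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    /** Returns null when the header is absent, uses another scheme, or is malformed. */
    public static BasicCredentials parse(String header) {
        if (header == null) {
            return null;
        }
        String[] parts = header.trim().split("\\s+", 2);
        // The auth-scheme token is case-insensitive (RFC 2617 section 1.2).
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64: treat as "no credentials", never throw on client input
        }
        // RFC 2617 does not fix a charset; ISO-8859-1 matches Tomcat's default handling.
        String decoded = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null; // user-id and password must be separated by a colon
        }
        // The user-id may not contain ':', so the first colon is the separator and the
        // password keeps any colons that follow it.
        return new BasicCredentials(decoded.substring(0, colon), decoded.substring(colon + 1));
    }

    /** Filter that publishes the decoded credentials as request attributes. */
    public static final class BasicCredentialsFilter implements Filter {
        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest) {
                HttpServletRequest http = (HttpServletRequest) req;
                BasicCredentials creds = parse(http.getHeader("Authorization"));
                // The header is client-controlled. Only trust it once the container's realm
                // has accepted it: getUserPrincipal() is non-null only for an authenticated
                // request, and its name must match the user-id in the header.
                if (creds != null && http.getUserPrincipal() != null
                        && creds.username.equals(http.getUserPrincipal().getName())) {
                    req.setAttribute("basic.username", creds.username);
                    req.setAttribute("basic.password", creds.password);
                }
            }
            chain.doFilter(req, resp);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: what a browser sends for user "qq" with password "s3cret".
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("qq:s3cret".getBytes(StandardCharsets.ISO_8859_1));
        BasicCredentials c = parse(header);
        System.out.println("user=" + c.username + " password-length=" + c.password.length());
        System.out.println("non-Basic scheme rejected: " + (parse("Bearer abc") == null));
        System.out.println("bad base64 rejected: " + (parse("Basic !!!") == null));
    }
}
```

Two practical caveats go with this. Basic sends the password on every request, so it is only acceptable over HTTPS, and the filter must be mapped behind the container's security constraint (otherwise getUserPrincipal() is null and nothing is published). Keep the password out of logs and out of the session; the attribute lives only for the current request.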