Re: Tomcat 6.x security-constraint redirection problem... please help!
Christopher Schultz wrote:
> Pid,
>
> Pid wrote:
>> There's a couple of things that may be confusing the config below, which have some simple corrections. I usually place login.jsp and error.jsp in WEB-INF/login/, where they are protected from unwanted attention by default - this avoids the need to protect them with a security-constraint.
>
> Agreed. I've found that when using Tomcat to serve static content, these things tend to happen. The reason is that Tomcat saves the first unauthorized request and then repeats it after successful authentication. If the last request was for something like a CSS file (say, because the CSS file was protected, but the main page wasn't), then you'll end up being served the CSS file after login. It can be very disorienting.
>
>> Tomcat returns the *first* file you requested inside the secured area after authentication is completed. So for some reason your browser is requesting a script or CSS file before the JSP page.
>
> For some reason, I thought it was the most recent request it saved. First makes more sense; thanks for mentioning it.

I have an app with a page which contains a flash object (displays a nice graph) that calls a groovy script periodically to get data. If the user session times out in between requests for the script, then when it's requested it's the first one after de-auth, so it becomes the target that is re-established after re-login (obviously not useful for users).

I've been attempting to stop the periodic request by monitoring the session period, but haven't had time to properly address it yet. :(

p

> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.x security-constraint redirection problem... please help!
Pid,

Pid wrote:
> I have an app with a page which contains a flash object (displays a nice graph) that calls a groovy script periodically to get data. If the user session times out in between requests for the script, then when it's requested it's the first one after de-auth, so it becomes the target that is re-established after re-login (obviously not useful for users).

I have a part of my application served by Cocoon which calls back the real application to get XML data. What I've done is put the XML-generating URLs into an unprotected space. These servlets (Struts actions, actually) do their own (mild) checking to see if the user is authenticated and authorized before returning the data. Otherwise, they return appropriate XML-formatted data that says "no credentials".

Here's where things would be different for you and me, because I use securityfilter. I simply show a login page directly from Cocoon, make the action=j_security_check and set a special forward_to URL parameter that tells securityfilter to redirect the user back to the page they originally requested (tricky, eh?).

In your case, you could redirect the user to some other page (like a trampoline page), Tomcat would demand credentials in the meantime, and then the trampoline would send the user back to your page with the flash movie.

Would that work for you?

-chris
Re: [OT] Tomcat 6.x security-constraint redirection problem... please help!
Christopher Schultz wrote:
> Pid,
>
> Pid wrote:
>> I have an app with a page which contains a flash object (displays a nice graph) that calls a groovy script periodically to get data. If the user session times out in between requests for the script, then when it's requested it's the first one after de-auth, so it becomes the target that is re-established after re-login (obviously not useful for users).
>
> I have a part of my application served by Cocoon which calls back the real application to get XML data. What I've done is put the XML-generating URLs into an unprotected space. These servlets (Struts actions, actually) do their own (mild) checking to see if the user is authenticated and authorized before returning the data. Otherwise, they return appropriate XML-formatted data that says "no credentials".
>
> Here's where things would be different for you and me, because I use securityfilter. I simply show a login page directly from Cocoon, make the action=j_security_check and set a special forward_to URL parameter that tells securityfilter to redirect the user back to the page they originally requested (tricky, eh?).
>
> In your case, you could redirect the user to some other page (like a trampoline page), Tomcat would demand credentials in the meantime, and then the trampoline would send the user back to your page with the flash movie.
>
> Would that work for you?

It may indeed. It's worth a try anyway - thanks - as my attempts to inform Javascript/Flash of the session expiry time are producing unfortunately uneven results.

p

> -chris
Re: Tomcat 6.x security-constraint redirection problem... please help!
samsina wrote:
> See inline...
>
> Pid-2 wrote:
>> Martin Gainty wrote:
>>> please display non-proprietary attributes of HTTPS (Port 8443 or 443) Connector element values from %TOMCAT_HOME%/conf/server.xml
>>
>> OP: Don't attempt to decipher or respond to the above, it's a red herring. You could instead tell us exactly which 6.x you are using and on which OS.
>
> I am running in Red Hat 3.4.6-2
>
>> There's a couple of things that may be confusing the config below, which have some simple corrections. I usually place login.jsp and error.jsp in WEB-INF/login/, where they are protected from unwanted attention by default - this avoids the need to protect them with a security-constraint.
>>
>> You are also protecting index.jsp - which will force a login when the app's homepage is accessed, is this what you intended?
>
> Yes
>
>> Are you logging out programmatically, using the servlet method request.getSession().invalidate(), or are you just clearing cookies?
>
> I invalidate the session programmatically... correct.
>
>> Your primary problem sounds like you have placed some CSS or script files somewhere in a protected directory and the browser is requesting them without providing the correct authentication credentials. Tomcat returns the *first* file you requested inside the secured area after authentication is completed. So for some reason your browser is requesting a script or CSS file before the JSP page. Are the script and CSS files in an unprotected directory?
>
> You are absolutely correct, basically the scenario is like this: the page is including
>
>   <link rel="stylesheet" type="text/css" href="/app1/resources-folder/style.css" />
>
> So the browser should apply the style to the page, but instead it outputs the actual file to the browser. So it should the style.css from the jsp file. This scenario happens when I try to add url-pattern in security constraint in web.xml (basically adding that module patterns as I described in first post). Otherwise, it works fine.
The most simple solution here is to move the CSS files to an unprotected directory.

p
Re: Tomcat 6.x security-constraint redirection problem... please help!
Pid,

Pid wrote:
> There's a couple of things that may be confusing the config below, which have some simple corrections. I usually place login.jsp and error.jsp in WEB-INF/login/, where they are protected from unwanted attention by default - this avoids the need to protect them with a security-constraint.

Agreed. I've found that when using Tomcat to serve static content, these things tend to happen. The reason is that Tomcat saves the first unauthorized request and then repeats it after successful authentication. If the last request was for something like a CSS file (say, because the CSS file was protected, but the main page wasn't), then you'll end up being served the CSS file after login. It can be very disorienting.

> Tomcat returns the *first* file you requested inside the secured area after authentication is completed. So for some reason your browser is requesting a script or CSS file before the JSP page.

For some reason, I thought it was the most recent request it saved. First makes more sense; thanks for mentioning it.

-chris
Re: Tomcat 6.x security-constraint redirection problem... please help!
Chris,

On Thu, Jan 15, 2009 at 6:10 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> Tomcat returns the *first* file you requested inside the secured area after authentication is completed. So for some reason your browser is requesting a script or CSS file before the JSP page.
>
> For some reason, I thought it was the most recent request it saved. First makes more sense; thanks for mentioning it.

As I wrote in some other post, I've developed a valve handling this issue: you'll be able to configure the URI which is called after successful login, meaning the recent request will be dropped. Due to some workload on my desk here, it will take some more days until the source of that valve is going to be posted as a Tomcat RFE in the bug database. Once I've managed to put it there, I'll let the list know about it.

Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: Tomcat 6.x security-constraint redirection problem... please help!
Martin Gainty wrote:
> please display non-proprietary attributes of HTTPS (Port 8443 or 443) Connector element values from %TOMCAT_HOME%/conf/server.xml

OP: Don't attempt to decipher or respond to the above, it's a red herring. You could instead tell us exactly which 6.x you are using and on which OS.

There's a couple of things that may be confusing the config below, which have some simple corrections. I usually place login.jsp and error.jsp in WEB-INF/login/, where they are protected from unwanted attention by default - this avoids the need to protect them with a security-constraint.

You are also protecting index.jsp - which will force a login when the app's homepage is accessed, is this what you intended?

Are you logging out programmatically, using the servlet method request.getSession().invalidate(), or are you just clearing cookies?

Your primary problem sounds like you have placed some CSS or script files somewhere in a protected directory and the browser is requesting them without providing the correct authentication credentials. Tomcat returns the *first* file you requested inside the secured area after authentication is completed. So for some reason your browser is requesting a script or CSS file before the JSP page. Are the script and CSS files in an unprotected directory?

p
Re: Tomcat 6.x security-constraint redirection problem... please help!
See inline...

Pid-2 wrote:
> Martin Gainty wrote:
>> please display non-proprietary attributes of HTTPS (Port 8443 or 443) Connector element values from %TOMCAT_HOME%/conf/server.xml
>
> OP: Don't attempt to decipher or respond to the above, it's a red herring. You could instead tell us exactly which 6.x you are using and on which OS.

I am running in Red Hat 3.4.6-2

> There's a couple of things that may be confusing the config below, which have some simple corrections. I usually place login.jsp and error.jsp in WEB-INF/login/, where they are protected from unwanted attention by default - this avoids the need to protect them with a security-constraint.
>
> You are also protecting index.jsp - which will force a login when the app's homepage is accessed, is this what you intended?

Yes

> Are you logging out programmatically, using the servlet method request.getSession().invalidate(), or are you just clearing cookies?

I invalidate the session programmatically... correct.

> Your primary problem sounds like you have placed some CSS or script files somewhere in a protected directory and the browser is requesting them without providing the correct authentication credentials. Tomcat returns the *first* file you requested inside the secured area after authentication is completed. So for some reason your browser is requesting a script or CSS file before the JSP page. Are the script and CSS files in an unprotected directory?

You are absolutely correct, basically the scenario is like this: the page is including

  <link rel="stylesheet" type="text/css" href="/app1/resources-folder/style.css" />

So the browser should apply the style to the page, but instead it outputs the actual file to the browser. So it should the style.css from the jsp file. This scenario happens when I try to add url-pattern in security constraint in web.xml (basically adding that module patterns as I described in first post). Otherwise, it works fine.
> p
Tomcat 6.x security-constraint redirection problem... please help!
I have defined two roles (admin, user):

  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>

Each of these roles needs to access separate modules in my webapp. For achieving this, I have the following security-constraint in tomcat web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authorized Access Area</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/error.jsp</url-pattern>
      <url-pattern>/app1/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authorized Access Area</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/error.jsp</url-pattern>
      <url-pattern>/app2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>

Consider the following steps:

1. Access context/app1/app1action.jsp URL
2. I get prompted for credentials
3. I login as normal user, and on successful login I get redirected to app1action.jsp page (desired behavior)
4. Now, I clear my cache sessions authentication from browser (firefox)
5. Browse into some link in app1action.jsp page pointing to some other page eg. context/app1/anotherpage.jsp
6. Now I get prompted to relogin
7. On successful login, I expect myself to get redirected to 'anotherpage.jsp'. But instead it redirects me to the resources (JS / img / css) that are included within 'anotherpage.jsp', eg. context/resources/sample.js or sample.css or sample.gif

I spent a couple of days googling this issue with no luck. Can you please advise how to get properly redirected?

~ Many Thanks
--
View this message in context: http://www.nabble.com/Tomcat-6.x-security-constraint-redirection-problem...-please-help%21-tp21448079p21448079.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
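As an added example that is not part of the thread, here is a web.xml laid out the way the replies recommend: static resources outside every security-constraint, so a CSS/JS/image request can never be the saved request that Tomcat replays after login, and the login/error pages under WEB-INF. The /resources/ path, the WEB-INF/login/ location, the web-resource names and the use of FORM authentication are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Assumptions: CSS/JS/images live
     under /resources/, login.jsp and error.jsp have been moved to
     WEB-INF/login/, and the realm defines the roles "user" and
     "administrator". -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Only the application modules are constrained. /resources/* is
       deliberately NOT listed: stylesheets and scripts referenced by a
       protected page are served without authentication, so the first
       request Tomcat saves and replays is always the page itself.
       The catch-all *.jsp pattern from the original post is dropped and the
       pages each role needs are listed explicitly, so the two constraints
       do not overlap. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>App1 (user)</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/app1/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>App2 (administrator)</web-resource-name>
      <url-pattern>/app2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The login and error pages sit under WEB-INF, which the container
       never serves to a direct browser request, so they need no
       url-pattern of their own and cannot themselves become the saved
       request. The container reaches them by internal forward. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>
```

With this layout, repeating the steps in the original post lands on anotherpage.jsp after re-login, because sample.js, sample.css and sample.gif under /resources/ never trigger the authenticator.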