Re: Form-based security
What happens if you load your error page using the address bar? Can you see it? Isn't it a path matter?

regards,
Omar

On Wed, 19 Jan 2005 00:06:20 -0500, Venkat Radha Venkataramanan [EMAIL PROTECTED] wrote:

Hello:

I just wrote my first form-based security control. It works fine if I sign in with a user id that plays the permitted role. But when I enter a user id that does not play the permitted role, instead of getting my customized error page, autherr.html, I get a generic 403 error. Can somebody tell me what I am doing wrong?

Thanks.
Venkat

Web.xml section:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyFirst</web-resource-name>
    <description>accessible by authenticated users of the tomcat role</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These roles are allowed access</description>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyFirst Protected Area</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/autherr.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>Only 'tomcat' role is allowed to access this web application</description>
  <role-name>tomcat</role-name>
</security-role>

--
Adobati Omar [EMAIL PROTECTED]

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form-based security
Omar! Aha! Even the autherr.html page seems to be protected by the form-based security. When I try to open autherr.html by the url, http://127.0.0.1:8080/MyFirst/autherr.html, I get the login page! How would I unprotect it?

Thanks.
RE: Form based security and Remember Me
Here's how I've done it - First of all, I don't use j_security_check as my action, but rather auth/ which maps to a LoginServlet. That servlet does some other things, but here's the relevant code. The StringUtil.encodeString(password) method changes the cookie to be base64 encrypted. Not a very good encryption, but better than nothing.

LoginServlet.java:

String username = request.getParameter("j_username").toLowerCase();
String password = request.getParameter("j_password");

if (request.getParameter("rememberMe") != null) {
    response = RequestUtil.setCookie(response, "rememberMe", "true", false);
    response = RequestUtil.setCookie(response, "password", StringUtil.encodeString(password), false);
}

String req = "j_security_check?j_username=" + RequestUtils.encodeURL(username)
           + "&j_password=" + RequestUtils.encodeURL(password);
response.sendRedirect(response.encodeRedirectURL(req));

Then I have a filter mapped to /* and it has the following code:

Cookie rememberMe = RequestUtil.getCookie(request, "rememberMe");
Cookie passCookie = RequestUtil.getCookie(request, "password");
String password = (passCookie != null) ? URLDecoder.decode(passCookie.getValue(), "UTF-8") : null;

// <form-error-page>/login.jsp?error=true</form-error-page>
boolean authFailed = StringUtils.equals(request.getParameter("error"), "true");

// check to see if the user is logging out, if so, remove the
// rememberMe cookie and password Cookie
if ((request.getRequestURL().indexOf("logout") != -1) || authFailed) {
    if (log.isDebugEnabled()) {
        log.debug("deleting rememberMe-related cookies");
    }
    response = RequestUtil.deleteCookie(response, RequestUtil.getCookie(request, "rememberMe"));
    response = RequestUtil.deleteCookie(response, passCookie);
}

if ((request.getRequestURL().indexOf("login") != -1) && !authFailed) {
    // Check to see if we should automatically login the user
    // container is routing user to login page, check for remember me cookie
    Cookie userCookie = RequestUtil.getCookie(request, "username");
    // null-check the cookie that is dereferenced on this line
    String username = (userCookie != null) ? URLDecoder.decode(userCookie.getValue(), "UTF-8") : null;

    if ((rememberMe != null) && (password != null)) {
        // authenticate user without displaying login page
        String route = "j_security_check?j_username=" + username
                     + "&j_password=" + StringUtil.decodeString(password);
        if (log.isDebugEnabled()) {
            log.debug("I remember you '" + username + "', attempting authentication...");
        }
        response.sendRedirect(response.encodeRedirectURL(route));
        return;
    }
}

chain.doFilter(req, resp);

This has been working great for me, but I've only tested it on Tomcat.

HTH,
Matt

-----Original Message-----
From: John Trollinger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: Form based security and Remember Me

I searched the archive and only saw one message pertaining to this. Is anyone doing this at all? And if so how?

Thanks,
John
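A remember-me cookie that carries no password, as an added example that is not Matt's code or part of Tomcat: the cookie holds a random selector and validator, the server keeps only a hash of the validator, and every token is single-use. The class and method names, the in-memory map and the sample values are assumptions; turning the returned user name into a container login is outside the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (Java 17). All names here are hypothetical, not from the post above.
public class RememberMeTokens {

    /** Server-side row: user, SHA-256 of the validator, expiry. No password anywhere. */
    record Entry(String username, byte[] validatorHash, Instant expires) {}

    /** Outcome of a successful redeem: who it is, and the replacement cookie value. */
    record Login(String username, String nextCookie) {}

    private final Map<String, Entry> store = new ConcurrentHashMap<>(); // stand-in for a DB table
    private final SecureRandom rng = new SecureRandom();
    private final Duration lifetime;

    RememberMeTokens(Duration lifetime) { this.lifetime = lifetime; }

    private String random(int bytes) {
        byte[] b = new byte[bytes];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    /** Call after a successful login with "remember me" ticked; returns the cookie value. */
    String issue(String username, Instant now) {
        String selector = random(12), validator = random(32);
        store.put(selector, new Entry(username, sha256(validator), now.plus(lifetime)));
        return selector + ":" + validator; // ':' is outside the base64url alphabet
    }

    /** Returns null unless the cookie names a live entry and the validator matches. */
    Login redeem(String cookieValue, Instant now) {
        int sep = (cookieValue == null) ? -1 : cookieValue.indexOf(':');
        if (sep <= 0) return null;
        Entry e = store.remove(cookieValue.substring(0, sep)); // single use: gone after one try
        if (e == null || now.isAfter(e.expires())) return null;
        byte[] presented = sha256(cookieValue.substring(sep + 1));
        if (!MessageDigest.isEqual(presented, e.validatorHash())) return null; // constant-time compare
        return new Login(e.username(), issue(e.username(), now));
    }

    /** Logout or password change: drop every token of that user. */
    void revokeAll(String username) {
        store.values().removeIf(e -> e.username().equals(username));
    }

    /** Header value for the cookie; rememberMe is the cookie name used in the post. */
    String setCookieHeader(String cookieValue) {
        return "rememberMe=" + cookieValue + "; Max-Age=" + lifetime.toSeconds()
                + "; Path=/; Secure; HttpOnly; SameSite=Lax";
    }

    public static void main(String[] args) {
        RememberMeTokens tokens = new RememberMeTokens(Duration.ofDays(14));
        Instant t0 = Instant.parse("2003-02-20T13:12:00Z"); // constructed sample values
        String cookie = tokens.issue("john", t0);
        System.out.println("Set-Cookie: " + tokens.setCookieHeader(cookie));

        Login first = tokens.redeem(cookie, t0.plusSeconds(3600));
        System.out.println("first use -> " + first.username());
        System.out.println("replay    -> " + tokens.redeem(cookie, t0.plusSeconds(3600)));
        System.out.println("tampered  -> " + tokens.redeem(first.nextCookie() + "x", t0.plusSeconds(7200)));
        String stale = tokens.issue("john", t0);
        System.out.println("expired   -> " + tokens.redeem(stale, t0.plus(Duration.ofDays(15))));
        tokens.revokeAll("john");
    }
}
```

Because the stored value is a hash of a random validator, a leaked token table or a stolen cookie exposes neither the password nor a value that can be replayed after its first use.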
RE: Form based security and Remember Me
Howdy,

I'm not doing this, and I'm one of those people who cleans their cache every time their browser is closed (12Ghosts auto wash is among the greatest tools I've ever seen for any computing purpose, ever), so Remember Me functionality doesn't typically work for me, but...

> Is anyone doing this at all? And if so how?

Assuming remember me is a checkbox, e.g.

<input type="checkbox" name="rememberUser" value="true">Remember Me</input>

Then something like:

String rememberUserString = request.getParameter("rememberUser");
if ((rememberUserString != null) && (rememberUserString.equalsIgnoreCase("true"))) {
    // Create cookie
    Cookie userInfoCookie = new Cookie(...);
    response.addCookie(userInfoCookie);
}

Then other pages in the app attempt to retrieve the cookie (using request.getCookies() and iterating through the cookies). You can retrieve the information in a fairly cross-browser, server-independent way. You can also set attributes in the session (HttpSession.setAttribute("myUserName", username) or whatever) or do it in many other ways.

Yoav Shapira
Millennium ChemInformatics

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
RE: Form based security and Remember Me
But does this work with Form based authentication and realms... How do you let the realm know that the user remembered so the login can be bypassed?

John
Re: Form based security and Remember Me
From: John Trollinger [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 12:31 PM
Subject: RE: Form based security and Remember Me

> But does this work with Form based authentication and realms... How do you let the realm know that the user remembered so the login can be bypassed?

This was touched on before, but the basic problem is that a Servlet does not have a portable way of actually setting the authentication details necessary for you to do what you want to do.

What you want to do, essentially, is have a servlet do your authentication before in order to bypass the container's inherent authentication mechanism. But, the API doesn't let you do this.

Which means you have to implement all of your own security some other way. Which is a drag.

Regards,

Will Hartung
([EMAIL PROTECTED])
RE: Form based security and Remember Me
A thought (just started following the thread).

I can see a problem, in that the cookies may never get initialised because of the use of the checkbox. If the checkbox hasn't been selected, you'll always receive null from the form. Would suggest using a radio button instead, where the parameter will always return a value (null is definitely an error).

Hope this is relevant to the thread

Bill
Re: Form based security
Redirecting all 400 errors to your index page is a questionable practice because not all 400 (SC_BAD_REQUEST) errors are "Invalid direct reference ..." errors.

I wish that there was a legitimate configuration change to enable you to bookmark a login.jsp page--such as a j_success_url parameter which instructs Tomcat where to send users if not doing an automated login process.

PS: Check the font size defined in the blog stylesheets. They were huge in IE6.
Re: Form based security
On Fri, Feb 14, 2003 at 03:42:21PM -0700, Sean Dockery wrote:
> Redirecting all 400 errors to your index page is a questionable practice because not all 400 (SC_BAD_REQUEST) errors are "Invalid direct reference ..." errors.
>
> I wish that there was a legitimate configuration change to enable you to bookmark a login.jsp page--such as a j_success_url parameter which instructs Tomcat where to send users if not doing an automated login process.

One thought I had, which I have yet to follow up on, is to insert some sort of filter, either before the redirect-to-login-form or after the login (but before the invalid direct reference error gets thrown) that redirects the user to the welcome page.

Steven J. Owens
[EMAIL PROTECTED]

"I'm going to make broad, sweeping generalizations and strong, declarative statements, because otherwise I'll be here all night and this document will be four times longer and much less fun to read. Take it all with a grain of salt." - Me at http://darksleep.com
Re: Form based security
I could not see an easy way to determine if you were authenticated, however, using the struts tag libraries. The request tag library in the commons project does provide a means for creating a request bean, which you could then logic:test remoteUser against, but that's not exactly obvious when you want to do a simple...

<logic:...>
  Welcome, <bean:write ... property="remoteUser"/>!
</logic>
<logic:...>
  Welcome, Guest!
</logic:...>

:-)

----- Original Message -----
From: Raible, Matt [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 08:56
Subject: RE: Form based security

Struts can hook into container-managed security - it has support for roles in its <logic:present ...> tag, in a roles attribute on its action mappings, and also in Tiles for displaying different pages based on roles. It really does nothing special - just hooks into what's already there. If you're using form-based authentication - Struts will play nicely with it.

HTH,
Matt
RE: Form based security
Are you going directly to the login page? If so then you need to go to a page that's listed as being secure. You will then be forwarded to the login page. When you've logged in successfully then you will be forwarded to the page you originally requested.

Hamish

-----Original Message-----
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Form based security

I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:

<form method="POST" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Submit">
</form>

And I have the following in my web.xml:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

Can anyone help me out here?

--
Sloan
Re: Form based security
I have a filter set up so that if they don't go to the index.jsp or login.jsp it will redirect them to the login.jsp. (is that the best way?)

So basically they either go to the index.jsp or login.jsp page.

How do I list a page as secure? Do I have to write code for the j_security_check or is this something within tomcat?
Re: Form based security
Ok, I figured most of the things out. My next question (along the same lines) is this:

I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about:

Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan
RE: Form based security
I think you've got the wrong idea about how the form-based security works. It is counter-intuitive I agree but anyway...

Firstly the login form should not be in the secure area. Define as the default page something in the secure area. When the user tries to go to this default page tomcat will redirect them to the login page. After they've logged in successfully Tomcat will redirect them to the page they originally asked for (i.e. the default page).

You don't need a filter to do this. Tomcat does it automatically for you.

Hamish
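A check for the situation Hamish describes here and Venkat ran into in the autherr.html thread at the top of the page, as an added example that is not code from any poster or from Tomcat: it reads a web.xml and reports whether a direct request for the form-login-page or form-error-page falls under a role-protected constraint. The class and method names are hypothetical, the two web.xml strings are constructed from the posted section, and http-method lists are ignored.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
// Added example (Java 17); class and method names are hypothetical.
public class FormAuthPageCheck {
    /** One url-pattern and whether its security-constraint carries an auth-constraint. */
    record Rule(String pattern, boolean needsRole) {}

    /** Match strength: exact > longest path prefix > extension > default servlet. */
    static int rank(String pattern, String path) {
        if (pattern.equals(path)) return Integer.MAX_VALUE;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return 1000 + prefix.length();
        }
        if (pattern.startsWith("*.") && path.endsWith(pattern.substring(1))) return 2;
        return pattern.equals("/") ? 1 : 0;
    }

    /** True when the best-matching constraint for a direct request demands a role. */
    static boolean isProtected(List<Rule> rules, String path) {
        int best = 0;
        boolean needsRole = false;
        for (Rule r : rules) {
            int k = rank(r.pattern(), path);
            if (k > best) { best = k; needsRole = r.needsRole(); }
            else if (k == best && k > 0) needsRole = needsRole && r.needsRole(); // open constraint wins a tie
        }
        return needsRole;
    }

    static List<Rule> rules(Document doc) {
        List<Rule> out = new ArrayList<>();
        NodeList constraints = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element c = (Element) constraints.item(i);
            boolean needsRole = c.getElementsByTagName("auth-constraint").getLength() > 0;
            NodeList patterns = c.getElementsByTagName("url-pattern");
            for (int j = 0; j < patterns.getLength(); j++)
                out.add(new Rule(patterns.item(j).getTextContent().trim(), needsRole));
        }
        return out;
    }

    /** One report line per configured login/error page. */
    static List<String> check(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        List<Rule> rules = rules(doc);
        List<String> report = new ArrayList<>();
        for (String tag : List.of("form-login-page", "form-error-page")) {
            NodeList n = doc.getElementsByTagName(tag);
            if (n.getLength() == 0) continue;
            String page = n.item(0).getTextContent().trim().split("\\?")[0]; // drop query string
            report.add(tag + " " + page + ": " + (isProtected(rules, page) ? "PROTECTED" : "open"));
        }
        return report;
    }

    // Constructed from the web.xml section posted in the autherr.html thread.
    static final String POSTED = """
        <web-app>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>MyFirst</web-resource-name><url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint><role-name>tomcat</role-name></auth-constraint>
          </security-constraint>
          <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
              <form-login-page>/login.html</form-login-page>
              <form-error-page>/autherr.html</form-error-page>
            </form-login-config>
          </login-config>
        </web-app>""";
    // Same file plus a constraint with no auth-constraint; its exact-match patterns outrank /*.
    static final String OPENED = POSTED.replace("<login-config>", """
        <security-constraint>
            <web-resource-collection>
              <web-resource-name>Login pages</web-resource-name>
              <url-pattern>/login.html</url-pattern><url-pattern>/autherr.html</url-pattern>
            </web-resource-collection>
          </security-constraint>
          <login-config>""");

    public static void main(String[] args) throws Exception {
        System.out.println("as posted: " + check(POSTED));
        System.out.println("opened:    " + check(OPENED));
    }
}
```

The form-error-page is what the container shows when the login itself fails; an authenticated user who lacks the required role gets a 403 instead, and a custom page for that case is mapped with an error-page element for error code 403.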
Re: Form based security
Ok, I've got it now... Thanks for the information.

Now my manager is saying he wanted it all done in Struts and that Struts has a security model that I should be using. Is he wrong? I thought struts was just tag libs and an MVC for hitting business logic.

Time for me to learn struts now I guess...

--
Sloan

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:33 AM
Subject: RE: Form based security

I think you've got the wrong idea about how the form-based security works. It is counter-intuitive I agree but anyway... Firstly the login form should not be in the secure area. Define as the default page something in the secure area. When the user tries to go to this default page tomcat will redirect them to the login page. After they've logged in successfully Tomcat will redirect them to the page they originally asked for (i.e. the default page). You don't need a filter to do this. Tomcat does it automatically for you.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:32 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I figured most of the things out. My next question (along the same lines) is this: I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about:

    Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan

- Original Message -
From: Sloan Seaman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:01 AM
Subject: Re: Form based security

I have a filter set up so that if they don't go to the index.jsp or login.jsp it will redirect them to the login.jsp. (is that the best way?) So basically they either go to the index.jsp or login.jsp page.

How do I list a page as secure? Do I have to write code for the j_security_check or is this something within tomcat?

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 9:50 AM
Subject: RE: Form based security

Are you going directly to the login page? If so then you need to go to a page that's listed as being secure. You will then be forwarded to the login page. When you've logged in successfully then you will be forwarded to the page you originally requested.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Form based security

I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username"/>
      <input type="password" name="j_password"/>
      <input type="submit" value="Submit">
    </form>

And I have the following in my web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>

Can anyone help me out here?

--
Sloan
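The layout Hamish describes in the message quoted above (login form outside the secure area, a protected page as the entry point) can be checked directly against a web.xml. This is an added example, not code from the thread or from Tomcat: the two web.xml fragments are constructed on the model of the login-config posted above, and the /secure/* pattern and all function names are assumptions. Matching follows the servlet url-pattern rules but ignores http-method elements and XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments modelled on the thread (no XML namespace).
# WEAK constrains /*, so the login and error pages are themselves protected.
WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# FIXED constrains only an assumed /secure/* area; the login pages stay public.
FIXED = WEAK.replace("<url-pattern>/*<", "<url-pattern>/secure/*<")


def match_rank(pattern, path):
    """Rank a servlet url-pattern against a path; None means no match.
    Higher tuples win: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def requires_login(web_xml, path):
    """True if the best-matching security-constraint for path has an
    auth-constraint. Simplification: http-method elements are ignored."""
    best_rank, protected = None, False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        has_auth = sc.find("auth-constraint") is not None
        for pat in sc.iter("url-pattern"):
            rank = match_rank((pat.text or "").strip(), path)
            if rank is None:
                continue
            if best_rank is None or rank > best_rank:
                best_rank, protected = rank, has_auth
            elif rank == best_rank:
                # Same pattern in two constraints: one without an
                # auth-constraint leaves the resource open.
                protected = protected and has_auth
    return protected


def check_form_login(web_xml):
    """Return (element, path) for FORM login pages inside the protected area."""
    cfg = ET.fromstring(web_xml).find("login-config/form-login-config")
    findings = []
    for tag in ("form-login-page", "form-error-page"):
        page = cfg.findtext(tag) if cfg is not None else None
        if page and requires_login(web_xml, page.strip()):
            findings.append((tag, page.strip()))
    return findings


if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, check_form_login(doc) or "login pages are outside the secure area")
```
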
RE: Form based security
Here's how I solved your issue: http://tinyurl.com/5s4e

HTH,

Matt

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 8:32 AM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I figured most of the things out. My next question (along the same lines) is this: I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about:

    Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan

- Original Message -
From: Sloan Seaman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:01 AM
Subject: Re: Form based security

I have a filter set up so that if they don't go to the index.jsp or login.jsp it will redirect them to the login.jsp. (is that the best way?) So basically they either go to the index.jsp or login.jsp page.

How do I list a page as secure? Do I have to write code for the j_security_check or is this something within tomcat?

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 9:50 AM
Subject: RE: Form based security

Are you going directly to the login page? If so then you need to go to a page that's listed as being secure. You will then be forwarded to the login page. When you've logged in successfully then you will be forwarded to the page you originally requested.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Form based security

I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username"/>
      <input type="password" name="j_password"/>
      <input type="submit" value="Submit">
    </form>

And I have the following in my web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>

Can anyone help me out here?

--
Sloan
RE: Form based security
No, Struts doesn't have a security model of its own but it does make it considerably easier to build your own if that's the path you want to go down.

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:52 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I've got it now... Thanks for the information.

Now my manager is saying he wanted it all done in Struts and that Struts has a security model that I should be using. Is he wrong? I thought struts was just tag libs and an MVC for hitting business logic.

Time for me to learn struts now I guess...

--
Sloan

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:33 AM
Subject: RE: Form based security

I think you've got the wrong idea about how the form-based security works. It is counter-intuitive I agree but anyway... Firstly the login form should not be in the secure area. Define as the default page something in the secure area. When the user tries to go to this default page tomcat will redirect them to the login page. After they've logged in successfully Tomcat will redirect them to the page they originally asked for (i.e. the default page). You don't need a filter to do this. Tomcat does it automatically for you.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:32 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I figured most of the things out. My next question (along the same lines) is this: I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about:

    Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan

- Original Message -
From: Sloan Seaman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:01 AM
Subject: Re: Form based security

I have a filter set up so that if they don't go to the index.jsp or login.jsp it will redirect them to the login.jsp. (is that the best way?) So basically they either go to the index.jsp or login.jsp page.

How do I list a page as secure? Do I have to write code for the j_security_check or is this something within tomcat?

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 9:50 AM
Subject: RE: Form based security

Are you going directly to the login page? If so then you need to go to a page that's listed as being secure. You will then be forwarded to the login page. When you've logged in successfully then you will be forwarded to the page you originally requested.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Form based security

I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username"/>
      <input type="password" name="j_password"/>
      <input type="submit" value="Submit">
    </form>

And I have the following in my web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>

Can anyone help me out here?

--
Sloan
RE: Form based security
Struts can hook into container-managed security - it has support for roles in its <logic:present ...> tag, in a roles attribute on its action mappings, and also in Tiles for displaying different pages based on roles. It really does nothing special - just hooks into what's already there. If you're using form-based authentication - Struts will play nicely with it.

HTH,

Matt

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 8:52 AM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I've got it now... Thanks for the information.

Now my manager is saying he wanted it all done in Struts and that Struts has a security model that I should be using. Is he wrong? I thought struts was just tag libs and an MVC for hitting business logic.

Time for me to learn struts now I guess...

--
Sloan

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:33 AM
Subject: RE: Form based security

I think you've got the wrong idea about how the form-based security works. It is counter-intuitive I agree but anyway... Firstly the login form should not be in the secure area. Define as the default page something in the secure area. When the user tries to go to this default page tomcat will redirect them to the login page. After they've logged in successfully Tomcat will redirect them to the page they originally asked for (i.e. the default page). You don't need a filter to do this. Tomcat does it automatically for you.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:32 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I figured most of the things out. My next question (along the same lines) is this: I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about:

    Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan

- Original Message -
From: Sloan Seaman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:01 AM
Subject: Re: Form based security

I have a filter set up so that if they don't go to the index.jsp or login.jsp it will redirect them to the login.jsp. (is that the best way?) So basically they either go to the index.jsp or login.jsp page.

How do I list a page as secure? Do I have to write code for the j_security_check or is this something within tomcat?

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 9:50 AM
Subject: RE: Form based security

Are you going directly to the login page? If so then you need to go to a page that's listed as being secure. You will then be forwarded to the login page. When you've logged in successfully then you will be forwarded to the page you originally requested.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Form based security

I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username"/>
      <input type="password" name="j_password"/>
      <input type="submit" value="Submit">
    </form>

And I have the following in my web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>

Can anyone help me out here?

--
Sloan
Re: Form based security
Here is what I'm thinking: I'm going to configure a realm that uses a db to store the user information (I'll prob. end up posting questions about that one :) ). I'll use the taglib-request tags to provide security down to the 'within html' level. That along with the logic-present tags and tiles should get me where I need to go, correct? I'll use the web.xml configuration to handle all the rest of the security. Thanks for all the help on that one.

Here is another question for you: I have a servlet that I preload that loads all of my configuration info for my app. I want it to use the common-logging api to do the logging and actually use log4j. The issue I am having is that even though my log4j-conf.xml gets read in, all my logging output goes to tomcat's logs and not the ones I have specified.

So, two questions: Should I be preloading the servlet that way or is there some way in struts to do it? How do I get my code to use its own log4j configuration?

Again, thanks for all the help so far.

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:54 AM
Subject: RE: Form based security

No, Struts doesn't have a security model of its own but it does make it considerably easier to build your own if that's the path you want to go down.

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:52 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I've got it now... Thanks for the information.

Now my manager is saying he wanted it all done in Struts and that Struts has a security model that I should be using. Is he wrong? I thought struts was just tag libs and an MVC for hitting business logic.

Time for me to learn struts now I guess...

--
Sloan

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:33 AM
Subject: RE: Form based security

I think you've got the wrong idea about how the form-based security works. It is counter-intuitive I agree but anyway... Firstly the login form should not be in the secure area. Define as the default page something in the secure area. When the user tries to go to this default page tomcat will redirect them to the login page. After they've logged in successfully Tomcat will redirect them to the page they originally asked for (i.e. the default page). You don't need a filter to do this. Tomcat does it automatically for you.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:32 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I figured most of the things out. My next question (along the same lines) is this: I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about:

    Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan

- Original Message -
From: Sloan Seaman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:01 AM
Subject: Re: Form based security

I have a filter set up so that if they don't go to the index.jsp or login.jsp it will redirect them to the login.jsp. (is that the best way?) So basically they either go to the index.jsp or login.jsp page.

How do I list a page as secure? Do I have to write code for the j_security_check or is this something within tomcat?

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 9:50 AM
Subject: RE: Form based security

Are you going directly to the login page? If so then you need to go to a page that's listed as being secure. You will then be forwarded to the login page. When you've logged in successfully then you will be forwarded to the page you originally requested.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Form based security

I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username"
Re: Form based security
Back to the validation stuff. Ok, it validates my user based on the user info in tomcat-users.xml but it doesn't seem to be putting them in their roles. When I use the request taglibs isUserInRole tag to check on things the role is always empty. Am I missing a step or do I manually have to put the user in the role? If so, how?

Thanks again!

--
Sloan

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:54 AM
Subject: RE: Form based security

No, Struts doesn't have a security model of its own but it does make it considerably easier to build your own if that's the path you want to go down.

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:52 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I've got it now... Thanks for the information.

Now my manager is saying he wanted it all done in Struts and that Struts has a security model that I should be using. Is he wrong? I thought struts was just tag libs and an MVC for hitting business logic.

Time for me to learn struts now I guess...

--
Sloan

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:33 AM
Subject: RE: Form based security

I think you've got the wrong idea about how the form-based security works. It is counter-intuitive I agree but anyway... Firstly the login form should not be in the secure area. Define as the default page something in the secure area. When the user tries to go to this default page tomcat will redirect them to the login page. After they've logged in successfully Tomcat will redirect them to the page they originally asked for (i.e. the default page). You don't need a filter to do this. Tomcat does it automatically for you.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:32 PM
To: Tomcat Users List
Subject: Re: Form based security

Ok, I figured most of the things out. My next question (along the same lines) is this: I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about:

    Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan

- Original Message -
From: Sloan Seaman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:01 AM
Subject: Re: Form based security

I have a filter set up so that if they don't go to the index.jsp or login.jsp it will redirect them to the login.jsp. (is that the best way?) So basically they either go to the index.jsp or login.jsp page.

How do I list a page as secure? Do I have to write code for the j_security_check or is this something within tomcat?

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 9:50 AM
Subject: RE: Form based security

Are you going directly to the login page? If so then you need to go to a page that's listed as being secure. You will then be forwarded to the login page. When you've logged in successfully then you will be forwarded to the page you originally requested.

Hamish

-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Form based security

I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username"/>
      <input type="password" name="j_password"/>
      <input type="submit" value="Submit">
    </form>

And I have the following in my web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>

Can anyone help me out here?

--
Sloan