RE: Repost: Double Login
Are you using cookies or URL re-writing for session identifier? Are you doing anything funky with domain names or other such trickery which would cause your cookie to not be available upon doing the forward? -Troy -Original Message- From: Nathan McMinn [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 9:07 AM To: [EMAIL PROTECTED] Subject: Repost: Double Login Hi all, Some of you had been kind enough to assist with this issue I posted previously. I had thought it was fixed, but it has appeared again. Any ideas? I recently switched a web application from a memory realm to a JDBC realm for authentication. After making the switch, the web app now requires that users log in twice. The app is running with SSL, and using Basic authentication. The Login.jsp page listed in the XML below as the welcome file simply sets up session objects, etc. The first login occurs before the Login.jsp page will load. Once all of the session setup is complete, the Login.jsp page forwards the user to the application's main menu. It is at this point that the system asks for another login. Has anyone seen this behavior before? I've already searched Google, JGuru, etc etc. This is the current web.xml for the application having the problem. Any help would be greatly appreciated. Thanks.. Nathan McMinn web-app mime-mapping extensionjs/extension mime-typetext/javascript/mime-type /mime-mapping welcome-file-list welcome-fileLogin.jsp/welcome-file /welcome-file-list security-constraint display-nameWWEX Security Constraint/display-name web-resource-collection web-resource-nameDELETED/web-resource-name !-- Define the context-relative URL(s) to be protected -- url-pattern/*/url-pattern /web-resource-collection auth-constraint !-- Anyone with one of the listed roles may access this area -- role-nameuser/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameDELETED/realm-name /login-config /web-app -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Repost: Double Login
Nope, it is just HTTP BASIC authentication, running over SSL. And there is no magic url or domain trickery going on. The really unusual part is that with a memory realm, I didn't have this problem. It only popped up after switching to a JDBC Realm. - Original Message - From: Troy J. Kelley [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Wednesday, January 08, 2003 8:23 AM Subject: RE: Repost: Double Login Are you using cookies or URL re-writing for session identifier? Are you doing anything funky with domain names or other such trickery which would cause your cookie to not be available upon doing the forward? -Troy -Original Message- From: Nathan McMinn [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 9:07 AM To: [EMAIL PROTECTED] Subject: Repost: Double Login Hi all, Some of you had been kind enough to assist with this issue I posted previously. I had thought it was fixed, but it has appeared again. Any ideas? I recently switched a web application from a memory realm to a JDBC realm for authentication. After making the switch, the web app now requires that users log in twice. The app is running with SSL, and using Basic authentication. The Login.jsp page listed in the XML below as the welcome file simply sets up session objects, etc. The first login occurs before the Login.jsp page will load. Once all of the session setup is complete, the Login.jsp page forwards the user to the application's main menu. It is at this point that the system asks for another login. Has anyone seen this behavior before? I've already searched Google, JGuru, etc etc. This is the current web.xml for the application having the problem. Any help would be greatly appreciated. Thanks.. Nathan McMinn web-app mime-mapping extensionjs/extension mime-typetext/javascript/mime-type /mime-mapping welcome-file-list welcome-fileLogin.jsp/welcome-file /welcome-file-list security-constraint display-nameWWEX Security Constraint/display-name web-resource-collection web-resource-nameDELETED/web-resource-name !-- Define the context-relative URL(s) to be protected -- url-pattern/*/url-pattern /web-resource-collection auth-constraint !-- Anyone with one of the listed roles may access this area -- role-nameuser/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameDELETED/realm-name /login-config /web-app -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Repost: Double Login
Just a few thoughts since it looks like the JDBC realm that's causing you the problem. (And you don't say what Tomcat version you're using.) When I setup my own JDBC realm (for form-based-authentication) I noticed that its error handling wasn't all that hot. If the call errored (e.g. because I'd specified incorrect table or column names) it just looked like a failed logon. Maybe the first call is failing so the user's asked to log on again? (Tomcat 4.0.4) Also, what happens if you don't request the logon page first but request another protected page? (You may get errors generated, but at least that means your request got through...) How many times are you asked to authenticate then? If it's only one then that points to something your logon page is doing, right? Mike. - Original Message - From: Nathan McMinn [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Wednesday, January 08, 2003 2:26 PM Subject: Re: Repost: Double Login Nope, it is just HTTP BASIC authentication, running over SSL. And there is no magic url or domain trickery going on. The really unusual part is that with a memory realm, I didn't have this problem. It only popped up after switching to a JDBC Realm. - Original Message - From: Troy J. Kelley [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Wednesday, January 08, 2003 8:23 AM Subject: RE: Repost: Double Login Are you using cookies or URL re-writing for session identifier? Are you doing anything funky with domain names or other such trickery which would cause your cookie to not be available upon doing the forward? -Troy -Original Message- From: Nathan McMinn [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 9:07 AM To: [EMAIL PROTECTED] Subject: Repost: Double Login Hi all, Some of you had been kind enough to assist with this issue I posted previously. I had thought it was fixed, but it has appeared again. Any ideas? -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Repost: Double Login
Oh, I am running 4.0.6, using the JDBC - ODBC bridge, and the database is a D3 MultiValue system (legacy system). And after checking the logs, I find a copy of this error trace for every login java.sql.SQLException: [Microsoft][ODBC Driver Manager] Function sequence error at sun.jdbc.odbc.JdbcOdbc.createSQLException(JdbcOdbc.java:6879) at sun.jdbc.odbc.JdbcOdbc.standardError(JdbcOdbc.java:7036) at sun.jdbc.odbc.JdbcOdbc.SQLExecute(JdbcOdbc.java:3104) at sun.jdbc.odbc.JdbcOdbcPreparedStatement.execute(JdbcOdbcPreparedStatement.ja va:214) at sun.jdbc.odbc.JdbcOdbcPreparedStatement.executeQuery(JdbcOdbcPreparedStateme nt.java:89) at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:377) at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:326) at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthe nticator.java:161) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:506) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:2 46) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve. java:170) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :174) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java: 1027) at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125 ) at java.lang.Thread.run(Thread.java:536) - Original Message - From: Mike W-M [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Wednesday, January 08, 2003 9:09 AM Subject: Re: Repost: Double Login Just a few thoughts since it looks like the JDBC realm that's causing you the problem. (And you don't say what Tomcat version you're using.) When I setup my own JDBC realm (for form-based-authentication) I noticed that its error handling wasn't all that hot. If the call errored (e.g. because I'd specified incorrect table or column names) it just looked like a failed logon. Maybe the first call is failing so the user's asked to log on again? (Tomcat 4.0.4) Also, what happens if you don't request the logon page first but request another protected page? (You may get errors generated, but at least that means your request got through...) How many times are you asked to authenticate then? If it's only one then that points to something your logon page is doing, right? Mike. - Original Message - From: Nathan McMinn [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Wednesday, January 08, 2003 2:26 PM Subject: Re: Repost: Double Login Nope, it is just HTTP BASIC authentication, running over SSL. And there is no magic url or domain trickery going on. The really unusual part is that with a memory realm, I didn't have this problem. It only popped up after switching to a JDBC Realm. - Original Message - From: Troy J. Kelley [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Wednesday, January 08, 2003 8:23 AM Subject: RE: Repost: Double Login Are you using cookies or URL re-writing for session identifier? Are you doing anything funky with domain names or other such trickery which would cause your cookie to not be available upon doing the forward? -Troy -Original Message- From: Nathan McMinn [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 9:07 AM To: [EMAIL PROTECTED] Subject: Repost: Double Login Hi all, Some of you had been kind enough to assist with this issue I posted previously. I had thought it was fixed