Re: HTML 508 error with container authentication and virtual host
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David, On 7/8/15 3:12 PM, David Hoffer wrote: Here is information on how we have Apache configured. Apache is the virtual host and it redirects to the (war) app deployed in Tomcat. Note it has the app name in the ProxyPass/ProxyPassReverse URL. Regarding your question on how we deploy the app, I use Tomcat's Manager app to upload a war file. Note this same Tomcat instance has several other war apps as well. Note at first we thought this was working as it does redirect to the right app and the correct login page, the problem is when they click the Login button that's when the 408 error occurs. The 408 error does not occur if we launch the app via http://localhost:8080/myapp/. The error only occurs when users use sub1.mydomain.com which is the only URL that will have access to. What are we doing wrong? We are probably missing something simple...just don't see it. Also I'd be happy to upgrade Tomcat to a later version if that would help. ##Apache: Just a ReverseProxy to the Tomcat app: VirtualHost *:80 ServerName sub1.mydomain.com ServerAlias sub1.mydomain.com ## ReverseProxy's ProxyRequests Off ProxyPreserveHost Off # Have tried both on and off Proxy * Order deny,allow Allow from all /Proxy ProxyPass / http://localhost:8080/myapp/ ProxyPassReverse / http://localhost:8080/myapp/ Changing the context path in ProxyPass(Reverse) is a recipe for many headaches and tears. Is there any way your users could tolerate adding /myapp to the end of their URLs? Or, you could re-name your WAR from myapp.war to ROOT.war and use the root context (/) instead of /myapp. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVn7/iAAoJEBzwKT+lPKRY56gQAKvTUdxjUii9/a1ypVDT028U 0hhw1Uv/ZxwozzCVVK9LnUhV7ntQKfrttdBjUTR61yer0y1Z/yKm25L+zAL9Ou4s tVHi5/NdheCx1SmG68ZfJTkH6p8n2aQiDOraTwufJMLqM8z7e6XJd9PKDxwxOGU9 2BMEzbr5Lyv7oT+oj3NjhflMEESwcSgwzV46qDvgn0zav7QJgN4fgU4x2pvdQNOk 98oihJE6PA0F427rZ+W0Sb917Ly71FxqCYAwJ3K69S5XN6HIZ7EWrm7Kg+Vd5Y5e vZ3Gjv81ZwlO5mY6u/lO9TPx4yltqNsWg4gelBLYPsj2TWZbD7R0eYZjOV7Nz3Tk rFyowLeLy1F/VZWtv7vDDL7J5RN6rdZ3KQohJMHLwThwcITB9KIADqZQXPp3KWn9 PnxvExKd7Lw0yE/nAIPpNs0FOzZ964XFrn8ltykpI65HeBUzrcPuS+gvJyybUD// u4YVygy8mah6Odwb0yI55IfGblkukD7IxyKYeC+G0LAoaX/+f6VHPXw4/rHqmKl4 60DZxrKsvhzI04ilPNnX9LJ5oIizqqtTVSCj5OVKsqxrsmc0mWwmC6RiqUyWMYD6 0Eiz4okdbBP6+tNoFsr3wBh5yn9gq9zKjRv1XW9qVUGzuV0TN1IEZpK4uECP3KyD 1h3+gMwOdt0Lu8OG3NZq =UpYE -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
2015-07-07 19:05 GMT+03:00 David Hoffer dhoff...@gmail.com: My bad. I recalled the error wrong...it's 408. HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser Error 408 means that your HTTP session has expired. (or similar problem such as if the request does not contain a correct sessionid cookie) Effectively, Tomcat does not know where to redirect your user after successful authentication, as that address (the original request) is kept in the session. As a workaround against session expirations it is possible to configure a default landing address http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David, On 7/7/15 11:14 AM, David Hoffer wrote: Here is the relevant parts of the web.xml. I didn't do the Apache configuration so I'll have to get more details there but I was told that is no different than how we configure virtual hosts for other apps that don't use Tomcat's authentication. E.g. it seems Tomcat is requiring to have the app's name in the URL...not a subdomain. Well, /of course/ Tomcat requires the app's name in the URL. That's how Tomcat figures out which application should take the request. Where is your application deployed? What WAR file (or exploded-WAR directory)? Any other details that might help explain what's going on? As André said, none of us has a crystal ball (well... one of us does, but he's been MIA for quite a long time). FORM authentication works in Tomcat, whether through an httpd-based proxy or not. Most of us use it /all the time/. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVnStSAAoJEBzwKT+lPKRYrjUP/2DO0eK+Ee1r2SqqVBRZjvtK KsDWGY1lq/n2OELZYCRYCoiVCSwYJZ5qbe9x34GFSSLR9Ictrpo5zS4f3UhxdK5N INeWzvQy6WlDcu962bGopNqLedrpFJBGPbrbY3mP13bm2KByjbbrD7z8LqQrnlUM GyHLPpgWfwbaPdG+2sVG4Xi0oa/uqCGGW7XkcUCq+0IXCDKnxHmwgxERrb1T4b3y Yq0uG644pZ3ZhDQaWhtC9ENXz6+Nw0WW82k6OfyyR7bs7m/axqfDa8G45s33hJXV KK0GPR2Ke19xvILJ9xM6K4Bvss4y61O7TGhrfpUujniKDrmArDoJ7gALHDyCpguE CJ2P743d4KL2bDt3Kpvc3Pct615dtIECn7+0fiJP/wZP9r7PhV0jm0srxmVF/29W rgfJhNEMGsAmHKHjY7f7LIbJPO9t2sY7khwR5TmL8rjvD1ryAadkrxTTNngeV8/L +h063CkbVX4+jQ9S5/QLdcD/CtL8iYE/p29FS60o+b5JwiBeOGjxnuJl0ahu9EIa 4Q3tuMn8jtFc8mxvvSIL2I2ErRx+4mQECJwZsCnMPmD+k+dgSuGndt7avG8Jrfk/ XqS36lNth9O916Xkgp9bKPpxOD5o5EXfXLFInr+nuew7V3Tbm0zjfsDiLx4YuQgM NkOj5Rfv9gikgn9nq3Au =7b2b -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
Here is information on how we have Apache configured. Apache is the virtual host and it redirects to the (war) app deployed in Tomcat. Note it has the app name in the ProxyPass/ProxyPassReverse URL. Regarding your question on how we deploy the app, I use Tomcat's Manager app to upload a war file. Note this same Tomcat instance has several other war apps as well. Note at first we thought this was working as it does redirect to the right app and the correct login page, the problem is when they click the Login button that's when the 408 error occurs. The 408 error does not occur if we launch the app via http://localhost:8080/myapp/. The error only occurs when users use sub1.mydomain.com which is the only URL that will have access to. What are we doing wrong? We are probably missing something simple...just don't see it. Also I'd be happy to upgrade Tomcat to a later version if that would help. ##Apache: Just a ReverseProxy to the Tomcat app: VirtualHost *:80 ServerName sub1.mydomain.com ServerAlias sub1.mydomain.com ## ReverseProxy's ProxyRequests Off ProxyPreserveHost Off # Have tried both on and off Proxy * Order deny,allow Allow from all /Proxy ProxyPass / http://localhost:8080/myapp/ ProxyPassReverse / http://localhost:8080/myapp/ On Wed, Jul 8, 2015 at 7:53 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 David, On 7/7/15 11:14 AM, David Hoffer wrote: Here is the relevant parts of the web.xml. I didn't do the Apache configuration so I'll have to get more details there but I was told that is no different than how we configure virtual hosts for other apps that don't use Tomcat's authentication. E.g. it seems Tomcat is requiring to have the app's name in the URL...not a subdomain. Well, /of course/ Tomcat requires the app's name in the URL. That's how Tomcat figures out which application should take the request. Where is your application deployed? What WAR file (or exploded-WAR directory)? Any other details that might help explain what's going on? As André said, none of us has a crystal ball (well... one of us does, but he's been MIA for quite a long time). FORM authentication works in Tomcat, whether through an httpd-based proxy or not. Most of us use it /all the time/. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVnStSAAoJEBzwKT+lPKRYrjUP/2DO0eK+Ee1r2SqqVBRZjvtK KsDWGY1lq/n2OELZYCRYCoiVCSwYJZ5qbe9x34GFSSLR9Ictrpo5zS4f3UhxdK5N INeWzvQy6WlDcu962bGopNqLedrpFJBGPbrbY3mP13bm2KByjbbrD7z8LqQrnlUM GyHLPpgWfwbaPdG+2sVG4Xi0oa/uqCGGW7XkcUCq+0IXCDKnxHmwgxERrb1T4b3y Yq0uG644pZ3ZhDQaWhtC9ENXz6+Nw0WW82k6OfyyR7bs7m/axqfDa8G45s33hJXV KK0GPR2Ke19xvILJ9xM6K4Bvss4y61O7TGhrfpUujniKDrmArDoJ7gALHDyCpguE CJ2P743d4KL2bDt3Kpvc3Pct615dtIECn7+0fiJP/wZP9r7PhV0jm0srxmVF/29W rgfJhNEMGsAmHKHjY7f7LIbJPO9t2sY7khwR5TmL8rjvD1ryAadkrxTTNngeV8/L +h063CkbVX4+jQ9S5/QLdcD/CtL8iYE/p29FS60o+b5JwiBeOGjxnuJl0ahu9EIa 4Q3tuMn8jtFc8mxvvSIL2I2ErRx+4mQECJwZsCnMPmD+k+dgSuGndt7avG8Jrfk/ XqS36lNth9O916Xkgp9bKPpxOD5o5EXfXLFInr+nuew7V3Tbm0zjfsDiLx4YuQgM NkOj5Rfv9gikgn9nq3Au =7b2b -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
My bad. I recalled the error wrong...it's 408. HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser On Tue, Jul 7, 2015 at 9:36 AM, Mark Thomas ma...@apache.org wrote: On 07/07/2015 15:13, David Hoffer wrote: I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? Nope. Tomcat never issues a 508 response. Wherever that is coming from it isn't Tomcat code. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
Here is the relevant parts of the web.xml. I didn't do the Apache configuration so I'll have to get more details there but I was told that is no different than how we configure virtual hosts for other apps that don't use Tomcat's authentication. E.g. it seems Tomcat is requiring to have the app's name in the URL...not a subdomain. security-constraint web-resource-collection web-resource-namePublic/web-resource-name url-pattern/login.jsp/url-pattern url-pattern/error.jsp/url-pattern /web-resource-collection /security-constraint security-constraint web-resource-collection web-resource-nameWildcard means whole app requires authentication/web-resource-name url-pattern/*/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-namemyapp-user/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/error.jsp/form-error-page /form-login-config /login-config session-config session-timeout60/session-timeout /session-config On Tue, Jul 7, 2015 at 8:55 AM, André Warnier a...@ice-sa.com wrote: David Hoffer wrote: 1. Apache Tomcat/7.0.55 (Ubuntu) 2. Hum I don't think so...it works fine when using the full URL, e.g. www.mycompany.com:8080/myapp its only when we use Apache wait.. what, how ? you are using an Apache httpd front-end ? you never mentioned that before. We have no crystal ball here, so we are trying to guess your configuration, to try to guess what the problem may be. But if you are hiding things for us, this could take a long time. We may also need to know how exactly you are proxying from Apache httpd to Tomcat then. Anyway, also send your webapp's web.xml. From your (incomplete) description so far, it looks as if your may re-directing to the wrong place, which re-directs to the wrong place, which re-directs to the wrong place and so on. You are probably doing your very own DOS attack on your own server. :-) You may be able to figure this out by yourself, if you think about what really happens, step by step. so users can get to this same app via myapp.mycompany.com that we get the 508 error from Tomcat. 3. I don't think we have made any changes to Tomcat's server.xml but here is a copy. ?xml version='1.0' encoding='utf-8'? Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.core.JasperListener / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 URIEncoding=UTF-8 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. suffix=.txt pattern=%h %l %u %t quot;%rquot; %s %b / /Host /Engine /Service /Server On Tue, Jul 7, 2015 at 8:28 AM, André Warnier a...@ice-sa.com wrote: Hi. David Hoffer wrote: I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? The URL in the browser when this happens is myapp.mycompany.com/j_security_check 1) to save time to everyone in the end, please provide at least the full version of Tomcat that you are using. 2) HTTP status code 508 indicates that some server resource limit has been reached. That points to some kind of infinite loop. That would tend to hint at the fact that whatever your login form is pointing to, maybe itself is a protected location and so on.. 3) Anyway, your
Re: HTML 508 error with container authentication and virtual host
On 07/07/2015 15:13, David Hoffer wrote: I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? Nope. Tomcat never issues a 508 response. Wherever that is coming from it isn't Tomcat code. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
HTML 508 error with container authentication and virtual host
I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? The URL in the browser when this happens is myapp.mycompany.com/j_security_check -Dave
Re: HTML 508 error with container authentication and virtual host
1. Apache Tomcat/7.0.55 (Ubuntu) 2. Hum I don't think so...it works fine when using the full URL, e.g. www.mycompany.com:8080/myapp its only when we use Apache so users can get to this same app via myapp.mycompany.com that we get the 508 error from Tomcat. 3. I don't think we have made any changes to Tomcat's server.xml but here is a copy. ?xml version='1.0' encoding='utf-8'? Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.core.JasperListener / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 URIEncoding=UTF-8 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. suffix=.txt pattern=%h %l %u %t quot;%rquot; %s %b / /Host /Engine /Service /Server On Tue, Jul 7, 2015 at 8:28 AM, André Warnier a...@ice-sa.com wrote: Hi. David Hoffer wrote: I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? The URL in the browser when this happens is myapp.mycompany.com/j_security_check 1) to save time to everyone in the end, please provide at least the full version of Tomcat that you are using. 2) HTTP status code 508 indicates that some server resource limit has been reached. That points to some kind of infinite loop. That would tend to hint at the fact that whatever your login form is pointing to, maybe itself is a protected location and so on.. 3) Anyway, your question above would be a lot clearer (and it would also save time), if you copy and paste the content of your Tomcat's server.xml file, below here : (please remove any comments and confidential information) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
Hi. David Hoffer wrote: I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? The URL in the browser when this happens is myapp.mycompany.com/j_security_check 1) to save time to everyone in the end, please provide at least the full version of Tomcat that you are using. 2) HTTP status code 508 indicates that some server resource limit has been reached. That points to some kind of infinite loop. That would tend to hint at the fact that whatever your login form is pointing to, maybe itself is a protected location and so on.. 3) Anyway, your question above would be a lot clearer (and it would also save time), if you copy and paste the content of your Tomcat's server.xml file, below here : (please remove any comments and confidential information) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
André Warnier wrote: Hi. David Hoffer wrote: I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? The URL in the browser when this happens is myapp.mycompany.com/j_security_check 1) to save time to everyone in the end, please provide at least the full version of Tomcat that you are using. 2) HTTP status code 508 indicates that some server resource limit has been reached. That points to some kind of infinite loop. That would tend to hint at the fact that whatever your login form is pointing to, maybe itself is a protected location and so on.. 3) Anyway, your question above would be a lot clearer (and it would also save time), if you copy and paste the content of your Tomcat's server.xml file, below here : (please remove any comments and confidential information) Addendum : I think that you should also provide a copy of your webapp's WEB-INF/web.xml file here. Again, remove any passwords, real hostnames etc.. (but be consistent : replace the same thing by the same thing always.) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTML 508 error with container authentication and virtual host
David Hoffer wrote: 1. Apache Tomcat/7.0.55 (Ubuntu) 2. Hum I don't think so...it works fine when using the full URL, e.g. www.mycompany.com:8080/myapp its only when we use Apache wait.. what, how ? you are using an Apache httpd front-end ? you never mentioned that before. We have no crystal ball here, so we are trying to guess your configuration, to try to guess what the problem may be. But if you are hiding things for us, this could take a long time. We may also need to know how exactly you are proxying from Apache httpd to Tomcat then. Anyway, also send your webapp's web.xml. From your (incomplete) description so far, it looks as if your may re-directing to the wrong place, which re-directs to the wrong place, which re-directs to the wrong place and so on. You are probably doing your very own DOS attack on your own server. :-) You may be able to figure this out by yourself, if you think about what really happens, step by step. so users can get to this same app via myapp.mycompany.com that we get the 508 error from Tomcat. 3. I don't think we have made any changes to Tomcat's server.xml but here is a copy. ?xml version='1.0' encoding='utf-8'? Server port=8005 shutdown=SHUTDOWN Listener className=org.apache.catalina.core.JasperListener / Listener className=org.apache.catalina.core.JreMemoryLeakPreventionListener / Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener / Listener className=org.apache.catalina.core.ThreadLocalLeakPreventionListener / GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources Service name=Catalina Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 URIEncoding=UTF-8 redirectPort=8443 / Engine name=Catalina defaultHost=localhost Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ /Realm Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. suffix=.txt pattern=%h %l %u %t quot;%rquot; %s %b / /Host /Engine /Service /Server On Tue, Jul 7, 2015 at 8:28 AM, André Warnier a...@ice-sa.com wrote: Hi. David Hoffer wrote: I've added FORM container authentication with Tomcat and everything works fine as long as users use the full URL to the app (URL in Tomcat's manager app). However users want to use a different URL based on a virtual host, e.g. myapp.mycompany.com. It brings the users to the app no problem but then when they try to login Tomcat reports a 508 error, how do I solve this? The URL in the browser when this happens is myapp.mycompany.com/j_security_check 1) to save time to everyone in the end, please provide at least the full version of Tomcat that you are using. 2) HTTP status code 508 indicates that some server resource limit has been reached. That points to some kind of infinite loop. That would tend to hint at the fact that whatever your login form is pointing to, maybe itself is a protected location and so on.. 3) Anyway, your question above would be a lot clearer (and it would also save time), if you copy and paste the content of your Tomcat's server.xml file, below here : (please remove any comments and confidential information) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org