On 03/29/2004 01:10 AM Martin Alley wrote:
After further testing, I believe this is a bug specific to the JBoss environment (both 3.2.3 and 3.2.4RC1).
Martin
-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 28 March 2004 15:24
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?
The updated web.xml below now correctly lists the required security-role tags, but the only effect was to bring the form.html resource into the secured area (i.e. login is requested before accessing this page now), so I have also modified web.xml to put form.html *outside* the secured area, thus still requiring post data to transition the form based logon.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Signon</web-resource-name>
      <description>Declarative security tests</description>
      <!--url-pattern>/form.html</url-pattern-->
      <url-pattern>/process.jsp</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
      <role-name>merchant</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>customer</role-name></security-role>
  <security-role><role-name>merchant</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
I can't see the point of protecting the POST method if the data fails to transition.
Has anyone got a working example of this?
Thanks, Martin
-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 27 March 2004 09:47
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?
I forgot to mention its behaviour!!
Basically, when there is no security constraint, it works. When there is a security constraint, the post data gets killed.
Martin
-----Original Message-----
From: Martin Alley [mailto:[EMAIL PROTECTED]
Sent: 27 March 2004 09:43
To: 'Tomcat Users List'
Subject: RE: post data through form based authentication example?
Hi Adam,
I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss 3.2.3 embedded Tomcat 4.1.
Martin
Index.html
<html>
  <body>
    <a href="form.html">form</a>
  </body>
</html>

form.html
<html>
  <body>
    <form action="process.jsp" method="post">
      <input type="text" name="text1"/>
      <input type="submit" value="OK"/>
    </form>
  </body>
</html>

login.html
<html>
  <body>
    <h4>Please login:</h4>
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
      <input type="submit" value="OK">
    </form>
  </body>
</html>

process.jsp
<html>
  <body>
    text1=<%=request.getParameter("text1")%>
  </body>
</html>
WEB-INF\web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Signon</web-resource-name>
      <description>Declarative security tests</description>
      <url-pattern>/form.html</url-pattern>
      <url-pattern>/process.jsp</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
      <role-name>merchant</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
WEB-INF\jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
<jboss-web>
  <security-domain>java:/jaas/authtest</security-domain>
  <!-- Resource Environment References -->
  <!-- Resource references -->
  <!-- EJB References -->
</jboss-web>
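The test Martin describes (unauthenticated POST to the secured process.jsp, login through j_security_check, then check whether text1 survived the redirect) as an added client script; it is not code from the thread. BASE_URL, the username and password are assumed placeholders for a local deployment of the test web app above.

```python
"""Reproduce the form-login POST-replay test against a local container."""
import http.cookiejar
import re
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080/authtest"  # assumed deployment path (placeholder)


def make_client():
    """Opener with a cookie jar so JSESSIONID survives the login redirects."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def post(opener, url, fields):
    """Form-encoded POST; returns (status, body) after urllib follows redirects."""
    data = urllib.parse.urlencode(fields).encode()
    with opener.open(url, data=data, timeout=10) as resp:
        return resp.status, resp.read().decode(errors="replace")


def extract_text1(body):
    """Read the value process.jsp echoes as 'text1=<value>'.

    Returns None when the parameter was lost: the JSP expression prints the
    literal 'null' for a missing parameter, and None if the page is not process.jsp.
    """
    m = re.search(r"text1=(.*?)\s*</body>", body, re.S)
    if not m:
        return None
    value = m.group(1).strip()
    return None if value == "null" else value


def run_flow(opener, username, password, payload="hello"):
    """Return the text1 value that reached process.jsp, or None if it was dropped."""
    # 1. POST to the secured page without a session: the container should
    #    answer with login.html and cache the original request.
    status, body = post(opener, BASE_URL + "/process.jsp", {"text1": payload})
    if "j_security_check" not in body:
        raise RuntimeError("expected the login page, got status %d" % status)
    # 2. Authenticate; the container redirects to the saved request and replays it.
    status, body = post(opener, BASE_URL + "/j_security_check",
                        {"j_username": username, "j_password": password})
    if "j_security_check" in body:
        raise RuntimeError("login failed (form-error-page returned)")
    return extract_text1(body)


if __name__ == "__main__":
    # placeholder credentials for a user holding one of the roles in web.xml
    print("replayed text1 =", run_flow(make_client(), "user", "pass"))
```

A result of None on the final page means the container discarded the POST body during the login transition, which is the symptom reported in the thread.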
-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 25 March 2004 15:10
To: Tomcat Users List
Subject: Re: post data through form based authentication example?
Martin,
I would check your problem again. That is not the normal behaviour of the container-managed login. It will cache the original request during the login and send it on to the originally requested URL.
Adam
On 03/25/2004 02:45 PM Martin Alley wrote:
Hi,
Has anyone got an example of a servlet secured with form based authentication, where the request to the servlet is posted from outside the secured area?
My actual situation is I already have a web application with form based auth working fine, but I have a problem when the user is at a web form, about to post the data, when their session times out. Then they submit the form, get sent to the login page, and then on to the original form processing servlet. However, the post data is now lost.
I am using Tomcat 4.1 as bundled with JBoss 3.2.3 and the Coyote connector.
Thanks in advance, Martin
PS I have also posted to JBoss
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian