No formal bug report yet.

The current state of play is at
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=47595

If you would like to add your weight to this observation...

Thanks
Martin


-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED] 
Sent: 29 March 2004 09:17
To: Tomcat Users List
Subject: Re: post data through form based authentication example?

Hmm. You're right. I just tested it on my JBoss (running 3.2.4RC1 with
tomcat 5.0.19) and I got the same effect. Rats! This is not good. Trying
to get info out of JBoss is like trying to get blood out of a stone. I
assume there's a bug report? I haven't looked at JBoss's bugzilla yet.

On 03/29/2004 01:10 AM Martin Alley wrote:
> After further testing, I believe this is a bug specific to the JBoss
> environment (both 3.2.3 and 3.2.4RC1)
> 
> Martin
> 
> -----Original Message-----
> From: Martin Alley [mailto:[EMAIL PROTECTED] 
> Sent: 28 March 2004 15:24
> To: 'Tomcat Users List'
> Subject: RE: post data through form based authentication example?
> 
> The updated web.xml below now correctly lists the required security-role
> tags, but the only effect was to bring the form.html resource into the
> secured area (ie login is requested before accessing this page now), so
> I have also modified web.xml to put form.html *outside* the secured area
> - thus still requiring post data to transition the form based logon.
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application
> 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
> <web-app >
>    <session-config>
>       <session-timeout>2</session-timeout>
>    </session-config>
>       <security-constraint>
>           <web-resource-collection>
>             <web-resource-name>Signon</web-resource-name>
>             <description>Declarative security tests</description>
>             <!--url-pattern>/form.html</url-pattern-->
>             <url-pattern>/process.jsp</url-pattern>
>             <http-method>HEAD</http-method>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>             <http-method>DELETE</http-method>
>           </web-resource-collection>
>           <auth-constraint>
>             <role-name>customer</role-name>
>             <role-name>merchant</role-name>
>             <role-name>admin</role-name>
>           </auth-constraint>
>           <user-data-constraint>
>             <description>no description</description>
>             <transport-guarantee>NONE</transport-guarantee>
>           </user-data-constraint>
>       </security-constraint>
> 
>       <login-config>
>           <auth-method>FORM</auth-method>
>           <form-login-config>
>             <form-login-page>/login.html</form-login-page>
>             <form-error-page>/login.html</form-error-page>
>           </form-login-config>
>       </login-config>
> 
>       <security-role><role-name>customer</role-name></security-role>
>       <security-role><role-name>merchant</role-name></security-role>
>       <security-role><role-name>admin</role-name></security-role>
> </web-app>
> 
> I can't see the point of protecting the POST method if the data fails to
> transition.
> 
> Has anyone got a working example of this?
> 
> Thanks
> Martin
> 
> -----Original Message-----
> From: Martin Alley [mailto:[EMAIL PROTECTED] 
> Sent: 27 March 2004 09:47
> To: 'Tomcat Users List'
> Subject: RE: post data through form based authentication example?
> 
> I forgot to mention its behaviour!!
> 
> Basically when there is no security constraint, it works.  When there is a
> security constraint, the post data gets killed.
> 
> Martin
> 
> 
> -----Original Message-----
> From: Martin Alley [mailto:[EMAIL PROTECTED] 
> Sent: 27 March 2004 09:43
> To: 'Tomcat Users List'
> Subject: RE: post data through form based authentication example?
> 
> Hi Adam,
> 
> I've put together a simple test for posting to a secured resource which
> seems to throw up a problem.  Included files are the web app.  Based on
> JBoss3.2.3 embedded tomcat4.1.
> 
> Martin
> 
> Index.html
> <html>
> <body>
>               <a href="form.html">form</a>
> </body>
> </html>
> 
> form.html
> <html>
>       <body>
>               <form action="process.jsp" method="post">
>                       <input type="text" name="text1"/>
>                       <input type="submit" value="OK"/>
>               </form>
>       </body>
> </html>
> 
> login.html
> <html>
> <body>
> <h4>Please login:</h4>
> <form method="POST" action="j_security_check">
> <input type="text" name="j_username">
> <input type="password" name="j_password">
> <input type="submit" value="OK">
> </form>
> </body>
> </html>
> 
> process.jsp
> <html>
> <body>
> text1=<%=request.getParameter("text1")%>
> </body>
> </html>
> 
> WEB-INF\web.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application
> 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
> 
> <web-app >
> 
> 
>    <session-config>
>       <session-timeout>2</session-timeout>
>    </session-config>
> 
>  <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Signon</web-resource-name>
>       <description>Declarative security tests</description>
>       <url-pattern>/form.html</url-pattern>
>       <url-pattern>/process.jsp</url-pattern>
>       <http-method>HEAD</http-method>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>       <http-method>PUT</http-method>
>       <http-method>DELETE</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>customer</role-name>
>       <role-name>merchant</role-name>
>       <role-name>admin</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <description>no description</description>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
> 
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/login.html</form-login-page>
>       <form-error-page>/login.html</form-error-page>
>     </form-login-config>
>   </login-config>
> 
> </web-app>
> 
> WEB-INF\jboss-web.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN"
> "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
> 
> <jboss-web>
> 
>    <security-domain>java:/jaas/authtest</security-domain>
> 
>    <!-- Resource Environment References -->
> 
>    <!-- Resource references -->
> 
>    <!-- EJB References -->
> 
> </jboss-web>
> 
> 
> -----Original Message-----
> From: Adam Hardy [mailto:[EMAIL PROTECTED] 
> Sent: 25 March 2004 15:10
> To: Tomcat Users List
> Subject: Re: post data through form based authentication example?
> 
> Martin,
> I would check your problem again. That is not the normal behaviour of
> the container-managed login. It will cache the original request during
> the login and send it on to the originally requested URL.
> 
> Adam
> 
> On 03/25/2004 02:45 PM Martin Alley wrote:
> 
>>Hi,
>>
>>Has anyone got an example of a servlet secured with form based
>>authentication, where the request to the servlet is posted, from outside
>>the secured area?
>>
>>My actual situation is I already have a web application with form based
>>auth working fine, but I have a problem when the user is at a web form,
>>about to post the data when their session times out.  Then they submit
>>the form, get sent to the login page, and then on to the original
>>form processing servlet.  However the post data is now lost.
>>
>>I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote
>>connector.
>>
>>Thanks in advance
>>Martin
>>PS I have also posted to JBoss
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
> 
> 
> 


-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
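As an added example, not code from the thread or from JBoss/Tomcat: a servlet standing in for the thread's process.jsp that tolerates the lost-POST case Martin describes, logging the event and returning the user to form.html instead of processing an empty submission. It assumes a servlet-mapping for /process.jsp in web.xml; the class name and the ?lost=1 query flag are made up for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical replacement for process.jsp, written Servlet 2.3 / Java 1.4
// style so it fits the JBoss 3.2 + Tomcat 4.1 stack discussed in the thread.
public class ProcessServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ProcessServlet.class.getName());

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String text1 = req.getParameter("text1");
        if (text1 == null) {
            // The failure mode from the thread: the container replayed the saved
            // POST after j_security_check, but the form body did not come with
            // it. Record who hit it and send them back to the form rather than
            // treating "text1=null" as a real submission.
            String user = req.getRemoteUser();
            LOG.warning("POST " + req.getRequestURI() + " arrived without form data"
                    + "; user=" + (user == null ? "anonymous" : user));
            resp.sendRedirect(req.getContextPath() + "/form.html?lost=1");
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Escape before echoing: the JSP in the thread reflects the raw value.
        out.println("<html><body>text1=" + escapeHtml(text1) + "</body></html>");
    }

    // Minimal HTML escaping for the echoed value.
    static String escapeHtml(String s) {
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '<') sb.append("&lt;");
            else if (c == '>') sb.append("&gt;");
            else if (c == '&') sb.append("&amp;");
            else if (c == '"') sb.append("&quot;");
            else sb.append(c);
        }
        return sb.toString();
    }
}
```

The warning line gives operators a way to count how often the lost-body replay actually happens in a deployment, which is the evidence the thread was looking for before filing a bug.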

