From other comments on the list, I added this to the top of my login.jsp:

    // brand-new session: send the user back where they came from, or to index.jsp
    if (session.isNew())
    {
        String referer = request.getHeader("Referer");
        if (referer == null)
        {
            response.sendRedirect("index.jsp");
        }
        else
        {
            response.sendRedirect(referer);
        }
        return;
    }

Then I had a problem that people would log in, view some stuff and then go to
another web site.
Of course they bookmarked the login page (I know they should not, but they
do).
After visiting other web pages they hit the bookmark back to the login page.
This caused the first if to fail, so I added this part. (I put a user
object in the session.)

    // now check remote user and session user
    User u = (User) session.getAttribute("USER");
    String remoteUser = request.getRemoteUser();
    if (remoteUser != null && u != null)
    {
        if (remoteUser.equals(u.getUsername()))
        {
            response.sendRedirect("index.jsp");
            return;
        }
        else
        {
            // seems the user does not match
            session.invalidate();
            response.sendRedirect("index.jsp");
            return;
        }
    }

For my site my failed page is also login.jsp. I created my own custom login
which does some checks and uses attributes in the request to give feedback
to the users (bad password, expired account, etc).
-----Original Message-----
From: Barnet Wagman [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 2:24 PM
To: Tomcat Users List
Subject: Bug in Tomcat 5 realm example (j_security_check, again)
This really concerns using j_security_check. (I know there have been many
posts on this subject but I haven't seen the answer I need and I haven't
found much in the way of documentation on j_security_check).
Tomcat 5 comes with a simple example of how to use j_security_check for
form based login ( http://localhost:8080/jsp-examples/security/protected/,
as referred to in the "Realm Configuration HOW-TO").
The example fails to redirect correctly after a failed login.
That is, if the user enters a valid username/password combination on the
first try, everything is fine.
If not, the user gets the error page, which has a link back to the login page.
If she then enters the correct username/password, she is redirected to the
/login page/. It appears that the user now is logged in. I.e. she can now
access protected pages.
In other words, the login page -> error page -> login page redirection is
'losing' the url of the originally requested page. I suspect that a simple
modification to login.jsp and error.jsp would fix this, but that requires
knowing where j_security_check put the url of the originally requested page.
I haven't found any documentation on that.
If you know, or have any other ideas on fixing this, please let me know.
Thanks,
bw
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
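
The login.jsp snippet in the reply above passes the Referer header straight to sendRedirect, and that header is supplied by the client. The following is an added example, not code from either poster or from Tomcat, showing one way to accept the Referer only when it points back into the same web application. The class name SafeRedirect, the method localTarget and the sample host names are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: SafeRedirect and localTarget are hypothetical names, not from the thread.
public final class SafeRedirect {
    private SafeRedirect() {}

    // Returns the path (plus query) of the Referer when it points into this
    // application on this host; otherwise returns the fallback page.
    public static String localTarget(String referer, String serverName,
                                     String contextPath, String fallback) {
        if (referer == null || referer.isEmpty()) return fallback;
        URI uri;
        try {
            uri = new URI(referer).normalize();   // also collapses "/app/../x"
        } catch (URISyntaxException e) {
            return fallback;                      // backslashes, CR/LF, other junk
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        String path = uri.getRawPath();
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        if (!web || host == null || !host.equalsIgnoreCase(serverName)) return fallback;
        if (path == null || path.startsWith("//")) return fallback;   // network-path form
        if (!path.startsWith(contextPath + "/")) return fallback;     // outside this webapp
        if (path.endsWith("/login.jsp")) return fallback;             // would bounce back here
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    // In login.jsp the call would be:
    //   response.sendRedirect(SafeRedirect.localTarget(request.getHeader("Referer"),
    //       request.getServerName(), request.getContextPath(),
    //       request.getContextPath() + "/index.jsp"));
    public static void main(String[] args) {
        String[] constructed = {          // constructed sample Referer values
            "http://shop.example.com/app/catalog.jsp?id=7",
            "http://other.example.net/app/catalog.jsp",
            "http://shop.example.com/app/../admin/x.jsp",
            "http://shop.example.com/app/login.jsp",
            null
        };
        for (String r : constructed) {
            System.out.println(r + " -> "
                + localTarget(r, "shop.example.com", "/app", "/app/index.jsp"));
        }
    }
}
```

Only the path and query are returned, so the redirect stays on the current host whatever scheme or port the Referer carried.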