OK, so here is where I am at. I have it set up such that, when a user tries to
access a servlet (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) they
get forwarded to a Login JSP page specified by my web.xml. Here is the problem:
when the user tries to log in, the Login form appears again, yet the URL is
shown as http://localhost:8080/dev/servlet/ProtectedPage. Why doesn't my
ProtectedPage servlet appear? I am really stuck. Below is my web.xml file:
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/servlet/*</url-pattern>
      <url-pattern>/jsp/security/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>user</role-name>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/jsp/security/login.jsp</form-login-page>
      <form-error-page>/jsp/security/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]
-----Original Message-----
From: John Gregg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 04:48 PM
To: 'Tomcat Users List'
Subject: RE: j_security_check question
No can do-ski. The container needs to know where to send the user upon
successful authentication, but if your application presents a form to a user
that gets submitted to j_security_check, the Tomcat authentication stuff
won't know where to send the user when the operation completes. Your
web.xml and login.jsp look ok. You just don't want your application to
serve a page that goes to j_security_check directly. Instead, Tomcat
decides automagically when you need to login. It then inserts itself into
the application flow by remembering where the user was trying to go, sending
the login page that you specify, then redirecting (or forwarding?) the user
to that place upon successful login. Before using container-managed
security I was so used to creating AND SERVING my own login pages that it
took a while to wrap my brain around the fact that I no longer had to do
stuff like "if (req.getSession(false)) == null) then send login page...."
Just code your servlet to do what you want and let Tomcat worry about
when/if to present the login page. The URL you'll access will be the
servlet or jsp that kicks off your business logic, not the login logic.
john
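To show the pattern John describes, here is an added example servlet (not code from either poster): it lives behind the /servlet/* constraint, contains no login logic at all, and only reads the identity the container has already established. It assumes the role names "user" and "tomcat" from the web.xml above, and that /jsp/security/login.jsp and error.jsp are left outside every protected <url-pattern> so that unauthenticated users can fetch them.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the "business" servlet the user actually requests
// (e.g. /dev/servlet/ProtectedPage). Tomcat intercepts the first request,
// serves form-login-page, posts to j_security_check, then replays the
// original request here once the realm has accepted the credentials.
public class ProtectedPage extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Defence in depth: only reachable if the security-constraint
            // is removed or this servlet is mapped outside /servlet/*.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Role names here must match the <role-name> entries in web.xml.
        boolean isAdmin = request.isUserInRole("tomcat");

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<p>Welcome, " + escapeHtml(user.getName()) + "</p>");
        if (isAdmin) {
            out.println("<p>Administrative tools are enabled.</p>");
        }
        out.println("</body></html>");
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    // The principal name comes from the realm, so escape it before it
    // is echoed into HTML rather than trusting it as safe markup.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Nothing in the application links to a servlet that forwards to login.jsp; the only way the login form is reached is through the container's own redirect.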
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED].org] On Behalf Of Kevin Andryc
Sent: Tuesday, July 02, 2002 1:40 PM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: j_security_check question
CustomLogin.class is a resource at a protected URL which also contains the
login form. So here is how it works (or how I would like it to work). I have
a CustomLogin class:
CustomLogin.class (located in /dev/WEB-INF/classes/)
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CustomLogin extends HttpServlet {

    public CustomLogin() {
        super();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    // Forwards every request (GET or POST) to the login form under /jsp/security/
    public void performTask(HttpServletRequest request, HttpServletResponse response) {
        try {
            String jspPage = "login.jsp";
            RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
            rd.forward(request, response);
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
}
login.jsp (located in /dev/jsp/security/)
<html>
  <head>
    <title>Login Page for Examples</title>
  </head>
  <body bgcolor="white">
    <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
      <table border="0" cellspacing="5">
        <tr>
          <th align="right">Username:</th>
          <td align="left"><input type="text" name="j_username"></td>
        </tr>
        <tr>
          <th align="right">Password:</th>
          <td align="left"><input type="password" name="j_password"></td>
        </tr>
        <tr>
          <td align="right"><input type="submit" value="Log In"></td>
          <td align="left"><input type="reset"></td>
        </tr>
      </table>
    </form>
  </body>
</html>
web.xml
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/servlet/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/servlet/CustomLogin</form-login-page>
      <form-error-page>/jsp/security/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
The user will type in the URL:
http://localhost:8080/dev/servlet/CustomLogin. The login form does appear.
But once I enter the login information (username and password), the "Invalid
direct reference to form login page" error appears. What I want is to have the
user type in http://localhost:8080/dev/servlet/CustomLogin and log in. If
they are successful, then it should direct them to the CustomLogin
servlet so I can get the user information and customize the page according
to who is logged in. I hope this makes sense. I just can't seem to get it to
work or figure out how to make it work.
Thanks,
Kevin
Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>