Here is my app directory structure under Tomcat :
$TOMCAT_HOME
  webapps
    myApp
      WEB-INF
      ....
The files I want secured are /do (instead of X.do, the
files appear as /do/X).
The other thing I'm seeing, as well as the login
issues mentioned previously, is the fact that if I
successfully login the first time into the site, close
my browser, and then try to authenticate with invalid
data, it logs me in correctly with the previous
attributes.
For example, say my valid login is
validLogin/validPass. If I try to auth the first time
into the site with validLogin/validPass it
authenticates correctly. However, if I close my
browser and try to go back in and authenticate with
garbagelogin/garbagepass (which doesn't exist in my
DB), it still authenticates me as
validLogin/validPass. This is not correct, and is
another symptom of something I'm doing incorrectly.
Has anyone else seen this type of behavior?
Dave, it seems like changing <url-pattern>/do/*</url-pattern> to <url-pattern>*</url-pattern> will make everything secure, which isn't the outcome I
am looking for...
Thanks for any info...
Quenten
--- David Brown <[EMAIL PROTECTED]> wrote:
Quenten Van Egeren writes:
> I'm having the following problem when using FORM based
> authentication with Tomcat 4.1.12 :
>
> When I bring up a new browser window, and go to a
> protected page (under /do/) I am redirected to the
> login.jsp as I should be. If I enter the correct
> username / password, I am logged in correctly and
> forwarded back to the page I was trying to access.
> This all works correctly.
>
> However, if I enter garbage for a username and
> password, I am redirected to the error.jsp page, which
> is also correct. I then click the link on the
> error.jsp page that takes me back to the login.jsp
> page and try to login again with a valid
> username/password combo, and it instantly redirects me
> back to the error.jsp page. This isn't correct (as
> far as I can tell) since it should have successfully
> authed me the second time into the page.
>
> I was wondering if anyone else had run into this
> issue, or if there was something I was missing in one
> of the config files or my web.xml file.
>
> I am also using struts, but I don't think that has
> anything to do with this error, since it appears to be
> a j_security_check setup issue somehow.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Quenten
>
> Here is my code :
>
> +++++ my application web.xml +++++
> <security-constraint>
>   <display-name>Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/do/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>eadmin</role-name>
>     <role-name>member</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>My JDBCRealm</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <description>admin role.</description>
>   <role-name>eadmin</role-name>
> </security-role>
> <security-role>
>   <description>member role.</description>
>   <role-name>member</role-name>
> </security-role>
>
> +++++ tomcat server.xml +++++
>
> <Realm className="org.apache.catalina.realm.JDBCRealm"
>        debug="50"
>        driverName="org.postgresql.Driver"
>        connectionURL="jdbc:postgresql://localhost:5432/mydb?user=postgres:password=postgres"
>        userTable="members" userNameCol="login"
>        userCredCol="password"
>        userRoleTable="member_roles_view"
>        roleNameCol="user_role" />
>
> +++++ my login.jsp +++++
> <html>
> <head>
> <title>Login Page for Examples</title>
> </head>
> <body bgcolor="white">
> <form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
> <table border="0" cellspacing="5">
> <tr>
> <th align="right">Username:</th>
> <td align="left"><input type="text" name="j_username"></td>
> </tr>
> <tr>
> <th align="right">Password:</th>
> <td align="left"><input type="password" name="j_password"></td>
> </tr>
> <tr>
> <td align="right"><input type="submit" value="Log In"></td>
> <td align="left"><input type="reset"></td>
> </tr>
> </table>
> </form>
> </body>
> </html>
>
> +++++ my error.jsp +++++
> <html>
> <head>
> <title>Error Page For Examples</title>
> </head>
> <body bgcolor="white">
> Invalid username and/or password, please try
> <a href='<%= response.encodeURL("login.jsp") %>'>again</a>.
> </body>
> </html>
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
Hello Quenten, if your web.xml is:
$TOMCAT_HOME
  |
  /webapps
    |
    /do
      |
      /WEB-INF
then change your web.xml tag:
<security-constraint>
<url-pattern>/do/*
to only:
<url-pattern>*</url-pattern>
hope this helps, david.
Hello Quenten, look at the directory tree again. If your webapp is being built correctly then you should have a different web.xml for each app you build, thus making each webapp directory unique, and therefore using <url-pattern>*</url-pattern> only makes everything secure below this point in the directory tree:
$TOMCAT_HOME
  |
  /webapps
    |
    /do <----------------- security starts here
      |
      /WEB-INF/web.xml
Let me contrast this:
$TOMCAT_HOME
  |
  /webapps
    |
                 /\
                /  \
               /    \
              /      \
unsecured --> /did    /do <-- secured
               |        |
     /WEB-INF/web.xml  /WEB-INF/web.xml
/did is not secure because no security constraint has been defined. If however I wanted /did secure it would still do the same, namely:
<url-pattern>*</url-pattern> in its own web.xml
This works for me; I have several apps, both secure and unsecured, spread over 4 virtual domains. The secured apps are also run under SSL under the same parent directories but with their own directory and web.xml. Hope this helps, david.
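The scoping questions in this thread (what a `<url-pattern>` actually covers, and what an explicit `<http-method>` list does to the constraint) can be checked mechanically before deploying. The Python linter below is an added example, not code from the thread or from Tomcat: it parses a constructed web.xml modelled on Quenten's and reports, per security-constraint, the patterns, methods and roles, warning where a method list leaves every other verb unconstrained and where a pattern is not one of the servlet spec's mapping forms (path mapping, extension mapping, exact or default path) and so never matches a request.

```python
"""Lint the <security-constraint> blocks of a servlet/Tomcat web.xml (added example).
Warns where an explicit <http-method> list leaves every unlisted verb unconstrained,
and where a <url-pattern> is not a path mapping (/x/*), an extension mapping (*.ext)
or an exact/default path (/x, /), so it never matches a request.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml quoted in the thread (not the original file).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/do/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>eadmin</role-name><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip any namespace so Servlet 2.3 (DTD) and 2.4+ (xmlns) files both work."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def _texts(parent, name):
    """Text of every descendant element with the given local name, in document order."""
    return [e.text.strip() for e in parent.iter() if _local(e.tag) == name and e.text]


def pattern_is_valid(pattern):
    """Servlet-spec forms: starts with '/' (path, exact or default) or is '*.ext'."""
    return pattern.startswith("/") or (pattern.startswith("*.") and len(pattern) > 2)


def lint_constraints(web_xml):
    """Return one dict per security-constraint: patterns, methods, roles and warnings."""
    report = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods = _texts(sc, "url-pattern"), _texts(sc, "http-method")
        warnings = []
        if methods:  # verbs not listed (HEAD, DELETE, OPTIONS, ...) bypass this constraint
            warnings.append("unlisted HTTP methods are unconstrained: only %s listed" % ", ".join(methods))
        warnings += ["url-pattern %r matches nothing" % p for p in patterns if not pattern_is_valid(p)]
        report.append({"patterns": patterns, "methods": methods,
                       "roles": _texts(sc, "role-name"), "warnings": warnings})
    return report
```

Run `lint_constraints(SAMPLE_WEB_XML)` against a real web.xml by reading the file into the string; an empty `warnings` list for every constraint is the expected clean result.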
