Hi,
I've changed the web.xml to the following:
<security-constraint>
<display-name>HP Admin Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/admin/index.jsp</url-pattern>
<url-pattern>/admin/products.jsp</url-pattern>
<url-pattern>/admin/groups.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>users</realm-name>
<form-login-config>
<form-login-page>/admin/login.jsp</form-login-page>
<form-error-page>/jsp/error.jsp?code=login</form-error-page>
</form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>admin</role-name>
</security-role>
, so as you can see the login.jsp page is not in the secured area any more.
At the moment, I do get directed to the login.jsp but when I try to submit
the form to 'j_security_check' I get the following error from IIS:
HTTP 405 - Resource not allowed.
When I modify uriworkermap.properties to include j_security_check, I get
redirected to a '404' error from Tomcat (based on my <error-page> settings
in web.xml). When I consult my MySQL logs I can see that Tomcat does not
even reach the stage where it should try to authenticate using MySQL.
Here is the relevant bit from my localhost_hp_log.txt
----Log starts---
2003-02-14 10:15:23 Authenticator[/HP]: Security checking request POST
/HP/admin/j_security_check
2003-02-14 10:15:23 Authenticator[/HP]: Already authenticated ''
2003-02-14 10:15:23 Authenticator[/HP]: Not subject to any constraint
2003-02-14 10:15:23 StandardContext[/HP]: Mapping contextPath='/HP' with
requestURI='/HP/admin/j_security_check' and
relativeURI='/admin/j_security_check'
2003-02-14 10:15:23 StandardContext[/HP]: Mapped to servlet 'default' with
servlet path '/admin/j_security_check' and path info 'null' and update=true
2003-02-14 10:15:23 StandardContext[/HP]: Mapping contextPath='/HP' with
requestURI='/HP/jsp/error.jsp' and relativeURI='/jsp/error.jsp'
2003-02-14 10:15:23 StandardContext[/HP]: Mapped to servlet 'jsp' with
servlet path '/jsp/error.jsp' and path info 'null' and update=true
----Log ends---
Also, for some reason when I go to /admin it takes quite a long time (about
5 sec) to redirect me to login.jsp, whereas when I go to /admin on port 8080
it goes much quicker and it add the jsessionid=XXXX to the URL (which it
doesn't do with IIS)
Thanks,
Paul
-----Original Message-----
From: Sean Dockery [mailto:[EMAIL PROTECTED]]
Sent: 14 February 2003 04:08
To: Tomcat Users List
Subject: Re: Tomcat 4.1.12 Form authentication with IIS 5
What happens when you move your form-login-page outside of the /admin/
folder?
Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com
----- Original Message -----
From: "Paul Bothma" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 13, 2003 06:11
Subject: Tomcat 4.1.12 Form authentication with IIS 5
> Hi,
>
> I'm using Tomcat 4.1.12 with IIS 5. When I connect directly to
> http://localhost:8080/HP/admin/ the Tomcat FORM authentication works fine,
> but when I try to connect to http://localhost/HP/admin I get the following
> error:
>
> HTTP Status 403 - Access to the requested resource has been denied
>
> --------------------------------------------------------------------------
--
> ----
>
> type Status report
>
> message Access to the requested resource has been denied
>
> description Access to the specified resource (Access to the requested
> resource has been denied) has been forbidden.
>
>
> --------------------------------------------------------------------------
--
> ----
>
> Apache Tomcat/4.1.12
>
> Here is the relevant extract from my web.xml file:
>
> <security-constraint>
> <display-name>HP Administration</display-name>
> <web-resource-collection>
> <web-resource-name>Protected Area</web-resource-name>
> <url-pattern>/admin/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>HP_admin</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>users</realm-name>
> <form-login-config>
> <form-login-page>/admin/login.jsp</form-login-page>
> <form-error-page>/error.html</form-error-page>
> </form-login-config>
> </login-config>
>
>
> <!-- Security roles referenced by this web application -->
> <security-role>
> <role-name>HP_admin</role-name>
> </security-role>
>
> I'm using the isapi_redirect.dll filter in IIS to redirect any request to
> *.jsp to Tomcat. (Works fine outside of the secure sections)
>
> Any ideas on how to correct this error.
>
> Paul
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
