----- Original Message -----
From: "Mike Curwen" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Saturday, August 02, 2003 12:45 AM
Subject: RE: FORM Login Bypassed
> When your dispatcher does the translation, does it forward or include
> the 'actual' resource? Meaning it takes place entirely server-side?
This is how I dispatched it:
// resource is the context-relative path of the target page,
// e.g. "/computers/admin/index.jsp"
RequestDispatcher rd = request.getRequestDispatcher(resource);
try {
    rd.forward(request, response);
} catch (ServletException e) {...}
> If you did a sendRedirect, that would then make the browser request the
> protected resource directly, which would invoke the AUTH, if the AUTH is
> configured correctly. And it looks right to me.
How do you do a sendRedirect? Sorry, I'm still quite green in servlet
programming...
> What it sounds like is that once you are on the server-side (by
> requesting the un-protected /dispatcher resource) that any server-side
> forwards or includes are not being authenticated. I wasn't aware that
> was the case.
>
> It works this way for filters though, but in the next servlet spec (2.4)
> we'll have filter mappings being honoured for forwards and includes as
> well (configurable).
Thanks a lot for the help and info!
>
> > -----Original Message-----
> > From: Ronnie [mailto:[EMAIL PROTECTED]
> > Sent: Friday, August 01, 2003 11:35 AM
> > To: [EMAIL PROTECTED]
> > Subject: FORM Login Bypassed
> >
> >
> > Hi!
> >
> > I have this web application using FORM login access but I am
> > having a problem directing the navigation to the defined login
> > page when a user clicks on a secure link.
> >
> > You see, I am using a DispatcherServlet as a navigation
> > controller to direct users to the correct page and the URL is
> > coded as:
> >
> > <a href="dispatcher?action=admin">admin</a>
> >
> > Where "dispatcher" is the URL name of the DispatcherServlet.
> > In the servlet, "admin" is translated to
> > "/computers/admin/index.jsp" from values coded in web.xml.
> >
> > Now when I declare the protected url-pattern as
> > "/computers/admin/*" as below and click on the above link,
> > the login page is bypassed and I can access the admin index
> > page without logging in.
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Administration functions</web-resource-name>
> >     <!-- <url-pattern>dispatcher?action=admin</url-pattern> Does not work! -->
> >     <url-pattern>/computers/admin/*</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <!-- Anyone with one of the listed roles may access this area -->
> >     <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >   <!-- HTTPS/SSL -->
> >   <user-data-constraint>
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <form-login-config>
> >     <form-login-page>dispatcher?action=adminLogin</form-login-page>
> >     <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
> >   </form-login-config>
> > </login-config>
> >
> > To overcome this I had to hardcode the link in my webpage as:
> > <a href="/Computers/computers/admin/index.jsp">admin</a>
> >
> > I wish to keep my navigation based on logical names. Is there
> > a work-around or solution to this problem?
> >
> >
> >
> > Regards,
> > Ronnie Choo
> > Singapore
> >
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
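Ronnie asks above how to do a sendRedirect, and Mike's diagnosis is that the container only evaluates <security-constraint> against the URL the browser requested, so a server-side forward() never triggers the FORM login. The servlet below is an added example written for this page, not code from either poster or from Tomcat: a navigation controller that resolves the logical action name and, when the target falls under the protected /computers/admin/* pattern, redirects the browser to it instead of forwarding, so the container's authentication and CONFIDENTIAL transport rules are applied on the fresh request. Only /computers/admin/index.jsp and the /computers/admin/ prefix come from the thread; the action table, the other paths in it, and the class name are constructed, and the original loads its action mapping from web.xml rather than hard-coding it.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative navigation controller (hypothetical; not the poster's
 * DispatcherServlet). Logical action names map to context-relative paths.
 * Assumed to be mapped to /dispatcher in web.xml, as in the thread.
 */
public class SafeDispatcherServlet extends HttpServlet {

    // Constructed action table; the thread's servlet reads its mapping from web.xml.
    private static final Map<String, String> ACTIONS = new HashMap<String, String>();
    static {
        ACTIONS.put("home", "/computers/index.jsp");          // constructed
        ACTIONS.put("admin", "/computers/admin/index.jsp");   // from the thread
        ACTIONS.put("adminLogin", "/computers/login.jsp");    // constructed
    }

    // Must agree with the <url-pattern> of the <security-constraint> in web.xml.
    private static final String PROTECTED_PREFIX = "/computers/admin/";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String action = request.getParameter("action");
        String target = (action == null) ? null : ACTIONS.get(action);
        if (target == null) {
            // Unknown logical name: refuse rather than guess at a path.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        if (target.startsWith(PROTECTED_PREFIX)) {
            // A forward() is invisible to the container's security layer, because
            // the security constraint was already evaluated against the request
            // for the unprotected /dispatcher URL. A redirect makes the browser
            // request the protected URL directly, so the FORM login and the
            // CONFIDENTIAL transport guarantee are enforced by the container.
            //
            // sendRedirect() treats a leading "/" as relative to the container
            // root, not to this web application, so the context path ("/Computers"
            // in the poster's deployment) must be prepended explicitly.
            String location = request.getContextPath() + target;
            response.sendRedirect(response.encodeRedirectURL(location));
            return;
        }

        // Unprotected targets can keep the server-side forward as before.
        request.getRequestDispatcher(target).forward(request, response);
    }
}
```

Two design notes. First, the prefix check deliberately keys off the resolved path rather than the action name, so adding a new protected page to the action table cannot silently reintroduce the bypass as long as it lives under the protected url-pattern. Second, where a forward to a protected page is genuinely required (for example after handling a POST), the servlet should not rely on the container at all but check request.getUserPrincipal() and request.isUserInRole("admin") itself before forwarding, since, as Mike notes, forwards and includes are not re-authenticated; Servlet 2.4 adds a <dispatcher> element to <filter-mapping> so that a filter can be applied to FORWARD and INCLUDE dispatches, which gives a declarative place for such a check.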