Sorry for the long explanation but this is a tricky problem that has me stumped. I hope someone else has experienced this.

We are having a strange problem with FORM based authentication that we can't figure out. It seems to be an issue with the tomcat org.apache.catalina.authenticator.FormAuthenticator class. Can you please pass this on to your tech team to find a solution?

Use Case #1: Works fine.

  1. Type in protected resource into browser URL bar. Click enter key. ( http://mysite.com/app/mypage.jsp )
  2. We are redirected to the login page. Enter username, password. Hit enter.
  3. We are taken to the original URL that we requested.

Use Case #2: Fails all the time.

  1. Visit a user's profile page (profile.jsp). This is an unprotected resource so you can view without logging in: ( http://mysite.com/app/Profile.jsp?name=ROCK )
  2. Click on any action link or button on the page. These are all disabled in "not logged in" mode. A dialog pop-up asks the user if they want to login.
  3. Using javascript a protected resource URL is generated and then (window.location.href = newAddress) is set to the protected resource string: ( http://www.mysite.com/app/a.lookup?name=ROCK ). This URL is mapped to a secured servlet.
  4. The login page is presented to the user with the http://www.mysite.com/app/a.lookup?name=ROCK URL showing in the browser url bar.
  5. Enter user/pass and click login -> This generates a 400 error with message: Invalid direct reference to form login page. This URL is now displayed in the URL bar: http://www.mysite.com/app/j_security_check

    HTTP Status 400 - Invalid direct reference to form login page
    _____
    type Status report
    message Invalid direct reference to form login page
    description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
    _____
    Apache Tomcat/5.5.20

Use Case #2 Extended: Here is the real weird behavior.

  1. After following all the steps in Use Case #2, type in http://mysite.com/app/mypage.jsp on the 400 error page and hit enter.
  2. You are redirected back to the login page. Make sure username and password are empty. Hit enter again.
  3. The control page NOW loads. The first login in use case #2 worked, but it didn't perform the redirect properly.

After adding these to log4j.xml I can see the problem from the log file, but am not sure what is causing it.

    <category name="org.apache.catalina.authenticator">
        <priority value="DEBUG"/>
    </category>
    <category name="org.jboss.security.auth.spi">
        <priority value="DEBUG"/>
    </category>

Here is the log output for case 1. Note the blue line, this is key in showing why case 2 is failing:

    11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
    11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting
    11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting
    11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending
    11:00:01,783 INFO [STDOUT] 11:00:01,783 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending
    11:00:01,783 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'
    11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
    11:00:01,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/captcha
    11:00:01,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
    11:00:08,939 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /mysite/j_security_check
    11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'qq'
    11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'qq' was successful
    11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/mysite/'
    11:00:08,939 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/mysite/j_security_check
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'qq' with type 'FORM'
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
    11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
    11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/CP.jsp
    11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[qq(user,)]
    11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
    11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
    11:00:09,017 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Already authenticated 'qq'
    11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
    11:00:09,017 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
    11:00:09,017 INFO [STDOUT] 11:00:09,017 DEBUG [com.mysite.ejb.bean.MysiteUserBean] findUserByEmail(): Starting
    11:00:09,017 INFO [STDOUT] 11:00:09,017 DEBUG [com.mysite.ejb.bean.MysiteUserBean] findUserByEmail(): Starting
    11:00:09,017 INFO [STDOUT] 11:00:09,017 DEBUG [com.mysite.ejb.bean.MysiteUserBean] getConfigValue(): Starting: config key = UserDBUtils_findUserByEmail

Here is the output for case #2:

    17:52:22,709 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/a.lookup
    17:52:22,709 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
    17:52:22,709 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
    17:52:22,709 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '923F8EA1684EBEB574BD0498B66B807C'
    17:52:22,740 INFO [STDOUT] 17:52:22,740 INFO [com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Starting
    17:52:22,772 INFO [STDOUT] 17:52:22,740 INFO [com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Starting
    17:52:22,772 INFO [STDOUT] 17:52:22,772 INFO [com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Ending
    17:52:22,772 INFO [STDOUT] 17:52:22,772 INFO [com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Ending
    17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManager.Mysite] CallbackHandler: [EMAIL PROTECTED]
    17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created [EMAIL PROTECTED]
    17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManager.Mysite] CachePolicy set to: [EMAIL PROTECTED]
    17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, [EMAIL PROTECTED]
    17:52:22,787 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added Mysite, [EMAIL PROTECTED] to map
    17:52:22,787 INFO [STDOUT] 17:52:22,787 ERROR [AppLogin.jsp] Caught Err: java.lang.IllegalStateException: getAttribute: Session already invalidated
    17:52:22,819 INFO [STDOUT] 17:52:22,819 DEBUG [AppLogin.jsp] principle = null: autoLogin = false: remoteUser = null
    17:52:22,819 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
    17:52:22,928 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/js/loginPage/loginPage1913M.js
    17:52:22,928 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
    17:52:22,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/js/widget/popup/calendar/epoch_classes.js
    17:52:22,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
    17:52:23,007 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/captcha
    17:52:23,007 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
    17:52:23,477 INFO [STDOUT] 17:52:23,477 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting
    17:52:23,477 INFO [STDOUT] 17:52:23,477 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting
    17:52:23,477 INFO [STDOUT] 17:52:23,477 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending
    17:52:23,477 INFO [STDOUT] 17:52:23,477 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Ending
    17:52:29,163 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /mysite/j_security_check
    17:52:29,163 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'qq'
    17:52:29,178 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'qq' was successful
    17:52:29,178 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original 'null'   ********** HERE IS THE PROBLEM
    17:52:29,178 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/mysite/j_security_check

As you can see from the log files, Case #2 fails because the original protected resource URL request was lost.

This is the javascript function called when the login page submit is clicked:

    function submitLogin() {
        // Credentials read from the login form; declared locally so they are
        // not leaked as implicit globals.
        var username = "";
        var password = "";
        var frm = getObject("frmLogin");
        try {
            username = $("j_username").value;
            password = $("j_password").value;
        } catch (ex) {
            showMsg("Login Error", "Login email / password not given.", true);
            return;
        }
        if (getObject('rememberMe').checked == true) {
            // Register the "remember me" choice server-side first, then submit
            // the form to j_security_check once the server confirms.
            ajax.JSON_post(
                '/' + path + '/RememberMe.ucmd',
                { type: 'RememberMe', username: username, password: password },
                function (connectionInstance) {
                    var response = connectionInstance.responseObject;
                    if (response.success == true) {
                        // create cookies here
                        var expires = new Date();
                        expires.setTime(expires.getTime() + 24 * 30 * 60 * 60 * 1000); // sets it for approx 30 days.
                        setCookie("emailCookie", username, expires, "");
                        setCookie("passCookie", password, expires, "");
                        frm.submit();
                    } else {
                        showMsg('Login Error', response.errorMsg, true);
                    }
                },
                function (connectionInstance) {
                    // failure callback: nothing to do, the user can retry
                }
            );
        } else {
            frm.submit();
        }
    }

We are using J2EE Form based Authentication. Under jboss/server/default/conf/login-config.xml I have defined:

    <application-policy name="Mysite">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName">java:/MysiteDS</module-option>
                <module-option name="principalsQuery">
                    select passwd from user where email=?
                </module-option>
                <module-option name="rolesQuery">
                    select role_name,'Roles' from user_role WHERE user_role.email=?
                </module-option>
                <module-option name="unauthenticatedIdentity">AnonymousUser</module-option>
                <module-option name="debug">true</module-option>
            </login-module>
        </authentication>
    </application-policy>

And in mysite project's web.xml file I have (this is repeated for the many resources we have protected, this is just one example):

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Define the context-relative URL(s) to be protected -->
            <url-pattern>/mypage.jsp</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/jsp/login/AppLogin.jsp</form-login-page>
            <form-error-page>/jsp/LoginError.login?badLogin=1</form-error-page>
        </form-login-config>
    </login-config>
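Added example (not part of the post above, and not code from Tomcat or JBoss): a small log-correlation script that reads the FormAuthenticator DEBUG output quoted in the post and reports whether the request that was saved before the login page survived until the j_security_check POST. FormAuthenticator keeps the saved request as an attribute of the HttpSession, so any code that invalidates that session between the save and the login POST (the sessionDestroyed and "Session already invalidated" lines in case #2) drops it, and the authenticator then has nothing to redirect to. The two sample logs are constructed, trimmed copies of the case #1 and case #2 output in the post; the case #1 sample adds a "Security checking request GET /mysite/" line that the post's excerpt begins after.

```python
import re

# Patterns for Tomcat 5.5 AuthenticatorBase / FormAuthenticator DEBUG lines and
# for the application's own session listener, as they appear in the post.
CHECK_RE = re.compile(r"Security checking request (GET|POST) (\S+)")
SAVE_RE = re.compile(r"FormAuthenticator\] Save request in session '([0-9A-F]+)'")
REDIRECT_RE = re.compile(r"FormAuthenticator\] Redirecting to original '([^']*)'")
RESTORE_RE = re.compile(r"FormAuthenticator\] Restore request from session '([0-9A-F]+)'")
DESTROYED_RE = re.compile(r"sessionDestroyed\(\): Starting")
INVALIDATED_RE = re.compile(r"Session already invalidated")

# Constructed sample: trimmed case #1 log (login succeeds, redirect restored).
CASE1_LOG = """\
11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/
11:00:01,783 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
11:00:01,783 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'
11:00:08,939 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /mysite/j_security_check
11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'qq' was successful
11:00:08,939 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/mysite/'
11:00:08,955 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/
11:00:08,955 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '9C4BD2BD9D4E092A3B2CB56B39FC81FD'
"""

# Constructed sample: trimmed case #2 log (session invalidated, redirect lost).
CASE2_LOG = """\
17:52:22,709 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mysite/a.lookup
17:52:22,709 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '923F8EA1684EBEB574BD0498B66B807C'
17:52:22,740 INFO [STDOUT] 17:52:22,740 INFO [com.mysite.web.MysiteSessionContextListener] sessionDestroyed(): Starting
17:52:22,787 INFO [STDOUT] 17:52:22,787 ERROR [AppLogin.jsp] Caught Err: java.lang.IllegalStateException: getAttribute: Session already invalidated
17:52:23,477 INFO [STDOUT] 17:52:23,477 INFO [com.mysite.web.MysiteSessionContextListener] sessionCreated(): Starting
17:52:29,163 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /mysite/j_security_check
17:52:29,178 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'qq' was successful
17:52:29,178 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original 'null'
"""


def diagnose(log_text):
    """Walk one login attempt in order and report whether the request that
    FormAuthenticator saved in the session survived until j_security_check."""
    last_checked = None            # URI of the most recent security check
    saved_session = None           # session id the saved request was stored in
    protected_uri = None           # the resource that triggered the login page
    destroyed_before_login = False
    invalidated_before_login = False
    redirect_target = None         # what 'Redirecting to original' reported
    restored_session = None

    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            last_checked = m.group(2)
        m = SAVE_RE.search(line)
        if m:
            saved_session = m.group(1)
            protected_uri = last_checked
            continue
        m = REDIRECT_RE.search(line)
        if m:
            redirect_target = m.group(1)
            continue
        m = RESTORE_RE.search(line)
        if m:
            restored_session = m.group(1)
            continue
        # Only session events between the save and the redirect can lose it.
        if saved_session is not None and redirect_target is None:
            if DESTROYED_RE.search(line):
                destroyed_before_login = True
            if INVALIDATED_RE.search(line):
                invalidated_before_login = True

    lost = saved_session is not None and redirect_target in (None, "null")
    if lost and (destroyed_before_login or invalidated_before_login):
        cause = "session holding the saved request was invalidated before j_security_check"
    elif lost:
        cause = "saved request missing; no session invalidation seen in this log"
    else:
        cause = None
    return {
        "protected_uri": protected_uri,
        "saved_session": saved_session,
        "session_destroyed_before_login": destroyed_before_login,
        "redirect_target": redirect_target,
        "restored_from_same_session": restored_session is not None and restored_session == saved_session,
        "saved_request_lost": lost,
        "likely_cause": cause,
    }


if __name__ == "__main__":
    for name, log in (("case 1", CASE1_LOG), ("case 2", CASE2_LOG)):
        print(name, diagnose(log))
```

Run as a script it prints one dictionary per case; on a real log file, feed diagnose() the lines of a single session's login attempt (for example the slice from a "Save request in session" line to the next "Redirecting to original"). The "Invalid direct reference to form login page" 400 is Tomcat refusing a j_security_check POST for which no saved request exists, which is exactly the state this script flags, so the place to look is whatever runs on the login page between those two log lines and calls session.invalidate().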