you'd be surprised. I've got about 130 users on an app here, and we require 
them to change their password every 90 days.

There's about 9-10 people who ALWAYS get flagged, but from THEIR machine! One 
girl cleared out her cache and it worked. The rest of them? We had them clear 
out their disk cache, their temp files, reboot, everything, and they still get 
this.

And the odd thing is, I added a second page with the same params to try and 
"fool Tomcat," to no avail. Strangely enough though, they can appropriately get 
to other files and pages in the secure realm, just not that one.

So I send those people a non-protected link and let them change it.

One thing I didn't try which probably would make zero difference is dropping a 
package and then reimporting it and rebuilding. Like I said, I'm sure it 
wouldn't help, but I don't know why some people could get there and others not, 
and a couple were helped by clearing browser cache and others still not.

-----Original Message-----
From: Michael Teter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 15, 2008 6:30 AM
To: Post-to Tomcat Users
Subject: that old problem - Invalid direct reference to form login page


Howdy.

I've just spent two hours Googling, Yahooing, and searching the Tomcat list
for a fix for this problem:

PROBLEM (with steps leading to)

I attempt to access a private page (myview.jsp)
Tomcat 5.5 properly sends me to login.jsp
I enter my username/password, submit, and my JNDIRealm LDAP lookup is made
I get the error page:
  HTTP Status 400 - Invalid direct reference to form login page

This is a pretty simple case.  Everything I've seen on forums related to
this problem focus on the idea that the user has directly requested the
login page.  I absolutely haven't done that.

I've tried adding some stuff to the top of the login.jsp (as per a
suggestion on one of the Sun forums) to send the request elsewhere if the
session exists.  I've explored a lot of things, but it still makes no sense
to me.

My best guess is that there's something wrong with my Realm definition in
server.xml, or in my security stuff in web.xml.  So for reference, here are
the interesting bits of each:

----- server.xml ----
        <Context path="/ui2"
             docBase="C:\work\ui2"
             privileged="true"
             reloadable="true"
             cookies="true"
             debug="true">
          <Realm className          = "org.apache.catalina.realm.JNDIRealm"
                 debug              = "99"
                 connectionURL      = "ldap://192.168.223.129:3268"
                 connectionName     = "vm2003\ldapqueryuser"
                 connectionPassword = "supersecret"
                 referrals          = "follow"
                 userBase           = "dc=vm2003,dc=local"
                 userSearch         = "(sAMAccountName={0})"
                 userSubtree        = "true"
                 digest             = "MD5"
                 roleBase           = "dc=vm2003,dc=local"
                 roleName           = "cn"
                 roleSubtree        = "true"
                 roleSearch         = "(member={0})"
            /> <!-- end of realm -->

         ...
      </Context> <!-- end of context -->

----- web.xml ----

...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ui2users</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-failure.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>ui2users</role-name>
    </security-role>

 ...

__________________

I've spent time in books on safari.oreilly, reading countless tutorials and
docs online, and I'm at a dead end.

I surely hope someone sees where I've made a mistake.

Thanks,
Michael
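The guard the poster alludes to (sending the browser elsewhere from the login page when no session is present) as an added example, not code from either message in this thread. It assumes a servlet filter mapped to /login.jsp in web.xml and uses /myview.jsp as a hypothetical protected entry point; the 400 appears when the POST to j_security_check reaches Tomcat with no saved request in the session, which is also what happens when a cached copy of login.jsp is submitted with a stale or missing JSESSIONID cookie, so the filter also marks the page no-store.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards the FORM login page. Tomcat answers the POST to j_security_check
 * with "400 Invalid direct reference to form login page" when the session
 * carries no saved request, i.e. the browser did not arrive through a
 * protected URL, or no longer presents the session cookie that ties it to
 * that saved request. Map this filter to /login.jsp (REQUEST dispatcher
 * only): the container's own forward to login.jsp is not filtered, so the
 * redirect below only fires on direct browser requests for the page.
 */
public class LoginPageGuardFilter implements Filter {
    // Hypothetical protected entry point; any URL under the constraint works,
    // because requesting it makes the authenticator create a fresh session
    // and saved request before it shows login.jsp again.
    private static final String PROTECTED_ENTRY = "/myview.jsp";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        if (session == null) {
            // No session, so no saved request: start the challenge over.
            response.sendRedirect(request.getContextPath() + PROTECTED_ENTRY);
            return;
        }
        // Never let a browser or proxy serve a stale copy of the login form.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

A session that exists but has lost its saved request (for example after a timeout) still produces the 400; the filter cannot see Tomcat's internal session note, so the no-store headers are what keep a cached form from being resubmitted against such a session.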

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]