Up to now I had always thought I understood the security aspects of the Servlet spec quite well. Looks like I was wrong...

[Problem]
Upon session time-out the request is not forwarded to the login page (form based auth). Nothing happens on the UI. However, forwarding to the login page does work during the initial login into the application.

[Setup]
Tomcat 5.0.28, but the behavior is the same in 5.5.
Application entry page at /app/app.jsp.
Entry Servlet at /app/AppServlet.
Login page at /public/login.jsp.
web.xml looks like this:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/app/app.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/app/AppServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/public/login.jsp</form-login-page>
      <form-error-page>/public/login.jsp?retry=true</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>*</role-name>
  </security-role>

When I initially request /app/app.jsp Tomcat forwards to /public/login.jsp as expected, I can login (using JDBCRealm) and will be forwarded to /app/app.jsp.

[Analysis]
I started Tomcat in debug mode with debug log level and set a breakpoint in FormAuthenticator.authenticate(HttpRequest, HttpResponse, LoginConfig). I see that eventually RequestDispatcher#forward() is invoked because it was detected that the request needs to be authenticated. I followed the control flow to ApplicationDispatcher.doForward(ServletRequest, ServletResponse) but nothing seems to be wrong - at least to me. The log contains the following:

23:27:55,251 DEBUG AuthenticatorBase:413 - [] Security checking request POST /app/AppServlet
23:27:55,252 DEBUG RealmBase:422 - [] Checking constraint 'SecurityConstraint[myapp, myapp]' against POST /app/AppServlet --> true
23:27:55,253 DEBUG AuthenticatorBase:484 - Calling hasUserDataPermission()
23:27:55,253 DEBUG RealmBase:752 - User data constraint has no restrictions
23:27:55,254 DEBUG AuthenticatorBase:502 - Calling authenticate()
23:28:25,246 DEBUG FormAuthenticator:208 - Save request in session '2E77E8D1AF28AA5369AE8DCD334960C5'
// Why would the servletPath be empty? Potential problem?
23:28:27,500 DEBUG ApplicationDispatcher:148 - servletPath=, pathInfo=/public/login.jsp, queryString=null, name=null
23:29:11,136 DEBUG ApplicationDispatcher:381 - Path Based Forward
23:30:58,381 DEBUG ApplicationDispatcher:418 - Disabling the response for futher output
23:31:35,471 DEBUG AuthenticatorBase:506 - Failed authenticate() test

Kind regards,
Marcel

--
Marcel Stör, http://www.frightanic.com
Blog: http://frightanic.wordpress.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer


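A small check worth running against a web.xml like the one posted above, as an added example and not code from the poster or from Tomcat: under the Servlet spec a `<security-constraint>` whose `<web-resource-collection>` lists `<http-method>` elements applies only to those methods, while a collection with no `<http-method>` elements applies to every method. The script below parses the posted fragment (embedded here as a constructed sample wrapped in a `<web-app>` root, which the mail omits) and reports, per URL pattern, which methods the constraint covers and which it leaves to fall through unconstrained. The method list `ALL_METHODS` is an assumption chosen for illustration; extend it to whatever your container accepts.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragment from the mail, wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/app/app.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/app/AppServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/public/login.jsp</form-login-page>
      <form-error-page>/public/login.jsp?retry=true</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Assumed method set for the report; not taken from the mail or the Servlet spec.
ALL_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def constraint_coverage(web_xml):
    """Return {url_pattern: {"roles": [...], "covered": [...], "uncovered": [...]}}.

    A collection that lists <http-method> elements constrains only those
    methods; a collection with none constrains all of ALL_METHODS.
    """
    root = ET.fromstring(web_xml)
    report = {}
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for wrc in sc.findall("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.findall("http-method")}
            covered = listed if listed else set(ALL_METHODS)
            for pat in wrc.findall("url-pattern"):
                report[pat.text.strip()] = {
                    "roles": roles,
                    "covered": sorted(covered),
                    "uncovered": sorted(set(ALL_METHODS) - covered),
                }
    return report


def login_config(web_xml):
    """Return the auth method and form pages declared in <login-config>."""
    root = ET.fromstring(web_xml)
    lc = root.find("login-config")
    return {
        "auth_method": lc.findtext("auth-method"),
        "login_page": lc.findtext("form-login-config/form-login-page"),
        "error_page": lc.findtext("form-login-config/form-error-page"),
    }


if __name__ == "__main__":
    for pattern, info in constraint_coverage(WEB_XML).items():
        print(f"{pattern}: roles={info['roles']} covered={info['covered']} "
              f"uncovered={info['uncovered']}")
    print(login_config(WEB_XML))
```

Run it as-is to see that both protected patterns in the posted fragment leave HEAD, OPTIONS and TRACE outside the constraint; dropping the `<http-method>` elements makes the constraint apply to every method.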