Hi,

I am having a problem with Tomcat - if I log on to a page which contains a 
restricted resource, it shows me the page (and any unrestricted images, etc), 
but doesn't show the restricted resource (I believe Tomcat thinks the user is 
not authenticated and sends the 403 page, judging by the 3478b size of the 
request). When I move on to another page (or reload the same page) I am sent to 
the logon screen again; after I logon from here everything works as it should.
The protected resource is some JavaScript; it is dynamically created as it 
varies from user to user.

This happens on Tomcat 6.0.24 and 6.0.26, but not 6.0.20, which makes me think 
it is related to change 45255 (Provide protection against session fixation by 
changing session ID automatically on authentication.). In the dev environment 
Tomcat is running on Windows XP. Session tracking is done by cookie, not URL 
rewriting.

Below is a(n abridged) snapshot of the access log; the last field is the cookie 
sent by the browser.
dataservlet1, dataservlet2 and javascriptservlet are restricted to logged-on 
users; nothing under /frontend has any security constraints.
The sequence of events, from the browser end, is:
(1) A request is made to dataservlet1
(2) The user logs in (and Tomcat rewrites the cookie)
(3) The user is forwarded to the dataservlet1 page; frontend resources are 
displayed, but the javascriptservlet is not, as it has been requested with the 
old cookie (this happens on IE and Firefox, so doesn't appear to be a browser 
issue); the apparent attempt to logon for the javascriptservlet also throws 
another cookie into the mix
(4) Another page is requested
(5) The user is sent to the login page
(6) They log in again (getting a third cookie), and from this point everything 
is OK

#Fields: c-dns x-H(remoteUser) date time x-H(protocol) cs-method cs-uri sc-status bytes x-H(requestedSessionId)
#Version: 2.0
#Software: Apache Tomcat/6.0.26
(1)
localhost - 2010-04-08 12:25:33 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 3478 -
localhost - 2010-04-08 12:25:33 'HTTP/1.1' GET /frontend/images/image1.gif 200 125 '6A193109AA'
(2)
localhost - 2010-04-08 12:25:42 'HTTP/1.1' POST /j_security_check 302 - '6A193109AA'
localhost - 2010-04-08 12:25:42 'HTTP/1.1' POST /j_security_check 302 - '6A193109AA'
(3)
localhost 'user75' 2010-04-08 12:25:46 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 22904 '949F3A1AED'
localhost - 2010-04-08 12:25:46 'HTTP/1.1' GET /frontend/includes/functions.js 200 917 '6A193109AA'
localhost - 2010-04-08 12:25:46 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 3478 '6A193109AA'
localhost - 2010-04-08 12:25:50 'HTTP/1.1' GET /frontend/images/global/logo.gif 200 2393 'DE52CCEEE3'
(4)
localhost - 2010-04-08 12:26:04 'HTTP/1.1' GET /dataservlet2?timestamp=1270729564199 200 3478 'DE52CCEEE3'
localhost - 2010-04-08 12:26:04 'HTTP/1.1' GET /frontend/images/image2.gif 200 125 'DE52CCEEE3'
(5)
localhost - 2010-04-08 12:26:07 'HTTP/1.1' POST /j_security_check 302 - 'DE52CCEEE3'
localhost - 2010-04-08 12:26:07 'HTTP/1.1' POST /j_security_check 302 - 'DE52CCEEE3'
(6)
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /frontend/global.css 200 3032 'D2092750B2'
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /dataservlet2?timestamp=1270729564199 200 22921 'D2092750B2'
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /frontend/includes/functions.css 200 9707 'D2092750B2'
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 5237 'D2092750B2'

Other than moving the dynamically generated javascript into the main body of 
the page, is there a way I can stop this from happening?

Terry
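As an added illustration, not part of Terry's message and not Tomcat code: the script below parses the access-log excerpt above (wrapped lines rejoined) using the field order from its #Fields header, records each session id that is presented to /j_security_check as superseded (Tomcat 6.0.24+ issues a fresh id when form login succeeds, which is the change 45255 behaviour the message points at), and then flags any later request for a protected path that still carries a superseded id. The list of protected paths is taken from the message; the rule that the id sent with the login POST is the one that gets replaced is an assumption stated in the code. Run against the log it isolates exactly the request the message describes: the javascriptservlet fetch with the old cookie, whose 3478-byte body matches the size the message associates with the response the user never sees.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Access-log excerpt copied from the message above, with the wrapped lines rejoined.
# Field order follows the log's #Fields header:
# c-dns x-H(remoteUser) date time x-H(protocol) cs-method cs-uri sc-status bytes x-H(requestedSessionId)
ACCESS_LOG = """\
localhost - 2010-04-08 12:25:33 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 3478 -
localhost - 2010-04-08 12:25:33 'HTTP/1.1' GET /frontend/images/image1.gif 200 125 '6A193109AA'
localhost - 2010-04-08 12:25:42 'HTTP/1.1' POST /j_security_check 302 - '6A193109AA'
localhost - 2010-04-08 12:25:42 'HTTP/1.1' POST /j_security_check 302 - '6A193109AA'
localhost 'user75' 2010-04-08 12:25:46 'HTTP/1.1' GET /dataservlet1?timestamp=1205168884309 200 22904 '949F3A1AED'
localhost - 2010-04-08 12:25:46 'HTTP/1.1' GET /frontend/includes/functions.js 200 917 '6A193109AA'
localhost - 2010-04-08 12:25:46 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 3478 '6A193109AA'
localhost - 2010-04-08 12:25:50 'HTTP/1.1' GET /frontend/images/global/logo.gif 200 2393 'DE52CCEEE3'
localhost - 2010-04-08 12:26:04 'HTTP/1.1' GET /dataservlet2?timestamp=1270729564199 200 3478 'DE52CCEEE3'
localhost - 2010-04-08 12:26:04 'HTTP/1.1' GET /frontend/images/image2.gif 200 125 'DE52CCEEE3'
localhost - 2010-04-08 12:26:07 'HTTP/1.1' POST /j_security_check 302 - 'DE52CCEEE3'
localhost - 2010-04-08 12:26:07 'HTTP/1.1' POST /j_security_check 302 - 'DE52CCEEE3'
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /frontend/global.css 200 3032 'D2092750B2'
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /dataservlet2?timestamp=1270729564199 200 22921 'D2092750B2'
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /frontend/includes/functions.css 200 9707 'D2092750B2'
localhost 'user75' 2010-04-08 12:26:09 'HTTP/1.1' GET /javascriptservlet?request=common.js 200 5237 'D2092750B2'
"""

# Paths the message says sit behind a security constraint (nothing under /frontend does).
PROTECTED_PREFIXES = ("/dataservlet1", "/dataservlet2", "/javascriptservlet")
LOGIN_ACTION = "/j_security_check"

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<user>\S+) (?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"'(?P<protocol>[^']+)' (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) "
    r"(?P<bytes>\S+) (?P<session>\S+)$"
)


@dataclass
class Entry:
    time: str
    user: Optional[str]
    method: str
    path: str            # cs-uri with the query string removed
    status: int
    size: Optional[int]  # None where the log shows '-'
    session_id: Optional[str]


def _unquote(field: str) -> Optional[str]:
    """'-' means absent; other values in this log format are wrapped in single quotes."""
    return None if field == "-" else field.strip("'")


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed log line: {line!r}")
        size = _unquote(m["bytes"])
        entries.append(Entry(
            time=m["time"],
            user=_unquote(m["user"]),
            method=m["method"],
            path=m["uri"].split("?", 1)[0],
            status=int(m["status"]),
            size=int(size) if size is not None else None,
            session_id=_unquote(m["session"]),
        ))
    return entries


def stale_session_requests(entries: List[Entry]) -> List[Entry]:
    """Protected-path requests that still carry a session id already replaced at login.

    Assumption: the requestedSessionId sent with a successful (302) j_security_check POST
    is the id Tomcat replaces, so it no longer identifies the authenticated session.
    A later protected request presenting it was sent by the browser with the old cookie.
    """
    superseded = set()
    flagged: List[Entry] = []
    for e in entries:
        if e.method == "POST" and e.path == LOGIN_ACTION and e.status == 302 and e.session_id:
            superseded.add(e.session_id)
            continue
        if e.session_id in superseded and e.path.startswith(PROTECTED_PREFIXES):
            flagged.append(e)
    return flagged


def session_id_timeline(entries: List[Entry]) -> List[str]:
    """Distinct session ids in first-seen order: shows how many times the cookie changed."""
    seen: List[str] = []
    for e in entries:
        if e.session_id and e.session_id not in seen:
            seen.append(e.session_id)
    return seen


if __name__ == "__main__":
    log = parse_log(ACCESS_LOG)
    print("cookie history:", " -> ".join(session_id_timeline(log)))
    for e in stale_session_requests(log):
        print(f"stale id {e.session_id} on {e.time} {e.method} {e.path} ({e.size} bytes)")
```

The timeline shows four distinct ids for one browser session (the original, the one issued at the first login, the one handed out when the stale javascriptservlet request hit the login flow, and the one issued at the second login), and the only flagged line is the common.js request that arrived with the pre-login id.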
