Re: Programatic JAAS login in Tomcat 6.0.26!

Thu, 20 Jan 2011 09:25:54 -0800 

 Hi Mikolaj and Mark, 


  Thanks for the replay. The problem is that I read the specifications and I 
still don't know how to push the login details 
and the request for the main page in one call. 
   The fact is that I need to open a browser from a swing app with the main 
page 
for my other application(that uses JAAS) programatic.  So the real problem is 
how do push the request from the swing app to open an browser with an 
authenticated user and the main page from my other app. Because as  I already 
said I cannot push to the application that uses JAAS my login credentials and 
the request to my main app. So I push the credentials as I already said but 
HTTP 
Status 400 - Invalid direct reference to form login page because I have no 
initial request with my main page, so that Tomcat can restore it.
   I cannot use JSP, my login page is a simple html page.




Thanks a lot for your time!

 


________________________________
From: Mikolaj Rydzewski <m...@ceti.pl>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Thu, January 20, 2011 5:53:04 PM
Subject: Re: Programatic JAAS login in Tomcat 6.0.26!


On Thu, 20 Jan 2011 15:16:15 +0000, Mark Thomas <ma...@apache.org> wrote:

> Read up on FORM auth in the Servlet spec. There is a specific sequence
> of events that looks roughly like (for a successful auth):
> 
> 1. Browser sends original request
> 2. Server saves request, creates session and responds with login page
> 3. Browser sends login details to server
> 4. Server validates login details
> 5. Server restores saved request and processes it
> 6. Server sends response to original request to browser.

Hi Mark,

That explains problem some people complain about:
When you invalidate session in second step, server is not able to restore 
previous request and leaves user with the same login form with URL 
/j_security_check. Real problem is, that now cryptic error appears: HTTP Status 
400 - Invalid direct reference to form login page.
It's enough for user to open login form page, wait until session invalidates 
due 
to inactivity time, then try to login.
One solution is to use HttpSession.isNew() check on login JSP page and perform 
redirect to e.g. to main page.

-- Mikolaj Rydzewski <m...@ceti.pl>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to