Mark,
On 8/16/24 11:38, Mark Thomas wrote:
On 16/08/2024 16:16, Fernando wrote:
Hi all,
I need help with problem that I can't fix.
I am using Apache Tomee 8, but I know that Apache Tomee rest on Apache
Tomcat, in this case version 9.
My problem is when some user exit from application this forwa
On 16/08/2024 16:16, Fernando wrote:
Hi all,
I need help with problem that I can't fix.
I am using Apache Tomee 8, but I know that Apache Tomee rest on Apache
Tomcat, in this case version 9.
My problem is when some user exit from application this forward to login
page doing this:
HttpSession
original request that started it all, through the full login-error-new login
sequence.
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Sunday, December 01, 2013 4:05 PM
To: Tomcat Users List
Subject: Re: j_security_check error
J. Brian Hall wrote:
I’m
J. Brian Hall wrote:
I’m using Tomcat and a MySQL database that contains
usernames/passwords/roles for form-based authentication. Logging in with
correct username/password successfully directs to index.jsp (from
login.jsp). Logging in with incorrect username/password successfully
directs to err
2011/8/15 Chen Paz :
>
> Hi,
>
> I am using a servlet to intercept form based authentication in order to
> insert attribute into the request
What parameter do you want to insert into the request ?
I don't know, but maybe you can do the same with a custom realm
Or, using by Spring Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 8/15/2011 9:49 AM, Caldarale, Charles R wrote:
>> From: Chen Paz [mailto:chen@expand.com] Subject:
>> j_security_check and RequestDispatcher forward
>
>> I am using a servlet to intercept form based authentication in
>> order to insert
Filter is not possible. AFAIK you can not use filter before j_security_check in
Tomcat...
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Monday, August 15, 2011 4:50 PM
To: Tomcat Users List
Subject: RE: j_security_check and RequestDispatcher
> From: Chen Paz [mailto:chen@expand.com]
> Subject: j_security_check and RequestDispatcher forward
> I am using a servlet to intercept form based authentication in order
> to insert attribute into the request and then to redirect the request
> to j_security_check using RequestDispatcher.
I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Papado,
On 12/21/2009 5:23 PM, vpapado wrote:
> Thank you for fast reply.
> I try everything. Open in different browser, etc.
> But the whole login procedure seems to result to error from Tomcat when I
> have my flash on the login.jsp page.
> When I r
Hello,
Indeed that was it!
I moved the flash into another folder that is not protected, and now it
works.
Thanks you!
Bye
vpapado wrote:
>
> Hello,
>
> I have a problem authenticating my users with j_security_check
> interworking with a flash on my login.jsp page.
>
> Here is how things go
On 21/12/2009 21:50, vpapado wrote:
Hello,
I have a problem authenticating my users with j_security_check interworking
with a flash on my login.jsp page.
Here is how things go:
I use j_security_check method to authenticate my users.
As a result, I have assigned a login.jsp page where I have a
Hello,
Thank you for fast reply.
I try everything. Open in different browser, etc.
But the whole login procedure seems to result to error from Tomcat when I
have my flash on the login.jsp page.
When I remove this flash everything seems to work OK.
Is there a possibility that j_security_check type
Try resetting your browser, meaning fully close it, or try from a
different browser. Same result? I sometimes get the exact same
"(/./j_security_check) is not available." when i have had my
browser open on the doc for while and re-authenticate. Same thing
happens on my cisco call manager when i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Peibel,
On 12/15/2009 8:03 AM, peibel80 wrote:
>>> I have a web application (java,jsp) with j_security_check but the user
>>> that
>>> i use to authenticate need change por other in the Simpleprincipal for
>>> j_security_check store in the session as
Pid Ster wrote:
>
> On 15/12/2009 10:03, peibel80 wrote:
>>
>>
>> Hi,
>>
>> I have a problem.
>>
>> I have a web aplication (java,jsp) with j_security_check but the user
>> that
>> i use to authenticate need change por other in the Simpleprincipal for
>> j_security_check store in the session a
On 15/12/2009 10:03, peibel80 wrote:
Hi,
I have a problem.
I have a web aplication (java,jsp) with j_security_check but the user that
i use to authenticate need change por other in the Simpleprincipal for
j_security_check store in the session as the primary user.
Is posible?
I don't think
You should check to see if you are able to get the parameters when the
request(s) is send via a "get" vs. a "post".
--- On Wed, 5/6/09, Sanjay Manchiganti wrote:
From: Sanjay Manchiganti
Subject: Re: j_security_check/j_username/j_password issue in Tomcat Version
6.0.
request but when I do a
request.getParameter("j_username") or request.getParameter("j_password") in a
jsp I'm getting a null value back.
Thanks,
Sanjay.
From: "Caldarale, Charles R"
To: Tomcat Users List
Sent: Tuesda
> From: Sanjay Manchiganti [mailto:ms4san...@yahoo.com]
> Subject: j_security_check/j_username/j_password issue in Tomcat Version
> 6.0.18
>
> Did anything change in terms of j_securitycheck / container managed
> security between these two versions of tomcat?
What "two versions"? The only one yo
I looks like it has changed. I have the same problem getting parameters from
this page that have been submitted via a post. However, I think that maybe the
answer lies in the
valve "org.apache.catalina.authenticator.FormAuthenticator"
I'm sure that if you add the
you will get to the value
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
On 3/13/2009 1:58 PM, Gregor Schneider wrote:
> So will I then be able to access the HttpSession-object created when
> inside HTTPS (login-page) when I'm querying it from within a JSP
> served via plain HTTP?
No, the session will be created i
Chris,
On Fri, Mar 13, 2009 at 5:14 PM, Christopher Schultz
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Gregor,
>
> On 3/13/2009 11:42 AM, Gregor Schneider wrote:
>> So would following scenario work?
>>
>> - login using form-based login via https
>>
>> - when successful:
>> Ht
Hi André,
first: Please forgive me my late answer also to your PM, however, I
was really busy here so that I didn't find any time to answer in an
appropriate (aka detailed) manner.
So here we go:
Customers
When talking about customers, I'm actually talking about our staff
from t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
On 3/13/2009 11:42 AM, Gregor Schneider wrote:
> So would following scenario work?
>
> - login using form-based login via https
>
> - when successful:
>HttpSession session = request.getSession();
>// guess that shoudln't happen
>
Chris,
On Fri, Mar 13, 2009 at 3:26 PM, Christopher Schultz
wrote:
>
> Just to be clear, it's the session creation that is sensitive to SSL,
> not the actual login (authentication step). If your session exists and
> is visible to non-secure communications before authentication, then it
> will als
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
André,
On 3/13/2009 10:38 AM, André Warnier wrote:
> Unless I am mistaken, I don't think that using HTTPS in order to protect
> the user-id/password from eavesdropping by some miscreant, you
> necessarily have to have a Verisign certificate for each s
Hi guys. I'm following this loosely, along with some other threads.
There is another one going on right now which also talks about
authentication, hijacking JSESSIONID etc..
Gregor, what is not very clear to me, and maybe you want to do a wrapup,
is what exactly you are - and are not - trying
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 3/10/2009 3:24 PM, Caldarale, Charles R wrote:
>> From: Gregor Schneider [mailto:rc4...@googlemail.com]
>> Subject: j_security_check & SSL
>>
>> is there any way to achieve encryption for the
>> Login-process without a valid SSL-cert?
>
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
On 3/10/2009 5:44 PM, Gregor Schneider wrote:
> Mark,
>
> On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas wrote:
>>
>> Ditch FORM auth, use DIGEST.
>>
> I'm afraid I don't see how to combine DIGEST with a Login-form - and
> that's a customer re
Mark,
On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas wrote:
>
> Ditch FORM auth, use DIGEST.
>
I'm afraid I don't see how to combine DIGEST with a Login-form - and
that's a customer request.
I know that SecurityFilter is quite a handy tool, however, that
doesn't support Tomcat's SSO-functionality
> From: Gregor Schneider [mailto:rc4...@googlemail.com]
> Subject: j_security_check & SSL
>
> is there any way to achieve encryption for the
> Login-process without a valid SSL-cert?
We normally use a self-signed certificate. That does pop up a browser message
to that effect, which might scare
Gregor Schneider wrote:
> And another one:
>
> AFAIK, when using Form-based Authentication, the parameters for
> j_security_check are send in a readable manner over the wire, thus
> prone for an attack.
Correct.
> Therefore, it is recommended to use SSL-encription for the Form-Loginpage.
Correct.
ould seem to be an improvement.
It is also used by 'industry professionals' and works perfectly well for me.
Am happy to be corrected if I'm wrong.
p
> Regards,
>
> Justin
>
> Here is an example:
>
>> Date: Wed, 7 Jan 2009 09:35:33 +0100
>> Fro
lier statements were incorrect, I encourage you to
provide another "better" working example. This one works for me and is used by
other industry professionals.
Regards,
Justin
Here is an example:
> Date: Wed, 7 Jan 2009 09:35:33 +0100
> From: rc4...@googlemail.com
> To: use
played content, (e.g. static or cached
> content), but if you want a secure site you've got to lock it down, from
> top to bottom.
In fact, in regard to the email example: I think I'd rather my email was
private actually, when I consider how many passwords/resets I ge
nt a secure site you've got to lock it down, from
top to bottom.
p
> Hope this helps.
>
> Justin
>
>> Date: Tue, 6 Jan 2009 19:01:24 -0200
>> From: diegogus...@gmail.com
>> To: users@tomcat.apache.org
>> Subject: Re: j_security_check with htt
Hi Justin,
On Wed, Jan 7, 2009 at 4:13 AM, Justin Randall wrote:
>
> Create a Filter subclass with the sole purpose of having its "doFilter"
> method call "sendRedirect" on the HttpServletResponse object. Map this
> Filter to the same URL pattern you use for SSL and make sure to use the
> ta
> From: Justin Randall [mailto:ran...@hotmail.com]
> Subject: RE: j_security_check with https
>
> There is a point of switching back to HTTP after HTTPS. From
> a server load perspective having to perform SSL computations
> for every single HTTP request can be a serious perfor
.
Hope this helps.
Justin
> Date: Tue, 6 Jan 2009 19:01:24 -0200
> From: diegogus...@gmail.com
> To: users@tomcat.apache.org
> Subject: Re: j_security_check with https
>
> this didnt work
>
>
>
>
>
>
My question is how to combine the form based authentication, where we use
"jsecuritycheck" , "jusername" etc with https.
As far as I know if we use form based authentication username and
password will be authenticated by the container managed resource
called 'jsecuritycheck". But the data transfer
Gregor Schneider wrote:
> On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava
> wrote:
>> no man, example, email
>>
>> when u login, your username and password will be transport https, but
>> after that, you are in http! u dont need https because, you are only
>> reading messages(emails)
>>
>
>
if i try /login/login.jsp work, but when i try an action and
has restrict access, and havent user logged, tomcat redirect to login
page with http !!!
2009/1/6 Caldarale, Charles R :
>> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
>> Subject: Re: j_se
> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
> Subject: Re: j_security_check with https
>
> when u login, your username and password will be transport https, but
> after that, you are in http! u dont need https because, you are only
> reading messages(emails)
On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava
wrote:
> no man, example, email
>
> when u login, your username and password will be transport https, but
> after that, you are in http! u dont need https because, you are only
> reading messages(emails)
>
Then just phrase your url-pattern in y
no man, example, email
when u login, your username and password will be transport https, but
after that, you are in http! u dont need https because, you are only
reading messages(emails)
2009/1/6 Caldarale, Charles R :
>> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
>>
> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
> Subject: Re: j_security_check with https
>
> when i try to access mySecurePath for example, tomcat show me a login
> page with https but after that i dont need for example be with https,
> because i only need to send
"orm Based Authentication has the same lack of security as Basic
Authentication since the user password is transmitted as plain text
and the target
server is not authenticated. Again additional protection can alleviate
some of these
concerns: a secure transport mechanism (HTTPS)."
i want " secure
let me explain
when i try to access mySecurePath for example, tomcat show me a login
page with https but after that i dont need for example be with https,
because i only need to send protected username and password.
i want to only need login.jsp with https!!
2009/1/6 Pid :
> Diego Armando Gusa
Diego Armando Gusava wrote:
> i dont know how to request j_security_check on https!
>
> i attemped http://wiki.apache.org/tomcat/SSLWithFORMFallback but didnt work
I think the above attempts to find an SSL cert, but falls back to FORM
auth. Which isn't perhaps what you want?
>
>
i dont know how to request j_security_check on https!
i attemped http://wiki.apache.org/tomcat/SSLWithFORMFallback but didnt work
/login.do
/login/loginError.jsp
tomcat redirect to Http!
c
Gregor Schneider wrote:
> Hi there,
>
> I'm just wondering one thing:
>
> When using formbased authentication within Tomcat aka
> j-security_check, the credentials are sent over the wire.
>
> No problem when using SSL, however, when using a simple HTTP-request,
> I figure that this scenario migh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Martin,
Martin Dubuc wrote:
> I will describe the browser interactions with regards to the access logs.
Thanks, this was helpful.
> My assumption is that clicking on OK caused the client to be
> redirected to sessionTimeout.jsf.
I think you mean th
Christopher,
I will describe the browser interactions with regards to the access logs.
At 17:13:06, the user accessed the main.jsf page. The session timeout for
the application is 1 minute. The main.jsf page has meta tag that redirectes
to sessionTimeout.jsf after 1 minute. The main.jsf page also
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Martin,
Martin Dubuc wrote:
> I finally managed to get the sessions to time out after 1 minute.
What did you have to change?
> Here is the security-constraint definition:
>
>
>
> Page constraints for users
I finally managed to get the sessions to time out after 1 minute. This makes
it much easier for testing purposes! I style get the exception however.
Here is the security-constraint definition:
Page constraints for users
/index.htm
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Martin,
Martin Dubuc wrote:
> I am not sure I understand exactly why, but it seems to me that, although
> the sessionTimeout.jsp page is not protected, if the user responds to
> "Navigate away" prompt after Tomcat removes the session from the session
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
Gregor Schneider wrote:
> Hi Chris,
>
> On Tue, Dec 2, 2008 at 4:13 PM, Christopher Schultz
> <[EMAIL PROTECTED]> wrote:
>> For Securityfilter's next version, we are attempting to make it easy to
>> implement it as a Tomcat Valve, which shoul
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
Gregor Schneider wrote:
> The link looks like this:
>
> src="../snbulletopen.gif" border="0" align="absmiddle"> Medizin
>
> As you can see, in this menue there's always the target (the inner
> frame) specified.
>
> However, j_security_chec
Hi Chris,
On Tue, Dec 2, 2008 at 4:13 PM, Christopher Schultz
<[EMAIL PROTECTED]> wrote:
>
> For Securityfilter's next version, we are attempting to make it easy to
> implement it as a Tomcat Valve, which should allow things like SSO.
>
Do you have any information when this next version will be av
Hi Chris,
On Tue, Dec 2, 2008 at 3:51 PM, Christopher Schultz
<[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
>> Now if the session times out, the user clicks on the menue, the url
>> requested is the source of the IFrame.
>
> This shouldn't be the case: the URL re
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mikolaj,
Mikolaj Rydzewski wrote:
> You can try to use securityfilter (and deal with AA on your (or
> securityfilter's) own), or implement tomcat-specific solution using
> Valves.
For Securityfilter's next version, we are attempting to make it easy t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
Gregor Schneider wrote:
> However, if you have a webapp working with frames, this scenario does not
> work.
>
> Imagine a webpage having this structure:
[snip]
> Now if the session times out, the user clicks on the menue, the url
> request
Gregor Schneider wrote:
- the bad news: Since SecurityFilter does not support SingleSignOn,
looks that I'm not able to use it without adapting the code.
Another thought: Might a customized JAAS-implementation be a solution?
Since I haven't been dealing with JAAS yet - does anybody know a good
s
Hi Mikolaj,
On Mon, Dec 1, 2008 at 1:50 PM, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote:
>
> Try http://securityfilter.sourceforge.net/
>
- the good news: Your karma has grown
- the bad news: Since SecurityFilter does not support SingleSignOn,
looks that I'm not able to use it without adapting
Gregor Schneider wrote:
Now enlarge your personal karma and be so kind to post some
suggestions, please ;)
Try http://securityfilter.sourceforge.net/
--
Mikolaj Rydzewski <[EMAIL PROTECTED]>
-
To start a new topic, e-mail:
... or simply switch to BASIC auth-method.
Rossen
- Original Message -
From: "Christopher Schultz" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Thursday, September 25, 2008 6:42:40 PM GMT -05:00 US/Canada Eastern
Subject: Re: j_security_check requires sess
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Paul,
[EMAIL PROTECTED] wrote:
> It seems that tomcat expects that I already have a session established
> before posting the username and password. If I don't already have a
> JSESSIONID cookie, j_security_check returns a 408.
This behavior adheres
[EMAIL PROTECTED] wrote:
> I am having a problem posting credentials to j_security_check for
> form-based authentication.
>
> It seems that tomcat expects that I already have a session established
> before posting the username and password. If I don't already have a
> JSESSIONID cookie, j_securi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Tokajac,
Tokajac wrote:
> Now, i want to check another column on login: userstatus. Value of the
> column can be 0 or 1. Only users with correct username and status 1 can
> login.
>
> How can i do this with j_security_check?
Mark's suggestion of usi
Tokajac wrote:
> Hello!
>
> For Connection on database i initialize in context.xml:
> [CODE]
> driverName="com.Driver"
> connectionURL="jdbc:url"
> connectionName="CONNAME" connectionPassword="CONPASS" userTable="BFWBBUSR"
> userNameCol="LOGINNM" userCredCol="USRPASS"
> userRoleTable="BF
thanks Christopher,
I found another solution, I use a custom class UserPricipal with userName
and userId parameter, when the user is autheticated, I populate userId. on
the servlet,
I get the UserPrincipal object from the request.
best regards!
Christopher Schultz-2 wrote:
>
> -BEGIN PG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
lmk,
lmk wrote:
> Im using form based jaas authentication, I have to call a stored procedure
> with the user name and password to ininitialize some business objects!
>
> how can I get the password on the j_security_check request?
>
> can we use se
session.invalidate();
doesn't seems to be enough
Regards
--
View this message in context:
http://www.nabble.com/j_security_check-Tomcat-bad-redirection-tp19047465p19047484.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
--
<[EMAIL PROTECTED]> wrote:
> From: Carlos Morales <[EMAIL PROTECTED]>
> Subject: Re: j_security_check
> To: "Tomcat Users List"
> Date: Wednesday, August 6, 2008, 5:52 PM
> I have my login and password to access onto my web which I
> try to go after auth
In my conf folder inside of my Tomcat directory in my server.xml I have this:
- Mensaje original
De: Carlos Morales <[EMAIL PROTECTED]>
Para: Tomcat Users List
Enviado: miércoles, 6 de agosto, 2008 19:52:36
Asunto: Re: j_security_check
I have my login and passw
and I don't know why
when I try to log on, it doesn't work and it doesn't go to the next page which
I try to access.
Thanks
- Mensaje original
De: Christopher Schultz <[EMAIL PROTECTED]>
Para: Tomcat Users List
Enviado: miércoles, 6 de agosto, 2008 19:19:11
As
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Carlos,
Carlos Morales wrote:
| I'm having problems with j_security_check because when I try to log
| in my login.jsp it doesn't work and I don't know why.
Care to elaborate?
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Co
Thanks much. I swapped calls 1 & 3, it works just fine.
- Original Message
From: Pid <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Sunday, February 3, 2008 3:33:35 PM
Subject: Re: j_security_check
The second POST should still occur, but it should occur after the
init
pare just the URL strings?
- Original Message
From: Konstantin Kolinko <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Sunday, February 3, 2008 9:39:41 AM
Subject: Re: j_security_check
You do
1) GET call
int_result = httpClient.executeMethod( getMethod );
The server c
You may look into FormAuthenticator.java of package
org.apache.catalina.authenticator and see it with your own eyes.
2008/2/3, Ashok Venkat <[EMAIL PROTECTED]>:
> Thanks for the detailed explanation, as you mentioned it seems that the
> second request is being ignored ,but i am not clear how com
?
- Original Message
From: Konstantin Kolinko <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Sunday, February 3, 2008 9:39:41 AM
Subject: Re: j_security_check
You do
1) GET call
>int_result = httpClient.executeMethod( getMethod );
The server caches your request and returns html
You do
1) GET call
> int_result = httpClient.executeMethod( getMethod );
The server caches your request and returns html page that contains the
login form.
2) POST call
> postMethod = new PostMethod(
> "https://localhost:8444/j_security_check"; );
> int_result
Tough to say without seeing the source..
Can we see the code for GetMethod.java ?
Can we see the code for PostMethod.javaMartin
__Disclaimer and confidentiality
noteEverything in this e-mail and any attachments relates to the official
business of Send
Ashok Venkat wrote:
Hi,
I have the following code in a scheduler class, which is trying to
invoke a servlet
String url = "https://localhost:8444/servlet/TestServlet";;
// Get HTTP client instance
HttpClient httpClient = new HttpClient();
// Create H
Nicholas Sushkin wrote:
> On Thursday 08 November 2007, you wrote:
>
>> The question I had was what happens when you directly request the login
>> form and successfully login.
>
> Tomcat will give you an error page saying something along the lines "the
> login page was accessed directly". It wo
On Thursday 08 November 2007, you wrote:
> The question I had was what happens when you directly request the login
> form and successfully login.
Tomcat will give you an error page saying something along the lines "the
login page was accessed directly". It won't let you login successfully.
Tom
PROTECTED]
(office) 225.578.3737
-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 08, 2007 3:07 PM
To: Tomcat Users List
Subject: Re: j_security_check redirect after login
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andrew,
Andrew R Feller
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andrew,
Andrew R Feller wrote:
> I'm sorry but maybe I am reading a different version of the servlet
> specification than you: it only explains the case where you access a
> container-managed resource and then login.
That would be the only case cov
> From: Andrew R Feller [mailto:[EMAIL PROTECTED]
> Subject: RE: j_security_check redirect after login
>
> I'm sorry but maybe I am reading a different version of the servlet
> specification than you: it only explains the case where you access a
> container-managed resourc
ect.
-Original Message-
From: Andrew R Feller [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 08, 2007 2:42 PM
To: Tomcat Users List
Subject: RE: j_security_check redirect after login
Christopher,
I'm sorry but maybe I am reading a different version of the servlet
specification t
rts of the
container that are protected, but it's likely they would get this error if they
tried to do what you're describing below.
-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 08, 2007 1:45 PM
To: Tomcat Users List
Subject: Re: j_security_
tate University
[EMAIL PROTECTED]
(office) 225.578.3737
-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 08, 2007 1:40 PM
To: Tomcat Users List
Subject: Re: j_security_check redirect after login
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
An
---
From: Reich, Matthias [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 08, 2007 12:08 PM
To: Tomcat Users List
Subject: RE: j_security_check redirect after login
You should also have a look at
/org/apache/catalina/authenticator/FormAuthenticator.java
In this class you can find the de
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andrew,
Andrew R Feller wrote:
> 3. It is unclear what happens in the event when a user requests the
> form-
>login-page directly instead of going through a container-managed
>resource.
>
>How does j_security_check know where to redirect
-Original Message-
From: Reich, Matthias [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 08, 2007 12:08 PM
To: Tomcat Users List
Subject: RE: j_security_check redirect after login
You should also have a look at
/org/apache/catalina/authenticator/FormAuthenticator.java
In this class you
riginal Message-
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 08, 2007 6:02 PM
To: Tomcat Users List
Subject: RE: j_security_check redirect after login
> From: Andrew R Feller [mailto:[EMAIL PROTECTED]
> Subject: j_security_check redirect after login
>
>
You never directly call j_security_check. Here's how the process flow
works:
1. browser attempts to load a protected page
2. tomcat saves the request and redirects the client to j_security_check
for authentication
3. on successful authentication, tomcat restores the original request.
So basi
> From: Andrew R Feller [mailto:[EMAIL PROTECTED]
> Subject: j_security_check redirect after login
>
> How does j_security_check know where to redirect users to after they
> have logged in?
Read the servlet spec; to quote from SRV.12.5.3.1:
"If the form based login is invoked because of an HTTP
actually the issue was happening whenever i closed down jboss and restarted
it and tried to access a protected page. i determined the issue was because
there was a cached copy of one of the pages, so i set the headers on all my
jsp's (including the login jsp) to not allow caching and now the erro
I'm suspecting you either link to /j_security_check or manually forward
there from your pages. Pages in your web project shouldn't ever link to
it except the login form and even then only in the action attribute of
the form tag. Tomcat will take control when it sees a client trying to
access
1 - 100 of 111 matches
Mail list logo
