I'm having problems with Tomcat 5.5.x, Apache 2.2.0, and mod_proxy_ajp and resources that are protected with a security-constraint. (This is after updating from Apache 2.0.54, Tomcat 5.0.27, and mod_jk2, where the same configuration worked fine.)

The issues are different depending on the version of Tomcat.

In Tomcat 5.5.12, POST requests fail if a client does not have a session established (for example, the session has timed out) and the auth-method is FORM. The client is presented with the login form via j_security_check and passed to the correct servlet, but there are no request headers and no form data in the request. (My servlet tries to log them -- nothing there.) This can be reproduced in Firefox and Internet Explorer, so I don't think it's the browser. If I change the configuration to BASIC authentication, it works correctly. If the client has a session established, either method works OK. This problem seems to be resolved in Tomcat 5.5.16.

BUT ...

In Tomcat 5.5.16, if the client tries to retrieve a PDF document protected by a security-constraint and does not have a session established, an error is reported. (Once logged in, there is no problem.) If the auth-method is FORM, the document is retrieved but Acrobat reports: "Acrobat could not open 'abc.pdf' because it is either not a supported file type or because the file has been damaged (for example, it was sent as an email attachment and wasn't correctly decoded)." If the auth-method is BASIC, the login box is never displayed at all. This problem did not occur with Tomcat 5.5.12 (using the same PDFs and browser).

Does anyone have a similar configuration working? Recommendations?

Debra Bartling
Earthquake Engineering Research Center
University of California, Berkeley


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to