At the precise moment of 30/03/07 11:20, Kenneth Westelinck expressed himself in these terms:
> Hi all,
>
> I have the following setup:
> - Tomcat 5.5 install on win32, webapps reside underneath webapps/ROOT.
>   http://localhost/ shows me index.jsp
> - Next I have enabled JDBC realm authentication
>   (webapps/ROOT/WEB-INF/web.xml).
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>/</web-resource-name>
>     <description>pages which require login</description>
>     <url-pattern>/*</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description>Must authenticate before querying the system</description>
>     <role-name>role1</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>jdbc/AuthDB</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <description>Any user of the system</description>
>   <role-name>role1</role-name>
> </security-role>
> - I am using a form to login.
> Here's the code for login.jsp:
> <html>
> <head>
> <title>Login Page for Examples</title>
> </head>
> <body bgcolor="white">
> <form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
>   <table border="0" cellspacing="5">
>     <tr>
>       <th align="right">Username:</th>
>       <td align="left"><input type="text" name="j_username"></td>
>     </tr>
>     <tr>
>       <th align="right">Password:</th>
>       <td align="left"><input type="password" name="j_password"></td>
>     </tr>
>     <tr>
>       <td align="right"><input type="submit" value="Log In"></td>
>       <td align="left"><input type="reset"></td>
>     </tr>
>   </table>
> </form>
> </body>
> </html>
>
> This works like a charm. Well, almost ;)
> If I'm using firefox (1.5 or 2.0.0.x) and login to http://localhost/ using
> user X's credentials. I get access to the page http://localhost/index.jsp.
> Which is good. If I use user Y's credentials then I get redirected to
> favicon.ico (wtf?). If I use internet explorer, the user is always
> redirected to index.jsp.
> I have absolutely no idea why this is happening, so if someone can shed a
> light on this or give me some hints, this would very much be appreciated.
> Thanks!
>

What I suppose is happening:

- Browser requests /
- Tomcat sends the content of the login form and stores in the session that you tried to get /
- Browser shows the form and, behind the scenes, requests /favicon.ico from the server
- Tomcat sends the content of the login form as the content of favicon.ico and stores in the session that you tried to get /favicon.ico
- You submit the form (you log in)
- Tomcat checks the credentials, then goes into your session to check which page you asked for (/favicon.ico)
- Tomcat redirects you to /favicon.ico

I'll say, this is partially the browser's fault. It works with IE <7 because those versions of IE were only downloading the favicon.ico during bookmarking.

Workarounds include:
- moving your webapp away from ROOT; this way the favicon won't be requested in your webapp but in ROOT (may be a design issue for you)
- creating a valve that you include in Tomcat and that refuses all attempts at accessing a favicon.ico before they reach the web application logic. (This way you won't pollute your authentication with them)
- reorganising your security layout such that /favicon.ico does not need authentication
- fooling the browser by setting, in your login page, a
  <link rel="shortcut icon" href="http://<yourhost>/dumb/favicon.png" type="image/png">
  and creating a 'dumb' web application
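
The third workaround above (no authentication for /favicon.ico), written out as an added example that is not part of the original thread. It assumes the web.xml quoted in the question and relies on the servlet container selecting the constraints of the best-matching url-pattern, so the exact-match entry wins over /* for that one path:

```xml
<!-- Added example: fragment of webapps/ROOT/WEB-INF/web.xml -->

<!-- New: exact-match constraint with no <auth-constraint>.
     /favicon.ico is served without login, so the browser's background
     request never triggers the FORM login and cannot replace the
     request that was saved for the post-login redirect.
     No <http-method> is listed, so the entry covers every method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>favicon</web-resource-name>
    <description>browser icon, served without login</description>
    <url-pattern>/favicon.ico</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Unchanged from the question: everything else still requires role1 -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>/</web-resource-name>
    <description>pages which require login</description>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Must authenticate before querying the system</description>
    <role-name>role1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Keep the exempted pattern as narrow as the single static file; any path listed without an auth-constraint is readable by unauthenticated clients.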