Martin Gainty wrote:
> please display non-proprietary attributes of HTTPS (Port 8443 or 443) 
> Connector element values from %TOMCAT_HOME%/conf/server.xml

OP: Don't attempt to decipher or respond to the above, it's a red
herring.  You could instead tell us exactly which 6.x you are using and
on which OS.


There are a couple of things that may be confusing the config below, which
have some simple corrections.

I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
they are protected from unwanted attention by default - this avoids the
need to protect them with a security-constraint.

You are also protecting "index.jsp" - which will force a login when the
app's homepage is accessed. Is this what you intended?


Are you logging out programmatically, using the servlet method
request.getSession().invalidate(), or are you just clearing cookies?


Your primary problem sounds like you have placed some CSS or script
files somewhere in a protected directory and the browser is requesting
them without providing the correct authentication credentials.

Tomcat returns the *first* file you requested inside the secured area
after authentication is completed.  So for some reason your browser is
requesting a script or CSS file before the JSP page.

Are the script and CSS files in an unprotected directory?


p
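
The layout suggested in the reply above, written out as a web.xml fragment. This is an added example, not configuration posted by anyone in the thread. It assumes FORM authentication, that login.jsp and error.jsp have been moved to /WEB-INF/login/, that static files sit under /resources/, and a placeholder realm name.

```xml
<!-- Added example. Only the two module trees are constrained. The login and
     error pages are no longer listed, and no pattern matches /resources/*,
     so scripts, CSS and images are served without authentication. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>App1 (user area)</web-resource-name>
        <url-pattern>/app1/*</url-pattern>
        <!-- The original also listed /index.jsp and *.jsp here. Add them back
             only if a login on the home page and on every JSP is intended. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>App2 (administrator area)</web-resource-name>
        <url-pattern>/app2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>          <!-- assumption: form login -->
    <realm-name>Example Realm</realm-name>   <!-- placeholder name -->
    <form-login-config>
        <!-- Assumed locations under WEB-INF: not reachable by a direct
             request, so they need no url-pattern of their own. -->
        <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
        <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>
<security-role>
    <role-name>administrator</role-name>
</security-role>
```

Static files kept under /app1/ or /app2/ would still match the constrained patterns, so the stylesheets and scripts a page includes need to live under the unconstrained directory.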




>> Date: Tue, 13 Jan 2009 17:03:08 -0800
>> From: sams...@gmail.com
>> To: users@tomcat.apache.org
>> Subject: Tomcat 6.x security-constraint redirection problem... please help!
>>
>>
>> I have defined two roles (admin, user)
>>
>>     <security-role>
>>         <role-name>user</role-name>
>>     </security-role>
>>      <security-role>
>>         <role-name>administrator</role-name>
>>     </security-role>
>>
>> each of these roles needs to access into separate modules in my webapp. For
>> achieving this, I have the following security-constraint in tomcat web.xml:
>>
>>   <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Authorized Access Area</web-resource-name>
>>             <url-pattern>/index.jsp</url-pattern>
>>             <url-pattern>/login.jsp</url-pattern>
>>             <url-pattern>/error.jsp</url-pattern>
>>             <url-pattern>/app1/*</url-pattern>
>>             <url-pattern>*.jsp</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>user</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Authorized Access Area</web-resource-name>
>>             <url-pattern>/index.jsp</url-pattern>
>>             <url-pattern>/login.jsp</url-pattern>
>>             <url-pattern>/error.jsp</url-pattern>
>>             <url-pattern>/app2/*</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>administrator</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>> consider the following steps:
>>
>> 1. Access context/app1/app1action.jsp URL 
>> 2. I get prompted for credentials
>> 3. I login as normal user, and on successful login I get redirected to
>> app1action.jsp page (desired behavior)
>> 4. Now, I clear my cache & sessions authentication from browser (firefox)
>> 4. Browse into some link in app1action.jsp page pointing to some other page
>> eg. context/app1/anotherpage.jsp
>> 5. Now I get prompted to relogin
>> 6. On successful login, I expect myself to get redirected to
>> 'anotherpage.jsp'. But instead it redirects me to the resources ( JS / img /
>> css ) that are included with in 'anotherpage.jsp' . eg.
>> context/resources/sample.js or sample.css or sample.gif ....
>>
>> I spent googling on this issue for couple of  days with no luck. 
>>
>> Can you please advise how to get properly redirected ?
>>
>> ~ Many Thanks
>>
>>
>> -- 
>> View this message in context: 
>> http://www.nabble.com/Tomcat-6.x-security-constraint-redirection-problem...-please-help%21-tp21448079p21448079.html
>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>

