Papado,

On 12/21/2009 5:23 PM, vpapado wrote:
> Thank you for the fast reply.
> I tried everything. Open in different browser, etc.
> But the whole login procedure seems to result in an error from Tomcat when I
> have my flash on the login.jsp page.
> When I remove this flash everything seems to work OK.
> Is there a possibility that j_security_check type of authentication
> conflicts with flash swf file? Who knows...
>
> I know about the problem with re-authentication and I solved it in a way
> that whenever a user goes to login.jsp page again (this means that there is
> already a user logged in the current secured file system), then I
> simultaneously log out the user with "session.invalidate();" and redirect
> him to the same page where the user pressed "log-in button". This will cause
> automatic redirection to login.jsp page, since tomcat recognises that
> there is no user logged-in at that moment. This causes successful
> re-authentication.

This seems to indicate that you were trying a "drive-by login", meaning
that no request was previously made to a protected resource. The servlet
specification is (strangely) very specific about calls to
j_security_check for authentication: a request /must/ be made to a
protected resource for the login page to be served to the user, and then
authentication can proceed.

Tomcat implements this specified behavior by returning a 404 for
unexpected requests to j_security_check. Your hack works because it
forces a request to a protected resource.

-chris
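
The ordering rule described in the reply above, as an added example that is not part of the original thread and is not Tomcat's code: a toy model of a container that only accepts a j_security_check POST after the same session has requested a protected resource. The /secure/ prefix, /error.jsp, the credentials and all function names are assumptions made for the example; the 404 is the status the reply attributes to Tomcat.

```python
import hmac
import secrets

LOGIN_PAGE = "/login.jsp"
PROTECTED = "/secure/"          # assumed protected URL prefix
USERS = {"alice": "s3cret"}     # constructed credentials

class Container:
    """Toy model of FORM-login ordering; not Tomcat's implementation."""
    def __init__(self):
        self.sessions = {}      # session id -> {"user", "saved"}

    def _session(self, sid):
        if sid not in self.sessions:
            sid = secrets.token_hex(8)
            self.sessions[sid] = {"user": None, "saved": None}
        return sid, self.sessions[sid]

    def get(self, path, sid=None):
        sid, s = self._session(sid)
        if path.startswith(PROTECTED) and s["user"] is None:
            s["saved"] = path               # remember the original target
            return sid, LOGIN_PAGE          # container serves the login form
        return sid, path                    # public page or already logged in

    def j_security_check(self, sid, user, password):
        s = self._session(sid)[1]
        if s["saved"] is None:              # drive-by: no protected request seen
            return 404, None                # status named in the reply above
        if user not in USERS or not hmac.compare_digest(USERS[user], password):
            return 200, "/error.jsp"
        s["user"], target, s["saved"] = user, s["saved"], None
        return 302, target                  # back to the saved request

def drive_by():
    c = Container()
    sid, _ = c.get(LOGIN_PAGE)              # login page opened directly
    return c.j_security_check(sid, "alice", "s3cret")

def login_via_protected(c, sid=None):
    sid, shown = c.get("/secure/report.jsp", sid)
    return sid, shown, c.j_security_check(sid, "alice", "s3cret")

def relogin_workaround():
    c = Container()
    sid, _, first = login_via_protected(c)
    c.sessions.pop(sid)                     # stands in for session.invalidate()
    _, shown, second = login_via_protected(c)  # redirect to a protected page
    return first, shown, second
```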