On 23/09/2010 13:04, Martin O'Shea wrote:
> Apologies re the duplicate posting; email trouble with my ISP.
>
> Relevant part of web.xml reads:
>
>     <security-constraint>
>         <display-name>Security Constraint</display-name>
>         <web-resource-collection>
>             <web-resource-name/>
>             <description/>
>             <url-pattern>/login</url-pattern>
>         </web-resource-collection>
>         <!--auth-constraint>
>             <role-name>USER</role-name>
>             <role-name>ADMIN</role-name>
>         </auth-constraint-->
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
>             <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
>         </form-login-config>
>     </login-config>

So you've protected just the /login URL, meaning that authentication will be required before accessing that URL which probably checks the DB for a username or something.

The config above doesn't do what you probably think it does; you've got half a container managed authentication solution and half a roll-your-own.

> At the moment I am trying things manually by checking the user table
> regardless of Tomcat but is this necessary?

Not if you configure it properly.

I'll guess that you're using Tomcat 6.0.29 and suggest that you find and read the Servlet Spec v2.5, Section SRV.12.1 paying particular attention to paragraphs which mention 'j_security_check'.

Have you configured a Realm (usually a DataSourceRealm)?

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

p

> -----Original Message-----
> From: Pid [mailto:p...@pidster.com]
> Sent: 23 Sep 2010 12 57
> To: Tomcat Users List
> Subject: Re: Use of error page in Tomcat
>
> On 23/09/2010 12:22, Martin O'Shea wrote:
>> Hello
>>
>> I have a /myApp/displayDatasetPage which is used to display content.
>> In this page, I incorporate the default Tomcat login code as follows:
>>
>> <div id = "login">
>>     <form action='<%= response.encodeURL("/myApp/loginPage") %>'
>>           method = "post">
>>         <table border = "0">
>
> Tables for layout. How very 1997.
>
>>             <tr>
>>                 <th align = "right">Username</th>
>>                 <td align = "left"><input type = "text"
>>                     name = "userName"></td>
>>             </tr>
>>             <tr>
>>                 <th align = "right">Password</th>
>>                 <td align = "left"><input type =
>>                     "password" name = "password"></td>
>>             </tr>
>>             <tr>
>>                 <td align = "right"><input type = "submit"
>>                     value = "Log In"></td>
>>                 <td align = "left"><input type = "reset"></td>
>>             </tr>
>>         </table>
>>     </form>
>> </div>
>
> How is this 'the default Tomcat logic code'?
>
>> And path /myApp/loginPage is protected in web.xml.
>
> How is it protected in web.xml?
>
>> This seems to be alright
>> but if a user doesn't enter login details, or enters incorrect login
>> details, and then presses 'Log in' the page simply reloads. I am
>> assuming that this is because I have no login error page working
>> alongside use /myApp/displayDatasetPage to catch login exceptions.
>
> You tell us. You haven't posted your web.xml, so we can't know.
>
>> Is it possible to use /myApp/displayDatasetPage to display login
>> errors? Or can anyone tell me if I catch Tomcat's login
>> verification process to do this?
>
> If you're using the Servlet Specification container managed authentication
> mechanism, it's possible. It doesn't look like you are though.
>
> If you've written your own login component, you can of course make that
> happen too.
>
>> Thanks
>>
>> Mr Morgan.
>
> Are you Martin O'Shea or Mr Morgan? I'm confused.
>
>
> p
>
> P.S. Please send one message to the list and then wait for a response.
> Two messages in 30 mins is a little pushy.
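
Added example, not part of the original messages and not Tomcat project code: the fully container-managed FORM login that the reply points to (Servlet 2.5 SRV.12.1, 'j_security_check'), shown as the corrected counterpart of the posted web.xml. The roles and page paths come from the thread; constraining /displayDatasetPage, requiring HTTPS, and the JNDI, table and column names in the Realm are assumptions.

```xml
<!-- web.xml fragment (added example) -->
<security-constraint>
  <display-name>Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected content</web-resource-name>
    <!-- Constrain the resource users must be logged in to see,
         not a hand-written login servlet. -->
    <url-pattern>/displayDatasetPage</url-pattern>
  </web-resource-collection>
  <!-- Without an auth-constraint the container never demands a login. -->
  <auth-constraint>
    <role-name>USER</role-name>
    <role-name>ADMIN</role-name>
  </auth-constraint>
  <!-- Assumption: an HTTPS connector exists; the container redirects
       to it before the login form is shown. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
    <!-- Shown by the container when j_security_check rejects the login. -->
    <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role><role-name>USER</role-name></security-role>
<security-role><role-name>ADMIN</role-name></security-role>

<!-- login.jsp: post to the container with the field names the spec fixes.
     <form method="post" action="j_security_check">
       <input type="text" name="j_username">
       <input type="password" name="j_password">
       <input type="submit" value="Log In">
     </form>

     context.xml: the Realm that checks the user table. JNDI, table and
     column names below are hypothetical placeholders.
     <Realm className="org.apache.catalina.realm.DataSourceRealm"
            dataSourceName="jdbc/myAppDB" localDataSource="true"
            userTable="users" userNameCol="user_name" userCredCol="user_pass"
            userRoleTable="user_roles" roleNameCol="role_name"/>
-->
```

With this in place the application no longer queries the user table itself: the container intercepts the request for the constrained URL, shows login.jsp, validates the credentials against the Realm, and serves error.jsp on failure.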