On 23/09/2010 13:27, Martin O'Shea wrote: > I'm currently using a DataSourceRealm and Tomcat 6.0.20.
Well, you aren't actually using the DSR because your config is wrong. Why use 6.0.20 when 6.0.29 is out? > So if I wanted to pick up an error that Tomcat's authentication throws, how > best can I do it to avoid manual verification of the user (which is now > working adequately when I check the database)? Stop trying to solve the little problem you think you're stuck on and start paying attention to the massive problem you're ignoring. Your login form is simply not going to work, it doesn't point to the right URL, doesn't send the correct parameters and your web.xml config is wrong. I could elaborate but it would be much easier if you actually read my emails more carefully, and read the Servlet Spec - given that it's already explained long-hand there. p > -----Original Message----- > From: Pid [mailto:p...@pidster.com] > Sent: 23 Sep 2010 13 17 > To: Tomcat Users List > Subject: Re: Use of error page in Tomcat > > On 23/09/2010 13:04, Martin O'Shea wrote: >> Apologies re the duplicate posting; email trouble with my ISP. >> >> Relevant part of web.xml reads: >> >> <security-constraint> >> <display-name>Security Constraint</display-name> >> <web-resource-collection> >> <web-resource-name/> >> <description/> >> <url-pattern>/login</url-pattern> >> </web-resource-collection> >> <!--auth-constraint> >> <role-name>USER</role-name> >> <role-name>ADMIN</role-name> >> </auth-constraint--> >> </security-constraint> >> <login-config> >> <auth-method>FORM</auth-method> >> <form-login-config> >> >> <form-login-page>/jsp/security/protected/login.jsp</form-login-page> >> >> <form-error-page>/jsp/security/protected/error.jsp</form-error-page> >> </form-login-config> >> </login-config> > > So you've protected just the /login URL, meaning that authentication will be > required before accessing that URL which probably checks the DB for a > username or something. > > The config above doesn't do what you probably think it does; you've got half > a container managed authentication solution and half a roll-your-own. > >> At the moment I am trying things manually by checking the user table >> regardless of Tomcat but is this necessary? > > Not if you configure it properly. > > I'll guess that you're using Tomcat 6.0.29 and suggest that you find and > read the Servlet Spec v2.5, Section SRV.12.1 paying particular attention to > paragraphs which mention 'j_security_check'. > > > Have you configured a Realm (usually a DataSourceRealm)? > > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html > > > p > >> -----Original Message----- >> From: Pid [mailto:p...@pidster.com] >> Sent: 23 Sep 2010 12 57 >> To: Tomcat Users List >> Subject: Re: Use of error page in Tomcat >> >> On 23/09/2010 12:22, Martin O'Shea wrote: >>> Hello >>> >>> I have a /myApp/displayDatasetPage which is used to display content. >>> In this page, I incorporate the default Tomcat login code as follows: >>> >>> <div id = "login"> >>> <form action='<%= >>> response.encodeURL("/myApp/loginPage") >> %>' >>> method = "post"> >>> <table border = "0"> >> >> Tables for layout. How very 1997. >> >>> <tr> >>> <th align = "right">Username</th> >>> <td align = "left"><input type = "text" >>> name = "userName"></td> >>> </tr> >>> <tr> >>> <th align = "right">Password</th> >>> <td align = "left"><input type = >>> "password" name = "password"></td> >>> </tr> >>> <tr> >>> <td align = "right"><input type = "submit" >>> value = "Log In"></td> >>> <td align = "left"><input type = > "reset"></td> >>> </tr> >>> </table> >>> </form> >>> </div> >> >> How is this 'the default Tomcat logic code'? >> >>> And path /myApp/loginPage is protected in web.xml. >> >> How is it protected in web.xml? >> >>> This seems to be alright >>> but if a user doesn't enter login details, or enters incorrect login >>> details, and then presses 'Log in' the page simply reloads. I am >>> assuming that this is because I have no login error page working >>> alongside use /myApp/displayDatasetPage to catch login exceptions. >> >> You tell us. You haven't posted your web.xml, so we can't know. >> >>> Is it possible to use /myApp/displayDatasetPage to display login >>> errors? Or can anyone say tell me if I catch Tomcat's login >>> verification process to do this? >> >> If you're using the Servlet Specification container managed >> authentication mechanism, it's possible. It doesn't look like you are > though. >> >> If you've written your own login component, you can of course make >> that happen too. >> >>> Thanks >>> >>> Mr Morgan. >> >> Are you Martin O'Shea or Mr Morgan? I'm confused. >> >> >> p >> >> P.S. Please send one message to the list and then wait for a response. >> Two messages in 30 mins is a little pushy. >> >> >> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
0x62590808.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
