Hi.
Not knowing the exact layout of your pages, and not knowing exactly what you have in mind
about what /should/ happen, makes this a bit of guesswork.
In the log, there are a number of URLs being accessed (/catalog/dealerwelcome.jsp,
/catalog/authControl.jsp, /catalog/dealer/dealerwelcome.jsp, etc.) but it is not clear to
people reading your messages to the list, what these correspond to in terms of logic of
the application.
It would help if you described what the sequence is or should be, from the point of view
of the user accessing your site, and/or from the point of view of the pages they
should access in what order.
For example, your <security-constraint> sections below :
- one of them relates to an area of your web space under
"<url-pattern>/joeparts/admin/*</url-pattern>", which seems to have nothing to do with the
logfile, and confuses things.
- the other refers to "<url-pattern>/catalog/dealer/*</url-pattern>", but according to the
log, there is a "dealerwelcome.jsp" page in both the top "/catalog" directory and in the
"/catalog/dealer" directory, and between the accesses to these two, there is an
intermediate POST to something called "/catalog/authControl.jsp". What is that ? What is
it supposed to do ?
I get the feeling that there is something fundamentally flawed in the way you are trying
to do this authentication, and that the fact that it works in some cases may just be due
to the different way that browsers react to edge cases.
Also, with the logs we only see one side of things : the requests received by the server,
and the status code of the answer. Contrary to you, we do not see what the browser is
actually sending or receiving. Try to help us a bit here.
There exist useful plugins for browsers, which allow you to see the detail of the
browser/server conversation. For Firefox, try HttpFox for example, and for IE try
Fiddler2. You will easily locate them with Google. They are invaluable when trying to
debug such issues.
Dick Eastlake wrote:
Here's an access log from a successful login using Firefox. Note the post
to j_security_check returns a 302 and the id of the authenticated user shows in
the returned request for a page located in the secured portion of the site.
213.20.160.134 - - [05/Apr/2011:22:44:31 -0700] "GET /catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
213.20.160.134 - - [05/Apr/2011:22:44:40 -0700] "POST /catalog/authControl.jsp HTTP/1.1" 302 -
213.20.160.134 - - [05/Apr/2011:22:44:40 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1910
213.20.160.134 - - [05/Apr/2011:22:44:44 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 302 -
213.20.160.134 - dickeastl...@progressivecommerce.com [05/Apr/2011:22:44:44 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 2391
Here's a failed attempt (phony id/password) using IE. Note the post to
j_security_check returns a 200 and there is no returned request.
74.77.201.185 - - [05/Apr/2011:22:52:46 -0700] "GET /catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
74.77.201.185 - - [05/Apr/2011:22:53:05 -0700] "POST /catalog/authControl.jsp HTTP/1.1" 302 -
74.77.201.185 - - [05/Apr/2011:22:53:05 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1897
74.77.201.185 - - [05/Apr/2011:22:53:12 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 200 676
The above examples show correct results using IE and Firefox.
Here's an access log from an unsuccessful login using Chrome. Note the post to j_security_check returns a 200 even though the id/password entered was a valid one.
74.77.201.185 - - [05/Apr/2011:23:35:58 -0700] "GET /catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
74.77.201.185 - - [05/Apr/2011:23:36:06 -0700] "POST /catalog/authControl.jsp HTTP/1.1" 302 -
74.77.201.185 - - [05/Apr/2011:23:36:06 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
74.77.201.185 - - [05/Apr/2011:23:36:09 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 200 676
Again, IE & Firefox work fine, Mac, Google and Safari don't.
Thanks for your help,
Dick
________________________________
From: André Warnier <a...@ice-sa.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Tuesday, April 5, 2011 6:43 PM
Subject: Re: IE & Firefox work fine, Mac, Google and Safari don't authenticate
Hi.
Since I doubt that many people here really feel like going through a bunch of
lines of badly-formatted configuration, code and logs to figure out exactly
what is wrong, I suggest that you search Google for
"tomcat form based authentication example" and use one of the numerous ones
there as a reference.
There is something bizarre in your explanation and data however :
You say that the first part of the log is with Firefox, which works fine.
However, that part contains this line :
69.207.4.57 - s...@sor.com [27/Mar/2011:15:34:30 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 500 2158
which shows a status code 500 (= "server error") returned by the server, while
the part supposedly not working shows no such error.
Another bizarre part is this : the JSP document that you show, appears to be the
login page, and it contains a <form> line like this :
<form method="POST" action="<%= response.encodeURL("j_security_check") %>">
Yet, looking at the log, it does not seem that there is ever a POST to that URL.
It would look like there is some confusion about the basic way in which form
authentication is supposed to work. That's also why your best bet may be to
re-read the on-line documentation, and try first with one of the examples you
will find in Google.
Dick Eastlake wrote:
Users can authenticate to the secured area of my Website using IE and Firefox;
no problem. However, Macs, Google and Safari browsers cannot log in.
Macs, Google and Safari browsers go straight to the form-error-page
"not_auth.html".
Please help!
I'm using a simple form-based authentication method.
Here's my WEB.XML (from inside the webapp, not the conf):
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <display-name>Progressive Commerce Inc</display-name>
  <description>Progressive Website</description>
  <security-constraint>
    <display-name>Progressive Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Dealer Area</web-resource-name>
      <url-pattern>/catalog/dealer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>dealer</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>dealer</role-name>
  </security-role>
  <security-constraint>
    <display-name>Joe Parts Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Joe Parts Area</web-resource-name>
      <url-pattern>/joeparts/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>joe</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>joe</role-name>
  </security-role>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Progressive Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/catalog/dealer_door.jsp</form-login-page>
      <form-error-page>/not_auth.html</form-error-page>
    </form-login-config>
  </login-config>
  <resource-ref>
    <description>jdbc/progressive</description>
    <res-ref-name>jdbc/progressive</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
  </resource-ref>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
</web-app>
Here's the code from my jsp
<jsp:useBean id="dlb" scope="session"
class="com.dealer.beans.DealerBean"/>
<body bgcolor="#222324" text="#000000">
<form method="POST" action="<%= response.encodeURL("j_security_check")
%>">
<p> </p>
<div align="center"> </div>
<table width="431" border="0" cellspacing="0" cellpadding="0">
<tr bgcolor="#FFFFFF"
<td>
</td>
<td>
<table>
<tr>
<td width="160"><font color="009999"><b><font face="Arial, Helvetica,
sans-serif">Email Address:</font></b></font></td>
<td width="147">
<input tabindex="1" type="text" name="j_username"
value="
<%
out.print(dlb.getEmail() + "\"");
%>
> </td>
<td width="49"> </td>
</tr>
<tr bgcolor="#FFFFFF"> <td width="160"
height="20"><font color="009999"><b><font face="Arial,
Helvetica, sans-serif">Password:</font></b></font></td>
<td width="147" height="20">
<input tabindex="2" type="password"
name="j_password">
</td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="37"> </td>
<td width="38"> </td>
<td width="160"></td>
<td width="147">
<div align="center">
<input tabindex="3" type="submit" value="Log
In">
</div>
</td>
<td width="49"> </td>
</tr>
</table>
</table>
</form>
</body>
Here's the access log; the entries at 15:34 are using Firefox, the ones at
15:42 are Google's browser
69.207.4.57 - - [27/Mar/2011:15:34:16 -0700] "GET /Dynacorn/catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
69.207.4.57 - - [27/Mar/2011:15:34:27 -0700] "POST /Dynacorn/catalog/authControl.jsp HTTP/1.1" 302 -
69.207.4.57 - - [27/Mar/2011:15:34:27 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
69.207.4.57 - - [27/Mar/2011:15:34:30 -0700] "POST /Dynacorn/catalog/dealer/j_security_check HTTP/1.1" 302 -
69.207.4.57 - s...@sor.com [27/Mar/2011:15:34:30 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 500 2158
69.207.4.57 - - [27/Mar/2011:15:42:14 -0700] "GET /Dynacorn/catalog/dealerwelcome.jsp HTTP/1.1" 200 1870
69.207.4.57 - - [27/Mar/2011:15:42:20 -0700] "POST /Dynacorn/catalog/authControl.jsp HTTP/1.1" 302 -
69.207.4.57 - - [27/Mar/2011:15:42:20 -0700] "GET /Dynacorn/catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
69.207.4.57 - - [27/Mar/2011:15:42:23 -0700] "POST /Dynacorn/catalog/dealer/j_security_check HTTP/1.1" 200 676
there are no more entries
Again, IE & Firefox work fine, Mac, Google and Safari don't.
Thanks for your help,
Dick
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
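Added example (not part of the original thread, and not code from Tomcat or from either poster): a Python script that classifies every POST to j_security_check in an access log by the pattern described in the messages above, a 302 followed by a request that carries the authenticated user versus a 200 with no authenticated follow-up. The sample log is constructed, with placeholder addresses and user name, and counting a 302 without an authenticated follow-up as a failure is an assumption.

```python
import re
from collections import namedtuple

# Constructed sample in the access-log format quoted in the thread;
# addresses and the user name are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Apr/2011:22:44:40 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1910
192.0.2.10 - - [05/Apr/2011:22:44:44 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 302 -
192.0.2.10 - dealer@example.com [05/Apr/2011:22:44:44 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 2391
198.51.100.7 - - [05/Apr/2011:23:36:06 -0700] "GET /catalog/dealer/dealerwelcome.jsp HTTP/1.1" 200 1893
198.51.100.7 - - [05/Apr/2011:23:36:09 -0700] "POST /catalog/dealer/j_security_check HTTP/1.1" 200 676
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
Attempt = namedtuple("Attempt", "ip ts status outcome user")

def parse(log_text):
    """Return one dict per well-formed line; anything else is skipped."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def login_attempts(entries):
    """Classify every POST to j_security_check.

    success: status 302 and the client's next request carries a remote user.
    failure: anything else (assumption: a 302 with no authenticated
    follow-up is counted as a failure).
    """
    attempts = []
    for i, e in enumerate(entries):
        # encodeURL() may append ;jsessionid=..., so strip path parameters.
        path = re.split(r"[;?]", e["path"], maxsplit=1)[0]
        if e["method"] != "POST" or not path.endswith("/j_security_check"):
            continue
        nxt = next((n for n in entries[i + 1:] if n["ip"] == e["ip"]), None)
        user = nxt["user"] if nxt and nxt["user"] != "-" else None
        ok = e["status"] == "302" and user is not None
        attempts.append(Attempt(e["ip"], e["ts"], int(e["status"]),
                                "success" if ok else "failure", user))
    return attempts

if __name__ == "__main__":
    for a in login_attempts(parse(SAMPLE_LOG)):
        print(a.ip, a.ts, a.status, a.outcome, a.user or "-")
```

Run over a real access log, a burst of failures from one address, or failures confined to one browser family, stands out without reading the raw lines.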