Problem with FORMS security

Hi,

Iam using FORMS security, but I am having weird problems. When I first try to log in, I get forwarded to CSS file! If I go back and try again, I then get forwarded to context root not to the application url. Here is my Login form:

<FORM ACTION="j_security_check" METHOD="POST">
      <table width="99%" border="0">
                   <tr>
                <td width="34%">User Name:</td>
                <td width="66%"><INPUT TYPE="TEXT" NAME="j_username"></td>
              </tr>
              <tr>
                <td>Password:</td>
                <td><INPUT TYPE="PASSWORD" NAME="j_password"></td>
              </tr>
              <tr>
                <td></td>
                <td>&nbsp;</td>
              </tr>
              <tr>
                <td></td>
                <td><INPUT TYPE="SUBMIT" VALUE="Log In"></td>
              </tr>
      </table>
 </FORM>

What am I doing wrong?

Thanks!
R_a_V_e_NAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

kennethxuCommented:
there is nothing wrong with your login form. problem is in somewhere else. for more information of form based security see:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html
R_a_V_e_NAuthor Commented:
ohhh ok. Where else could the problem be?

btw, Iam using Front Controller pattern, could this be causing problems?
kennethxuCommented:
1. post the security related stuff in web.xml
2. let us your web directory layout
3. how exactly the problem occurs, the detailed use case.

>> btw, Iam using Front Controller pattern, could this be causing problems?
No
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

R_a_V_e_NAuthor Commented:
Hi kennethxu, this is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>tics</servlet-name>
    <servlet-class>jonesbros.tics</servlet-class>
    .... (Servlet Initialisation Parameters) ...
  </servlet>
  <servlet-mapping>
    <servlet-name>tics</servlet-name>
    <url-pattern>/tics</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <display-name>TICS System</display-name>
    <web-resource-collection>
      <web-resource-name>TICS System</web-resource-name>
      <description>Telephone Integrated Customer Service</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>These users can access the TICS System</description>
      <role-name>TeleConsultants</role-name>
      <role-name>MOD</role-name>
      <role-name>Managers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Telephone Integrated Customer Service</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/InvalidLogin.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>These users can access the TICS System</description>
    <role-name>MOD</role-name>
  </security-role>
  <security-role>
    <description>These users can access the TICS System</description>
    <role-name>Managers</role-name>
  </security-role>
  <security-role>
    <description>These users can access the TICS System</description>
    <role-name>TeleConsultants</role-name>
  </security-role>
</web-app>

I access the application at: http://localhost:7001/jonesbros/tics, I get forwarded to the login page. In the login page if I supply invalid credentials, then I get the error page. But if I supply the right credentials I get taken to the following URL: http://localhost:7001/jonesbros/jsps/css/layout2.css. Off course there is no such URL! If I go back and try again I get forwarded to the following URL: http://localhost:7001/jonesbros. This is very weird and confusing.

btw, my directory layout is as follows. login.jsp and InvalidLogin.jsp are in the root directory. There is 'jsps' directory which contains all the jsp files. inside 'jsps' there are two directories 'images' and 'css'. My Servlet and handler classes are in the standard directory, WEB-INF.

Thanks for you're help, kennethxu!
kennethxuCommented:
I read you post line by line. everything looks perfect assuming your context path is /jonesbros.

I do have a question though, what is /tics? is this a directory? have your tried to access a simple jsp page, for example
http://localhost:7001/jonesbros/jsps/echo.jsp, you should get prompted for the login page and then redirect to the echo.jsp page. if that works, then tell me more about "/tics".

>> If I go back and try again ...
that's normal, because the access url was saved in session and removed as soon as login is success, your 2nd try end up in the default context root because there is no saved url to forward to.
R_a_V_e_NAuthor Commented:
I solved my problem. I tried a less restrictive pattern. /tics rather then /*.

I looked at the access log and found that the reason why I was being redirected after my login to layout2.css was that this was a restricted file and this file was used for the login page. So the webserver would want to fetch this file but since its restricted I would get forwarded to login page and hence after login I would get forwarded to it.

Thanks for you're help, kennethxu!
kennethxuCommented:
Nice! Thanks for posting you finding. You can request you points refunded and PAQ the question.
kennethxuCommented:
I'll ask support to fix this. will get your points back.
Computer101Commented:
PAQed, with points refunded (30)

Computer101
E-E Admin

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
JSP

From novice to tech pro — start learning today.