Solved

Problem with FORMS security

Posted on 2003-11-03
Last Modified: 2010-04-01
Hi,

I am using FORMS security, but I am having weird problems. When I first try to log in, I get forwarded to a CSS file! If I go back and try again, I then get forwarded to the context root, not to the application URL. Here is my login form:

<FORM ACTION="j_security_check" METHOD="POST">
      <table width="99%" border="0">
                   <tr>
                <td width="34%">User Name:</td>
                <td width="66%"><INPUT TYPE="TEXT" NAME="j_username"></td>
              </tr>
              <tr>
                <td>Password:</td>
                <td><INPUT TYPE="PASSWORD" NAME="j_password"></td>
              </tr>
              <tr>
                <td></td>
                <td>&nbsp;</td>
              </tr>
              <tr>
                <td></td>
                <td><INPUT TYPE="SUBMIT" VALUE="Log In"></td>
              </tr>
      </table>
 </FORM>

What am I doing wrong?

Thanks!
Question by:R_a_V_e_N
9 Comments
 
LVL 14

Expert Comment

by:kennethxu
ID: 9672896
There is nothing wrong with your login form. The problem is somewhere else. For more information on form-based security, see:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html
0
 

Author Comment

by:R_a_V_e_N
ID: 9672913
Ohhh OK. Where else could the problem be?

Btw, I am using the Front Controller pattern; could this be causing problems?
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9673233
1. Post the security-related stuff in web.xml.
2. Let us know your web directory layout.
3. How exactly the problem occurs, the detailed use case.

>> Btw, I am using the Front Controller pattern; could this be causing problems?
No
0

 

Author Comment

by:R_a_V_e_N
ID: 9673306
Hi kennethxu, this is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>tics</servlet-name>
    <servlet-class>jonesbros.tics</servlet-class>
    <!-- .... (Servlet Initialisation Parameters) ... -->
  </servlet>
  <servlet-mapping>
    <servlet-name>tics</servlet-name>
    <url-pattern>/tics</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <display-name>TICS System</display-name>
    <web-resource-collection>
      <web-resource-name>TICS System</web-resource-name>
      <description>Telephone Integrated Customer Service</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>These users can access the TICS System</description>
      <role-name>TeleConsultants</role-name>
      <role-name>MOD</role-name>
      <role-name>Managers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Telephone Integrated Customer Service</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/InvalidLogin.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>These users can access the TICS System</description>
    <role-name>MOD</role-name>
  </security-role>
  <security-role>
    <description>These users can access the TICS System</description>
    <role-name>Managers</role-name>
  </security-role>
  <security-role>
    <description>These users can access the TICS System</description>
    <role-name>TeleConsultants</role-name>
  </security-role>
</web-app>

I access the application at http://localhost:7001/jonesbros/tics and get forwarded to the login page. On the login page, if I supply invalid credentials, I get the error page. But if I supply the right credentials, I get taken to the following URL: http://localhost:7001/jonesbros/jsps/css/layout2.css. Of course there is no such URL! If I go back and try again, I get forwarded to the following URL: http://localhost:7001/jonesbros. This is very weird and confusing.

Btw, my directory layout is as follows. login.jsp and InvalidLogin.jsp are in the root directory. There is a 'jsps' directory which contains all the JSP files. Inside 'jsps' there are two directories, 'images' and 'css'. My servlet and handler classes are in the standard directory, WEB-INF.

Thanks for your help, kennethxu!
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 9673678
I read your post line by line. Everything looks perfect, assuming your context path is /jonesbros.

I do have a question though: what is /tics? Is this a directory? Have you tried to access a simple JSP page, for example
http://localhost:7001/jonesbros/jsps/echo.jsp? You should get prompted for the login page and then redirected to the echo.jsp page. If that works, then tell me more about "/tics".

>> If I go back and try again ...
That's normal, because the access URL was saved in the session and removed as soon as login succeeds; your 2nd try ends up in the default context root because there is no saved URL to forward to.
0
 

Author Comment

by:R_a_V_e_N
ID: 9674526
I solved my problem. I tried a less restrictive pattern: /tics rather than /*.

I looked at the access log and found that the reason I was being redirected to layout2.css after my login was that this was a restricted file and this file was used for the login page. So the web server would want to fetch this file, but since it's restricted I would get forwarded to the login page, and hence after login I would get forwarded to it.

Thanks for your help, kennethxu!
0
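
The finding above, as an added example that is not part of the original thread: narrowing the constraint to /tics stops the redirect, but it also leaves every other path in the context, including the JSPs under /jsps, outside container authentication. This web.xml fragment keeps /* protected and exempts only the static files the login page loads. It assumes the container selects the best-matching url-pattern (as Servlet 2.4 and later specify; verify on a 2.3 container), and /jsps/images/* is an assumed second asset directory.

```xml
<!-- Added example, not from the original thread. Fragment of web.xml:
     these two elements replace the single <security-constraint>
     in the posted file; everything else stays as posted. -->

<!-- 1. Static assets requested by login.jsp and InvalidLogin.jsp.
     No <auth-constraint> element means the container serves these
     paths without authentication, so the browser's request for
     layout2.css is never stored as the "original request" that
     FORM login returns to after j_security_check succeeds. -->
<security-constraint>
  <display-name>Login page assets</display-name>
  <web-resource-collection>
    <web-resource-name>Public static files</web-resource-name>
    <url-pattern>/jsps/css/*</url-pattern>
    <!-- Assumption: the login page may also load images. -->
    <url-pattern>/jsps/images/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- 2. Everything else, including /tics and the JSPs under /jsps,
     still requires one of the application roles. -->
<security-constraint>
  <display-name>TICS System</display-name>
  <web-resource-collection>
    <web-resource-name>TICS System</web-resource-name>
    <description>Telephone Integrated Customer Service</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>These users can access the TICS System</description>
    <role-name>TeleConsultants</role-name>
    <role-name>MOD</role-name>
    <role-name>Managers</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- NONE is the posted value: j_username and j_password travel
         in clear text. CONFIDENTIAL makes the container require
         HTTPS, assuming an SSL listener is configured. -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Keep the exempted directories limited to files that carry no application data, since anything placed under them becomes readable without login.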
 
LVL 14

Expert Comment

by:kennethxu
ID: 9675585
Nice! Thanks for posting your finding. You can request your points refunded and PAQ the question.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 10055679
I'll ask support to fix this. Will get your points back.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 10057348
PAQed, with points refunded (30)

Computer101
E-E Admin
0
