Posted to users@tomcat.apache.org by Sunhild Copony <su...@inovit.de> on 2001/11/12 13:03:01 UTC
Memory Realm - Redirect to NULL ??
Hi all,
referring to:
Re: form based login
From: Craig R. McClanahan
Date: Sun, 16 Sep 2001 19:14:43 -0700
I read what Craig wrote about this problem - but I don't have any directive
for cookies in server.xml (and have one more question).
On the other points I have the same problem as Pero: login.jsp is called
twice and there is a redirect to NULL after successful authentication. I tried
the same login.jsp; error.jsp is called for invalid users...
I tried to access from the server or from a client - always the same.
I also think that it's a problem of my configuration, maybe everyone sees
it, except me!!
And I have another problem: the protection doesn't exist??!! When I
call one of the .jsps from webadmin (without login), the servlets from
WEB-INF/classes/ are executed - and that's exactly what I wanted to avoid...
Thanks for any help!
Sunny
Here's my configuration:
server.xml
<!-- WebAdmin Context -->
<Context path="/webadmin" docBase="webadmin" debug="99"
         reloadable="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_webadmin_log." suffix=".txt"
          timestamp="true"/>
  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name"
             value="context.param.value" override="false"/>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
</Context>
-------------------------------------------
web.xml (in my webapps/webadmin/WEB-INF)
<!-- WebAdmin - web.xml -->
<web-app>
  ...
  <security-constraint>
    <display-name>Webadmin Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/webadmin/WEB-INF/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>tomcat</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Webadmin Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
[By putting just webadmin/WEB-INF into "context-relative URL(s) to be
protected" I thought I would allow access to webadmin/login.jsp...,
but not to webadmin/WEB-INF/...]
----------------------------------
tomcat_user.xml (unchanged)
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
</tomcat-users>
----------------------------------
tomcat/conf/web.xml is unchanged
----------------------------------
index.jsp changed into:
<%
  if (request.getParameter("logoff") != null) {
    session.invalidate();
    response.sendRedirect("index.jsp");
    return;
  }
%>
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 3.2//EN'>
<html>
<head><title>INO WebAdmin</title></head>
<frameset cols="20%,80%">
  <frame src="treeframe.jsp" name="Treefenster">
  <frame src="statusrf.jsp" name="Rightfenster">
</frameset>
<body>
</body>
</html>
*************************
LOG:
localhost_webadmin_log...
2001-11-12 11:01:04 Authenticator[/webadmin]: Security checking request
GET /webadmin/login.jsp
2001-11-12 11:01:04 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
2001-11-12 11:01:04 Authenticator[/webadmin]: No applicable constraint
located
2001-11-12 11:01:04 Authenticator[/webadmin]: Not subject to any
constraint
2001-11-12 11:01:04 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
relativeURI='/login.jsp'
2001-11-12 11:01:04 StandardContext[/webadmin]: Decoded
relativeURI='/login.jsp'
2001-11-12 11:01:04 StandardContext[/webadmin]: Trying exact match
2001-11-12 11:01:04 StandardContext[/webadmin]: Trying prefix match
2001-11-12 11:01:04 StandardContext[/webadmin]: Trying extension match
2001-11-12 11:01:04 StandardContext[/webadmin]: Mapped to servlet 'jsp'
with servlet path '/login.jsp' and path info 'null' and update=true
2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request
POST /webadmin/j_security_check
2001-11-12 11:01:13 Authenticator[/webadmin]: Authenticating username
'tomcat'
2001-11-12 11:01:13 Authenticator[/webadmin]: Authentication of 'tomcat'
was successful
2001-11-12 11:01:13 Authenticator[/webadmin]: Redirecting to original
'null'
2001-11-12 11:01:13 Authenticator[/webadmin]: Failed authenticate()
test
2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request
GET /webadmin/null
2001-11-12 11:01:13 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /null --> false
2001-11-12 11:01:13 Authenticator[/webadmin]: No applicable constraint
located
2001-11-12 11:01:13 Authenticator[/webadmin]: Not subject to any
constraint
2001-11-12 11:01:13 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/null' and
relativeURI='/null'
2001-11-12 11:01:13 StandardContext[/webadmin]: Decoded
relativeURI='/null'
2001-11-12 11:01:13 StandardContext[/webadmin]: Trying exact match
2001-11-12 11:01:13 StandardContext[/webadmin]: Trying prefix match
2001-11-12 11:01:13 StandardContext[/webadmin]: Trying extension match
2001-11-12 11:01:13 StandardContext[/webadmin]: Trying default match
2001-11-12 11:01:13 StandardContext[/webadmin]: Mapped to servlet
'default' with servlet path '/null' and path info 'null' and update=true
----------------------------------
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
Re: Memory Realm - Redirect to NULL ??
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Tue, 13 Nov 2001, Sunhild Copony wrote:
> [snip]
> Login is correctly accepted and then the servlet is executed - that would be
> almost ok - (well not quite, because it's not so beautiful to get the login
> in a frame ...)
We're dealing with a case like this on the Tomcat administration webapp
being built for 4.1. The application will run in a framed environment,
but we want the login page (whenever it's displayed) to take the full
window.
The solution was to add a little JavaScript at the top of the login.jsp
page:
<script language="JavaScript" type="text/javascript">
<!--
  if (window.self != window.top) {
    window.open(window.location, "_top");
  }
// -->
</script>
> BUT this happens just when Tomcat is restarted.
> The servlet is executed without asking for login when one login was successful.
>
Note that, if you didn't restart your browser, this is actually a Tomcat
feature. Sessions are saved and restored across Tomcat restarts, so your
previous login session is still valid.
To avoid this, you can do one of the following:
* Restart your browser.
* Delete the directory "$CATALINA_HOME/work/localhost/{webapp}" before
restarting Tomcat to eliminate all the old stuff.
>
> Sunny
>
Craig
--
Re: Memory Realm - Redirect to NULL ??
Posted by Sunhild Copony <su...@inovit.de>.
Thanks a lot for your answer, Craig!
I made the change
<url-pattern>/servlet/*</url-pattern>
and got the following:
- URL .../webadmin/login.jsp:
(1) from server:
Browser message: HTTP status 404 - /null (not available)
(2) from client:
Browser message:HTTP Status 404 - /j_security_check (not available)
- URL .../webadmin:
calls index.jsp; I expected to see login.jsp because of
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Webadmin Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
In the Tomcat examples it's like that and it would be fine for me too!
- URL .../webadmin/webadmin.html:
shows the page webadmin.html, and in the frame where a servlet is called,
login.jsp is shown.
Login is correctly accepted and then the servlet is executed - that would be
almost ok - (well not quite, because it's not so beautiful to get the login
in a frame ...)
BUT this happens just when Tomcat is restarted.
The servlet is executed without asking for login when one login was successful.
I have cache = 0; restarting the browser is not enough. Only restarting
Tomcat!
I would be happy to find a solution like this:
start with Login, get than the first page of the application.
Sounds so simple, but where do I have those wrong configs??
Thanks for your help!!
Sunny
-------------- LOG (1) --------------
2001-11-13 09:54:10 Authenticator[/webadmin]: Security checking request GET
/webadmin/login.jsp
2001-11-13 09:54:10 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
2001-11-13 09:54:10 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:54:10 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:54:10 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
relativeURI='/login.jsp'
2001-11-13 09:54:10 StandardContext[/webadmin]: Decoded
relativeURI='/login.jsp'
2001-11-13 09:54:10 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:54:10 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:54:10 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:54:10 StandardContext[/webadmin]: Mapped to servlet 'jsp' with
servlet path '/login.jsp' and path info 'null' and update=true
2001-11-13 09:54:13 Authenticator[/webadmin]: Security checking request GET
/webadmin/login.jsp
2001-11-13 09:54:13 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
2001-11-13 09:54:13 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:54:13 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:54:13 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
relativeURI='/login.jsp'
2001-11-13 09:54:13 StandardContext[/webadmin]: Decoded
relativeURI='/login.jsp'
2001-11-13 09:54:13 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:54:13 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:54:13 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:54:13 StandardContext[/webadmin]: Mapped to servlet 'jsp' with
servlet path '/login.jsp' and path info 'null' and update=true
2001-11-13 09:54:27 Authenticator[/webadmin]: Security checking request POST
/webadmin/j_security_check
2001-11-13 09:54:27 Authenticator[/webadmin]: Authenticating username 'tomcat'
2001-11-13 09:54:27 Authenticator[/webadmin]: Authentication of 'tomcat' was
successful
2001-11-13 09:54:27 Authenticator[/webadmin]: Redirecting to original 'null'
2001-11-13 09:54:27 Authenticator[/webadmin]: Failed authenticate() test
2001-11-13 09:54:27 Authenticator[/webadmin]: Security checking request GET
/webadmin/null
2001-11-13 09:54:27 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /null --> false
2001-11-13 09:54:27 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:54:27 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:54:27 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/null' and
relativeURI='/null'
2001-11-13 09:54:27 StandardContext[/webadmin]: Decoded relativeURI='/null'
2001-11-13 09:54:27 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:54:27 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:54:27 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:54:27 StandardContext[/webadmin]: Trying default match
2001-11-13 09:54:27 StandardContext[/webadmin]: Mapped to servlet 'default'
with servlet path '/null' and path info 'null' and update=true
2001-11-13 09:54:32 Authenticator[/webadmin]: Security checking request GET
/webadmin/login.jsp
2001-11-13 09:54:32 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
2001-11-13 09:54:32 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:54:32 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:54:32 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
relativeURI='/login.jsp'
2001-11-13 09:54:32 StandardContext[/webadmin]: Decoded
relativeURI='/login.jsp'
2001-11-13 09:54:32 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:54:32 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:54:32 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:54:32 StandardContext[/webadmin]: Mapped to servlet 'jsp' with
servlet path '/login.jsp' and path info 'null' and update=true
2001-11-13 09:54:33 Authenticator[/webadmin]: Security checking request GET
/webadmin/login.jsp
2001-11-13 09:54:33 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
2001-11-13 09:54:33 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:54:33 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:54:33 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
relativeURI='/login.jsp'
2001-11-13 09:54:33 StandardContext[/webadmin]: Decoded
relativeURI='/login.jsp'
2001-11-13 09:54:33 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:54:33 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:54:33 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:54:33 StandardContext[/webadmin]: Mapped to servlet 'jsp' with
servlet path '/login.jsp' and path info 'null' and update=true
2001-11-13 09:54:50 Authenticator[/webadmin]: Security checking request POST
/webadmin/j_security_check
2001-11-13 09:54:50 Authenticator[/webadmin]: Authenticating username 'tomcat'
2001-11-13 09:54:50 Authenticator[/webadmin]: Authentication of 'tomcat' was
successful
2001-11-13 09:54:50 Authenticator[/webadmin]: Redirecting to original 'null'
2001-11-13 09:54:50 Authenticator[/webadmin]: Failed authenticate() test
2001-11-13 09:54:50 Authenticator[/webadmin]: Security checking request GET
/webadmin/null
2001-11-13 09:54:50 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /null --> false
2001-11-13 09:54:50 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:54:50 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:54:50 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/null' and
relativeURI='/null'
2001-11-13 09:54:50 StandardContext[/webadmin]: Decoded relativeURI='/null'
2001-11-13 09:54:50 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:54:50 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:54:50 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:54:50 StandardContext[/webadmin]: Trying default match
2001-11-13 09:54:50 StandardContext[/webadmin]: Mapped to servlet 'default'
with servlet path '/null' and path info 'null' and update=true
-------------- LOG (2) --------------
2001-11-13 09:56:41 Authenticator[/webadmin]: Security checking request GET
/webadmin/login.jsp
2001-11-13 09:56:41 Authenticator[/webadmin]: We have cached auth type FORM
for principal GenericPrincipal[tomcat]
2001-11-13 09:56:41 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
2001-11-13 09:56:41 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:56:41 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:56:41 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
relativeURI='/login.jsp'
2001-11-13 09:56:41 StandardContext[/webadmin]: Decoded
relativeURI='/login.jsp'
2001-11-13 09:56:41 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:56:41 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:56:41 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:56:41 StandardContext[/webadmin]: Mapped to servlet 'jsp' with
servlet path '/login.jsp' and path info 'null' and update=true
2001-11-13 09:56:43 Authenticator[/webadmin]: Security checking request GET
/webadmin/login.jsp
2001-11-13 09:56:43 Authenticator[/webadmin]: We have cached auth type FORM
for principal GenericPrincipal[tomcat]
2001-11-13 09:56:43 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
2001-11-13 09:56:43 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:56:43 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:56:43 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
relativeURI='/login.jsp'
2001-11-13 09:56:43 StandardContext[/webadmin]: Decoded
relativeURI='/login.jsp'
2001-11-13 09:56:43 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:56:43 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:56:43 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:56:43 StandardContext[/webadmin]: Mapped to servlet 'jsp' with
servlet path '/login.jsp' and path info 'null' and update=true
2001-11-13 09:56:52 Authenticator[/webadmin]: Security checking request POST
/webadmin/j_security_check
2001-11-13 09:56:52 Authenticator[/webadmin]: We have cached auth type FORM
for principal GenericPrincipal[tomcat]
2001-11-13 09:56:52 Authenticator[/webadmin]: Already authenticated 'tomcat'
2001-11-13 09:56:52 Authenticator[/webadmin]: Checking constraint
'SecurityConstraint[Protected Area]' against POST /j_security_check --> false
2001-11-13 09:56:52 Authenticator[/webadmin]: No applicable constraint
located
2001-11-13 09:56:52 Authenticator[/webadmin]: Not subject to any constraint
2001-11-13 09:56:52 StandardContext[/webadmin]: Mapping
contextPath='/webadmin' with requestURI='/webadmin/j_security_check' and
relativeURI='/j_security_check'
2001-11-13 09:56:52 StandardContext[/webadmin]: Decoded
relativeURI='/j_security_check'
2001-11-13 09:56:52 StandardContext[/webadmin]: Trying exact match
2001-11-13 09:56:52 StandardContext[/webadmin]: Trying prefix match
2001-11-13 09:56:52 StandardContext[/webadmin]: Trying extension match
2001-11-13 09:56:52 StandardContext[/webadmin]: Trying default match
2001-11-13 09:56:52 StandardContext[/webadmin]: Mapped to servlet 'default'
with servlet path '/j_security_check' and path info 'null' and update=true
"Craig R. McClanahan" wrote:
> The first important issue -- all paths within web.xml are relative to the
> context root, not the server root. So, the first thing to do is change
>
> <url-pattern>/webadmin/WEB-INF/*</url-pattern>
>
> to
>
> <url-pattern>/WEB-INF/*</url-pattern>
>
> The second important issue -- the servlet container already protects all
> URLs that have /WEB-INF in them. To prove it, try this from your browser:
>
> http://localhost:8080/webadmin/WEB-INF/web.xml
>
> and you will get a "forbidden" error back.
>
> The third important issue -- you want to express URL patterns based on the
> URL submitted by the browser, not where the classes are loaded from. So,
> if you are trying to protect a URL like this:
>
> http://localhost:8080/webadmin/servlet/MyServlet
>
> then the real URL pattern you want to use is probably:
>
> <url-pattern>/servlet/*</url-pattern>
>
> Craig McClanahan
>
> On Mon, 12 Nov 2001, Sunhild Copony wrote:
>
> > [snip]
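Craig's three points (url-patterns are relative to the context root, the container refuses /WEB-INF on its own, and the pattern must describe the URL the browser sends) can be checked mechanically rather than by trial and error. The Python below is an added, stand-alone model written for this thread, not Tomcat's code: it applies the Servlet-spec url-pattern rules (exact, path prefix, extension, universal) the way the log's "Checking constraint ... against GET /login.jsp --> false" lines do, and classifies a few constructed requests under the constraint exactly as posted and under the `/servlet/*` version. The `/servlet/MyServlet` path is the one from Craig's reply; the HEAD request and the `..` path are assumptions added to show two things the thread only hints at: the web.xml comment "If you list http methods, only those methods are protected" means a constraint with an explicit method list leaves HEAD (and OPTIONS, TRACE) unconstrained, and it is the container's own /WEB-INF refusal, not the security constraint, that stops a direct fetch of web.xml. The log also shows why the redirect goes to 'null': no request ever matched the constraint, so the browser was never challenged, j_security_check was posted from a hand-opened login.jsp, and the authenticator had no saved original request to return to.

```python
"""Added example for this thread (not Tomcat code): evaluate which
context-relative requests a web.xml <security-constraint> really covers,
using the Servlet-spec url-pattern rules the Tomcat log walks through."""

from dataclasses import dataclass
from posixpath import normpath


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: url-patterns, the <http-method> list
    (empty means every method) and the <auth-constraint> roles."""
    name: str
    patterns: tuple
    methods: frozenset = frozenset()
    roles: tuple = ()


def normalize(path: str) -> str:
    """Collapse '.', '..' and '//' before matching, as the container does."""
    if not path:
        return "/"
    p = normpath(path)
    return p if p.startswith("/") else "/" + p


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern rules for a context-relative path:
    universal ('/' or '/*'), exact, path prefix ('/x/*'), extension ('*.jsp')."""
    if pattern in ("", "/", "/*"):
        return True
    if path == pattern:
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.endswith(pattern[1:])
    return False


def applicable(constraints, method: str, path: str):
    """Return the first constraint covering (method, path), or None.
    A constraint that lists <http-method>s is skipped for any other method,
    which is why listing them leaves HEAD/OPTIONS/TRACE unconstrained."""
    path = normalize(path)
    method = method.upper()
    for c in constraints:
        if c.methods and method not in c.methods:
            continue
        if any(pattern_matches(p, path) for p in c.patterns):
            return c
    return None


def container_denies(path: str) -> bool:
    """Direct requests into /WEB-INF or /META-INF are refused by the container
    itself, independent of web.xml (modelled here as a simple prefix check)."""
    p = normalize(path).upper()
    return any(p == d or p.startswith(d + "/") for d in ("/WEB-INF", "/META-INF"))


def audit(constraints, requests):
    """Classify each (method, path) as denied by container, constrained, or OPEN."""
    result = {}
    for method, path in requests:
        if container_denies(path):
            result[(method, path)] = "denied by container"
        else:
            c = applicable(constraints, method, path)
            result[(method, path)] = f"constrained by {c.name}" if c else "OPEN"
    return result


# The constraint exactly as posted: server-root path plus an explicit method list.
POSTED = Constraint("Protected Area (as posted)", ("/webadmin/WEB-INF/*",),
                    frozenset({"GET", "POST", "PUT", "DELETE"}), ("tomcat", "role1"))
# Craig's fix: a context-relative pattern for the URL the browser actually sends.
FIXED = Constraint("Protected Area (/servlet/*)", ("/servlet/*",),
                   frozenset({"GET", "POST", "PUT", "DELETE"}), ("tomcat", "role1"))
# Same pattern with no <http-method> list at all, so every method is covered.
FIXED_ALL = Constraint("Protected Area (/servlet/*, all methods)", ("/servlet/*",),
                       frozenset(), ("tomcat", "role1"))

# Constructed sample requests, context-relative like the log's relativeURI.
SAMPLE = [("GET", "/login.jsp"),
          ("GET", "/servlet/MyServlet"),
          ("HEAD", "/servlet/MyServlet"),              # assumed: method not listed
          ("GET", "/WEB-INF/web.xml"),
          ("GET", "/servlet/../WEB-INF/classes/MyServlet.class")]  # assumed

if __name__ == "__main__":
    for label, cs in (("as posted", [POSTED]), ("fixed", [FIXED]),
                      ("fixed, all methods", [FIXED_ALL])):
        print(f"--- {label}")
        for (method, path), verdict in audit(cs, SAMPLE).items():
            print(f"{method:5} {path:48} {verdict}")
```

Running it prints one verdict table per variant: under the constraint as posted every sample request is OPEN except the two the container refuses on its own, which is the "protection doesn't exist" symptom; under `/servlet/*` the GET is constrained but the HEAD is still OPEN; only the version without an `<http-method>` list covers both. Unless other methods are meant to stay unconstrained, leave the method list out.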
Re: Memory Realm - Redirect to NULL ??
Posted by Sunhild Copony <su...@inovit.de>.
Hi again,
I think I found a semi-solution!
What remains is the last problem, but just for Netscape on PC - IE is ok and
Solaris too.
(... restarting the browser is not enough. Only restarting Tomcat helps.)
Please excuse me, I know it doesn't have anything to do with Tomcat but with
the browser, but maybe you have some idea what's wrong there.
Thanks a lot for explaining and giving the right hint!!!
Sunny
"Craig R. McClanahan" wrote:
> The first important issue -- all paths within web.xml are relative to the
> context root, not the server root. So, the first thing to do is change
>
> <url-pattern>/webadmin/WEB-INF/*</url-pattern>
>
> to
>
> <url-pattern>/WEB-INF/*</url-pattern>
>
> The second important issue -- the servlet container already protects all
> URLs that have /WEB-INF in them. To prove it, try this from your browser:
>
> http://localhost:8080/webadmin/WEB-INF/web.xml
>
> and you will get a "forbidden" error back.
>
> The third important issue -- you want to express URL patterns based on the
> URL submitted by the browser, not where the classes are loaded from. So,
> if you are trying to protect a URL like this:
>
> http://localhost:8080/webadmin/servlet/MyServlet
>
> then the real URL pattern you want to use is probably:
>
> <url-pattern>/servlet/*</url-pattern>
>
> Craig McClanahan
>
> On Mon, 12 Nov 2001, Sunhild Copony wrote:
>
> > Date: Mon, 12 Nov 2001 13:03:01 +0100
> > From: Sunhild Copony <su...@inovit.de>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: tomcat-user@jakarta.apache.org
> > Subject: Memory Realm - Redirect to NULL ??
> >
> > Hi all,
> >
> > refering to:
> > Re: form based login
> > From: Craig R. McClanahan
> > Date: Sun, 16 Sep 2001 19:14:43 -0700
> >
> > I read what Craig wrote to this problem - but I don't have any directive
> > for cookies in server.xml (and have one more question)
> > In the other points I have the same problem like Pero: twice call to
> > login.jsp and redirect to NULL after succesful authentification. I tried
> > the same login.jsp; error.jsp is called for unvalid users...
> >
> > I tried to access from the server or from a client - allways the same.
> > I think too that its a problem of my configuration, maybe everyone sees
> > it, except me!!
> >
> > And I have another problem: the protection doesn't exist??!! When I
> > call one of the .jsps from webadmin, (without login) the servlets from
> > WEB-INF/classes/ are executed - and exactly that's I wanted to avoid...
> >
> >
> > Thanks for any help!
> > Sunny
> >
> >
> > Here's my configuration:
> >
> > server.xml
> > <!-- WebAdmin Context -->
> > <Context path="/webadmin" docBase="webadmin" debug="99"
> > reloadable="true">
> > <Logger className="org.apache.catalina.logger.FileLogger"
> > prefix="localhost_webadmin_log." suffix=".txt"
> > timestamp="true"/>
> > <Environment name="maxExemptions" type="java.lang.Integer"
> > value="15"/>
> > <Parameter name="context.param.name"
> > value="context.param.value"override="false"/>
> > <Resource name="mail/Session" auth="Container"
> > type="javax.mail.Session"/>
> > <ResourceParams name="mail/session">
> > <parameter>
> > <name>mail.smtp.host</name>
> > <value>localhost</value>
> > </parameter>
> > </ResourceParams>
> > </Context>
> >
> > -------------------------------------------
> >
> > web.xml (in my webapps/webadmin/WEB-INF)
> >
> > <!-- WebAdmin - web.xml -->
> >
> > <web-app>
> > ...
> > <security-constraint>
> > <display-name>Webadmin Security Constraint</display-name>
> > <web-resource-collection>
> > <web-resource-name>Protected Area</web-resource-name>
> > <!-- Define the context-relative URL(s) to be protected -->
> > <url-pattern>/webadmin/WEB-INF/*</url-pattern>
> > <!-- If you list http methods, only those methods are protected -->
> > <http-method>DELETE</http-method>
> > <http-method>GET</http-method>
> > <http-method>POST</http-method>
> > <http-method>PUT</http-method>
> > </web-resource-collection>
> > <auth-constraint>
> > <!-- Anyone with one of the listed roles may access this area
> > -->
> > <role-name>tomcat</role-name>
> > <role-name>role1</role-name>
> > </auth-constraint>
> > </security-constraint>
> >
> > <!-- Default login configuration uses form-based authentication -->
> > <login-config>
> > <auth-method>FORM</auth-method>
> > <realm-name>Webadmin Form-Based Authentication Area</realm-name>
> > <form-login-config>
> > <form-login-page>/login.jsp</form-login-page>
> > <form-error-page>/error.jsp</form-error-page>
> > </form-login-config>
> > </login-config>
> >
> > </web-app>
> >
> > [putting into "context-relative URL(s) to be protected" just
> > webadmin/WEB-INF I thought to enable access to webadmin/login.jsp...,
> > but not to webadmin/WEB-INF/...]
> >
> > ----------------------------------
> >
> > tomcat_user.xml (unchanged)
> >
> > <tomcat-users>
> > <user name="tomcat" password="tomcat" roles="tomcat" />
> > </tomcat-users>
> >
> > ----------------------------------
> >
> > tomcat/conf/web.xml is unchanged
> >
> > ----------------------------------
> >
> > index.jsp changed into:
> >
> > <%
> > if (request.getParameter("logoff") != null) {
> > session.invalidate();
> > response.sendRedirect("index.jsp");
> > return;
> > }
> > %>
> >
> > <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 3.2//EN'>
> > <html>
> > <head><title>INO WebAdmin</title></head>
> >
> > <frameset cols="20%,80%">
> > <frame src="treeframe.jsp" name=Treefenster>
> > <frame src="statusrf.jsp" name=Rightfenster>
> > </frameset>
> >
> > <body>
> > </body>
> > </html>
> >
> > *************************
> > LOG:
> >
> > localhost_webadmin_log...
> >
> > 2001-11-12 11:01:04 Authenticator[/webadmin]: Security checking request
> > GET /webadmin/login.jsp
> > 2001-11-12 11:01:04 Authenticator[/webadmin]: Checking constraint
> > 'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
> > 2001-11-12 11:01:04 Authenticator[/webadmin]: No applicable constraint
> > located
> > 2001-11-12 11:01:04 Authenticator[/webadmin]: Not subject to any
> > constraint
> > 2001-11-12 11:01:04 StandardContext[/webadmin]: Mapping
> > contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
> > relativeURI='/login.jsp'
> > 2001-11-12 11:01:04 StandardContext[/webadmin]: Decoded
> > relativeURI='/login.jsp'
> > 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying exact match
> > 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying prefix match
> > 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying extension match
> >
> > 2001-11-12 11:01:04 StandardContext[/webadmin]: Mapped to servlet 'jsp'
> > with servlet path '/login.jsp' and path info 'null' and update=true
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request
> > POST /webadmin/j_security_check
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Authenticating username
> > 'tomcat'
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Authentication of 'tomcat'
> > was successful
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Redirecting to original
> > 'null'
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Failed authenticate()
> > test
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request
> > GET /webadmin/null
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Checking constraint
> > 'SecurityConstraint[Protected Area]' against GET /null --> false
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: No applicable constraint
> > located
> > 2001-11-12 11:01:13 Authenticator[/webadmin]: Not subject to any
> > constraint
> > 2001-11-12 11:01:13 StandardContext[/webadmin]: Mapping
> > contextPath='/webadmin' with requestURI='/webadmin/null' and
> > relativeURI='/null'
> > 2001-11-12 11:01:13 StandardContext[/webadmin]: Decoded
> > relativeURI='/null'
> > 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying exact match
> > 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying prefix match
> > 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying extension match
> >
> > 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying default match
> > 2001-11-12 11:01:13 StandardContext[/webadmin]: Mapped to servlet
> > 'default' with servlet path '/null' and path info 'null' and update=true
> >
> > ----------------------------------
> >
> >
> >
> > --
> > To unsubscribe: <ma...@jakarta.apache.org>
> > For additional commands: <ma...@jakarta.apache.org>
> > Troubles with the list: <ma...@jakarta.apache.org>
> >
> >
>
Re: Memory Realm - Redirect to NULL ??
Posted by "Craig R. McClanahan" <cr...@apache.org>.
The first important issue -- all paths within web.xml are relative to the
context root, not the server root. So, the first thing to do is change
<url-pattern>/webadmin/WEB-INF/*</url-pattern>
to
<url-pattern>/WEB-INF/*</url-pattern>
The second important issue -- the servlet container already protects all
URLs that have /WEB-INF in them. To prove it, try this from your browser:
http://localhost:8080/webadmin/WEB-INF/web.xml
and you will get a "forbidden" error back.
The third important issue -- you want to express URL patterns based on the
URL submitted by the browser, not where the classes are loaded from. So,
if you are trying to protect a URL like this:
http://localhost:8080/webadmin/servlet/MyServlet
then the real URL pattern you want to use is probably:
<url-pattern>/servlet/*</url-pattern>
Craig McClanahan
On Mon, 12 Nov 2001, Sunhild Copony wrote:
> Date: Mon, 12 Nov 2001 13:03:01 +0100
> From: Sunhild Copony <su...@inovit.de>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: Memory Realm - Redirect to NULL ??
>
> Hi all,
>
> referring to:
> Re: form based login
> From: Craig R. McClanahan
> Date: Sun, 16 Sep 2001 19:14:43 -0700
>
> I read what Craig wrote about this problem - but I don't have any directive
> for cookies in server.xml (and have one more question)
> In the other points I have the same problem as Pero: twice call to
> login.jsp and redirect to NULL after successful authentication. I tried
> the same login.jsp; error.jsp is called for invalid users...
>
> I tried to access from the server or from a client - always the same.
> I think too that it's a problem of my configuration, maybe everyone sees
> it, except me!!
>
> And I have another problem: the protection doesn't exist??!! When I
> call one of the .jsps from webadmin, (without login) the servlets from
> WEB-INF/classes/ are executed - and exactly that's what I wanted to avoid...
>
>
> Thanks for any help!
> Sunny
>
>
> Here's my configuration:
>
> server.xml
> <!-- WebAdmin Context -->
> <Context path="/webadmin" docBase="webadmin" debug="99"
> reloadable="true">
> <Logger className="org.apache.catalina.logger.FileLogger"
> prefix="localhost_webadmin_log." suffix=".txt"
> timestamp="true"/>
> <Environment name="maxExemptions" type="java.lang.Integer"
> value="15"/>
> <Parameter name="context.param.name"
> value="context.param.value" override="false"/>
> <Resource name="mail/Session" auth="Container"
> type="javax.mail.Session"/>
> <ResourceParams name="mail/session">
> <parameter>
> <name>mail.smtp.host</name>
> <value>localhost</value>
> </parameter>
> </ResourceParams>
> </Context>
>
> -------------------------------------------
>
> web.xml (in my webapps/webadmin/WEB-INF)
>
> <!-- WebAdmin - web.xml -->
>
> <web-app>
> ...
> <security-constraint>
> <display-name>Webadmin Security Constraint</display-name>
> <web-resource-collection>
> <web-resource-name>Protected Area</web-resource-name>
> <!-- Define the context-relative URL(s) to be protected -->
> <url-pattern>/webadmin/WEB-INF/*</url-pattern>
> <!-- If you list http methods, only those methods are protected -->
> <http-method>DELETE</http-method>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>PUT</http-method>
> </web-resource-collection>
> <auth-constraint>
> <!-- Anyone with one of the listed roles may access this area
> -->
> <role-name>tomcat</role-name>
> <role-name>role1</role-name>
> </auth-constraint>
> </security-constraint>
>
> <!-- Default login configuration uses form-based authentication -->
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>Webadmin Form-Based Authentication Area</realm-name>
> <form-login-config>
> <form-login-page>/login.jsp</form-login-page>
> <form-error-page>/error.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> </web-app>
>
> [putting into "context-relative URL(s) to be protected" just
> webadmin/WEB-INF I thought to enable access to webadmin/login.jsp...,
> but not to webadmin/WEB-INF/...]
>
> ----------------------------------
>
> tomcat_user.xml (unchanged)
>
> <tomcat-users>
> <user name="tomcat" password="tomcat" roles="tomcat" />
> </tomcat-users>
>
> ----------------------------------
>
> tomcat/conf/web.xml is unchanged
>
> ----------------------------------
>
> index.jsp changed into:
>
> <%
> if (request.getParameter("logoff") != null) {
> session.invalidate();
> response.sendRedirect("index.jsp");
> return;
> }
> %>
>
> <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 3.2//EN'>
> <html>
> <head><title>INO WebAdmin</title></head>
>
> <frameset cols="20%,80%">
> <frame src="treeframe.jsp" name=Treefenster>
> <frame src="statusrf.jsp" name=Rightfenster>
> </frameset>
>
> <body>
> </body>
> </html>
>
> *************************
> LOG:
>
> localhost_webadmin_log...
>
> 2001-11-12 11:01:04 Authenticator[/webadmin]: Security checking request
> GET /webadmin/login.jsp
> 2001-11-12 11:01:04 Authenticator[/webadmin]: Checking constraint
> 'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
> 2001-11-12 11:01:04 Authenticator[/webadmin]: No applicable constraint
> located
> 2001-11-12 11:01:04 Authenticator[/webadmin]: Not subject to any
> constraint
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Mapping
> contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and
> relativeURI='/login.jsp'
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Decoded
> relativeURI='/login.jsp'
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying exact match
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying prefix match
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying extension match
>
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Mapped to servlet 'jsp'
> with servlet path '/login.jsp' and path info 'null' and update=true
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request
> POST /webadmin/j_security_check
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Authenticating username
> 'tomcat'
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Authentication of 'tomcat'
> was successful
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Redirecting to original
> 'null'
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Failed authenticate()
> test
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request
> GET /webadmin/null
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Checking constraint
> 'SecurityConstraint[Protected Area]' against GET /null --> false
> 2001-11-12 11:01:13 Authenticator[/webadmin]: No applicable constraint
> located
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Not subject to any
> constraint
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Mapping
> contextPath='/webadmin' with requestURI='/webadmin/null' and
> relativeURI='/null'
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Decoded
> relativeURI='/null'
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying exact match
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying prefix match
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying extension match
>
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying default match
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Mapped to servlet
> 'default' with servlet path '/null' and path info 'null' and update=true
>
> ----------------------------------
>
>
>
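As an added example (not code from this thread and not Tomcat's own code), the following Python models the two steps Craig's reply turns on: the container first strips the context path to get a context-relative URI (the "Mapping contextPath='/webadmin' ... relativeURI='/login.jsp'" line in the log), and only then evaluates each <security-constraint> url-pattern with the servlet-spec rules the log walks through (exact, prefix, extension, default). It also models the container rule from the reply that nothing under /WEB-INF is served directly. The constraint values are taken from the posted web.xml, the corrected patterns (/WEB-INF/* and /servlet/*) from the reply; the function and class names, the sample requests and the outcome labels are this example's own assumptions.

```python
# Added example, not Tomcat's code: a small model of how a servlet container
# turns a request URI into a context-relative path and then evaluates
# <security-constraint> url-patterns, in the order the log above shows
# (exact, prefix, extension, default).  Names are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def relative_uri(context_path: str, request_uri: str) -> Optional[str]:
    """Strip the context path, as in the log line
    "Mapping contextPath='/webadmin' ... relativeURI='/login.jsp'"."""
    if request_uri == context_path:
        return "/"
    if request_uri.startswith(context_path + "/"):
        return request_uri[len(context_path):]
    return None  # the request belongs to some other context


def pattern_matches(pattern: str, path: str) -> bool:
    """url-pattern rules from the servlet spec: exact, path prefix
    ('/foo/*'), extension ('*.jsp'), and the default pattern '/'."""
    if pattern == path:                       # exact match
        return True
    if pattern.endswith("/*"):                # prefix match
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):              # extension match
        return path.endswith(pattern[1:])
    return pattern == "/"                     # default match


@dataclass
class SecurityConstraint:
    name: str
    url_patterns: List[str]
    http_methods: List[str] = field(default_factory=list)  # empty = every method
    roles: List[str] = field(default_factory=list)


def check_request(context_path: str, request_uri: str, method: str,
                  constraints: List[SecurityConstraint]) -> str:
    """Decide what the container does with one request:
    'no-context', 'forbidden', 'protected:<name>' or 'unconstrained'."""
    rel = relative_uri(context_path, request_uri)
    if rel is None:
        return "no-context"
    # Rule from the reply: anything under /WEB-INF is never served directly,
    # regardless of what web.xml says (the reply reports a "forbidden" error).
    if rel == "/WEB-INF" or rel.startswith("/WEB-INF/"):
        return "forbidden"
    for c in constraints:
        if c.http_methods and method not in c.http_methods:
            continue                          # listed methods only, as in web.xml
        if any(pattern_matches(p, rel) for p in c.url_patterns):
            return f"protected:{c.name}"      # roles in c.roles would now be required
    return "unconstrained"                    # "No applicable constraint located"


# The constraint exactly as posted, and one using context-relative patterns
# as the reply recommends (/WEB-INF/* plus /servlet/* for servlet URLs).
AS_POSTED = SecurityConstraint("Protected Area", ["/webadmin/WEB-INF/*"],
                               ["DELETE", "GET", "POST", "PUT"], ["tomcat", "role1"])
CORRECTED = SecurityConstraint("Protected Area", ["/WEB-INF/*", "/servlet/*"],
                               ["DELETE", "GET", "POST", "PUT"], ["tomcat", "role1"])


def demo() -> Dict[str, str]:
    """Constructed requests against the /webadmin context."""
    ctx = "/webadmin"
    return {
        # the log's first request: constraint check is false, page is served
        "login_as_posted": check_request(ctx, "/webadmin/login.jsp", "GET", [AS_POSTED]),
        # the "protection doesn't exist" case: the servlet URL matches nothing
        "servlet_as_posted": check_request(ctx, "/webadmin/servlet/MyServlet", "GET", [AS_POSTED]),
        # same URL with the corrected pattern
        "servlet_corrected": check_request(ctx, "/webadmin/servlet/MyServlet", "GET", [CORRECTED]),
        # direct fetch of web.xml: refused by the container itself
        "webxml_direct": check_request(ctx, "/webadmin/WEB-INF/web.xml", "GET", [AS_POSTED]),
        # the redirect-to-null request from the log
        "null_redirect": check_request(ctx, "/webadmin/null", "GET", [AS_POSTED]),
        # the only URL the posted pattern would ever match: context path doubled
        "doubled_context": check_request(ctx, "/webadmin/webadmin/WEB-INF/classes/X", "GET", [AS_POSTED]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The "doubled_context" case is the point of the first issue in the reply: because matching happens on the context-relative path, a pattern that begins with the context path can only ever match a request whose URI repeats that context path, so the posted constraint leaves the real servlet URLs unconstrained, exactly as the log's "--> false" lines show.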