Posted to users@tomcat.apache.org by Alexander Soudackov <so...@chem.psu.edu> on 2009/02/25 03:42:43 UTC

tomcat webapp FORM authentication problem

Hi everybody,

I have a very annoying problem with a secured folder in my tomcat web 
application. The most amazing thing is that the problems do not occur when 
I'm using BASIC authentication, but only when using FORM authentication. 
Here is what I have configured (mywebapp is the name of the folder with my 
web application, this folder is in ${TOMCAT}/webapps; protectedarea is the 
name of the protected folder):

- JDBCRealm is configured in server.xml (tested, working properly);

- security-constraint configured in 
${TOMCAT}/webapps/mywebapp/WEB-INF/web.xml :

<security-constraint>
    <display-name>mywebapp Security Constraint</display-name>
    <web-resource-collection>
       <web-resource-name>mywebapp</web-resource-name>
       <url-pattern>/protectedarea/*</url-pattern>
       <http-method>DELETE</http-method>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
       <role-name>tomcat</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>mywebapp Application</realm-name>
    <form-login-config>
       <form-login-page>/protectedarea/login.html</form-login-page>
       <form-error-page>/protectedarea/error.html</form-error-page>
    </form-login-config>
</login-config>


- login.html has the following login form (stripped of formatting here 
for clarity):

<form action="j_security_check" method="POST">
E-mail address: <input type="text" name="j_username"/>
Password:       <input type="password" name="j_password"/>
<input type="submit" value="Login"/><input type="reset" value="Clear"/>
</form>

- I also have subdirectories (with images, javascripts, css) in 
mywebapp/protectedarea. The html files in protectedarea (index.html, 
login.html, and error.html) refer to the contents of these 
subdirectories when loading javascripts, css, and images.

NOW,

The problem #1 is: login.html displays a form BUT there is NO images, NO 
CSS formatting, and Javascript! The page displays just a raw form.

The problem #2 is: after successful authentication the browser shows the 
SOURCE of the first javascript referenced in index.html, instead of 
index.html. The strangest thing is that after reloading the page 
(index.html) everything displays fine, including the login.html.

The problems reoccur after cleaning the cash and cookies of the browser. 
It looks like there is a temporary problem with context which gets 
resolved somehow after the first login attempt.

Please, could somebody give me some advice/explanation, I have NO IDEA 
what is happening. Again, the BASIC authentication works fine, but I 
don't like this pop-up window and would like to use my own login form.

Thanks a lot,
Alex


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: tomcat webapp FORM authentication problem

Posted by Alexander Soudakov <so...@chem.psu.edu>.
Thanks. I thought it should be something stupid and obvious... Here we  
are. Embarrassing, but I guess I deserved that. Everything works now,  
after I put the resources outside the protected area. And from now on,  
I will treat my browser with more respect, and I will give back its  
cache and cookies.

Thanks again,
Alex


On Feb 24, 2009, at 10:13 PM, Caldarale, Charles R wrote:

>> From: Alexander Soudackov [mailto:souda@chem.psu.edu]
>> Subject: tomcat webapp FORM authentication problem
>>
>> I have a very annoying problem with a secured folder
>> in my tomcat web application.
>
> You could start the problem description by telling us the version of  
> Tomcat you're using.  It's likely not pertinent for this particular  
> issue, but it's annoying to hide such information.
>
>> The problem #1 is: login.html displays a form BUT there
>> is NO images, NO CSS formatting, and Javascript!
>
> Think about it: you've declared the resources noted as being  
> protected, authentication has not occurred, yet somehow you're  
> expecting Tomcat to magically ignore the protection settings when  
> the browser requests these resources?  You can't have it both ways -  
> you need to place the resources the form needs outside of the  
> protected area.
>
>> The problem #2 is: after successful authentication the
>> browser shows the SOURCE of the first javascript referenced
>> in index.html, instead of index.html
>
> Try fixing the first problem and see if the second one disappears.
>
>> The problems reoccur after cleaning the cash and cookies of
>> the browser.
>
> You robbed your browser?  Or did you clean out its cache?
>
> - Chuck
>

==================================
Alexander Soudackov
Research Assistant Professor
Department of Chemistry
Pennsylvania State University
104 Chemistry Bldg
University Park, PA 16802
----------------------------------
Phone:	(814) 865-1354
Fax: 	(814) 863-5319
E-mail: souda@chem.psu.edu
http://www.personal.psu.edu/avs10
==================================






RE: tomcat webapp FORM authentication problem

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Alexander Soudackov [mailto:souda@chem.psu.edu]
> Subject: tomcat webapp FORM authentication problem
>
> I have a very annoying problem with a secured folder
> in my tomcat web application.

You could start the problem description by telling us the version of Tomcat you're using.  It's likely not pertinent for this particular issue, but it's annoying to hide such information.

> The problem #1 is: login.html displays a form BUT there
> is NO images, NO CSS formatting, and Javascript!

Think about it: you've declared the resources noted as being protected, authentication has not occurred, yet somehow you're expecting Tomcat to magically ignore the protection settings when the browser requests these resources?  You can't have it both ways - you need to place the resources the form needs outside of the protected area.

> The problem #2 is: after successful authentication the
> browser shows the SOURCE of the first javascript referenced
> in index.html, instead of index.html

Try fixing the first problem and see if the second one disappears.

> The problems reoccur after cleaning the cash and cookies of
> the browser.

You robbed your browser?  Or did you clean out its cache?

 - Chuck


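
Added example (not part of the original thread): a check for the misconfiguration diagnosed above, listing the assets a FORM login page references that themselves fall under an auth-constraint. The asset paths in the sample are hypothetical; the check ignores http-method lists and assumes page-relative URLs.

```python
import posixpath
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample: the thread's constraint; asset paths are hypothetical.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/protectedarea/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>tomcat</role-name></auth-constraint>
</security-constraint><login-config><form-login-config>
  <form-login-page>/protectedarea/login.html</form-login-page>
</form-login-config></login-config></web-app>"""
LOGIN_HTML = """<link rel="stylesheet" href="css/site.css"/>
<script src="js/validate.js"></script><img src="../public/logo.png"/>
<form action="j_security_check" method="POST"></form>"""

def matches(pattern, path):
    """Servlet url-pattern matching: prefix, extension, default, exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path

class Refs(HTMLParser):
    """Collects URLs the browser fetches automatically for a page."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        wanted = {("script", "src"), ("img", "src"), ("link", "href")}
        for name, value in attrs:
            if value and (tag, name) in wanted:
                self.urls.append(value)

def blocked_before_login(web_xml, login_html):
    """Return login-page assets that fall under an auth-constraint."""
    root = ET.fromstring(web_xml)
    patterns = [p.text.strip()
                for sc in root.findall(".//{*}security-constraint")
                if sc.find("{*}auth-constraint") is not None
                for p in sc.findall(".//{*}url-pattern")]
    base = posixpath.dirname(root.find(".//{*}form-login-page").text.strip())
    parser = Refs()
    parser.feed(login_html)
    # Resolve page-relative URLs against the login page's directory.
    paths = [posixpath.normpath(posixpath.join(base, u)) for u in parser.urls]
    return [p for p in paths if any(matches(pat, p) for pat in patterns)]

if __name__ == "__main__":
    print(blocked_before_login(WEB_XML, LOGIN_HTML))
```

An empty result means every asset the login page loads is reachable before authentication, which is the state reached in the thread by moving the resources outside the protected area.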