Posted to users@tomcat.apache.org by Brett Mason <b....@adinstruments.com> on 2012/07/20 04:37:33 UTC

Forms authentication without cookies in 6.0.33

Hi there,

We have an application which uses the forms authentication provided by the
Servlet specification and is configured to store session IDs in the URL rather
than using cookies. This configuration has been working as expected under
Tomcat 6.0.32 and earlier.

On upgrading to Tomcat 6.0.33 or 6.0.35 this combination no longer works as
expected. Specifically, when a user initially submits the login form they
are immediately returned back to the form-login-page. Submitting the login
form a second time allows them to log in. The only difference I have been
able to spot between the first and second form submission is for the second
submission the request attribute "javax.servlet.forward.request_uri" now
has the jsessionid appended to the URL.

After a bit of reading I'm not sure if this change is a bug, perhaps
introduced by the changes to path parameter handling as mentioned in these
threads:
  http://markmail.org/thread/2yzusfukitalkhyx
  http://tomcat.markmail.org/thread/ykx72wcuzcmiyujz

Or if we are using an unsupported configuration which is suggested by
section SRV.12.5.3.1 of the Servlet specification v2.5.


Could someone please clarify if Tomcat supports forms authentication
without cookies? If it is intended to be a supported configuration I'm
happy to submit a bug report and can provide a simple standalone test app
to reproduce the problem.

Thanks,
Brett.


Environment details:
- Windows 7 64-bit, Oracle JVM 1.6.0u32 & 1.7.0u4.
- Debian 5 32-bit, Oracle JVM 1.6.0u32.

Re: Forms authentication without cookies in 6.0.33

Posted by Brett Mason <b....@adinstruments.com>.
On Fri, Jul 20, 2012 at 7:06 PM, Pid * <pi...@pidster.com> wrote:

> On 20 Jul 2012, at 03:38, Brett Mason <b....@adinstruments.com> wrote:
> > Could someone please clarify if Tomcat supports forms authentication
> > without cookies? If it is intended to be a supported configuration I'm
> > happy to submit a bug report and can provide a simple standalone test
> app
> > to reproduce the problem.
>
> Form auth should work regardless of where the session id lives.
>
> Is the login form an HTML or JSP page? A session must be created
> before you can log in; it sounds like Tomcat isn't seeing one during
> the first login.
>
>
The login page is a JSP (via a Servlet). We use the JSTL <c:url> tag to
generate the post URL which appears to be adding a valid sessionID:

<form method="post" action="<c:url value="j_security_check"/>">

Thanks,
Brett.
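The rewritten action URL that `<c:url value="j_security_check"/>` produces carries the session ID as a `;jsessionid=...` path parameter rather than a cookie, so the container has to separate that parameter from the path before it can find the session and match the request against its security constraints and the `j_security_check` login handler. The small parser below is an added example, not code from this thread or from Tomcat; the helper names, the constructed URIs and the protected-prefix list are assumptions made for the illustration.

```python
"""
Added example (not from the thread or from Tomcat): parsing the ';name=value'
path parameters that URL-rewritten session tracking adds to a request URI,
e.g. the form action that <c:url value="j_security_check"/> renders as
    /app/j_security_check;jsessionid=ABC123
A servlet container must strip these parameters before matching the path
against security constraints and the login handler, and read the session id
out of them when cookies are disabled.  All URIs here are constructed.
"""
from urllib.parse import urlsplit

# Parameter name the Servlet specification uses for URL rewriting.
SESSION_PARAM = "jsessionid"


def split_path_parameters(request_uri):
    """Return (clean_path, params, query) for a request URI.

    Path parameters may appear on any segment ('/a;x=1/b;jsessionid=...'),
    so every segment is scanned and only the segment names are kept in the
    cleaned path.  Parameter names are compared case-insensitively, which
    is how a container looks up the session id.
    """
    parts = urlsplit(request_uri)  # keeps ';' inside .path, splits off ?query
    clean_segments = []
    params = {}
    for segment in parts.path.split("/"):
        pieces = segment.split(";")
        clean_segments.append(pieces[0])
        for piece in pieces[1:]:
            if not piece:
                continue
            name, _, value = piece.partition("=")
            params[name.lower()] = value
    return "/".join(clean_segments), params, parts.query


def session_id_from_uri(request_uri):
    """Session id carried in the URI, or None when it is absent or empty."""
    _, params, _ = split_path_parameters(request_uri)
    return params.get(SESSION_PARAM) or None


def is_protected(request_uri, protected_prefixes=("/app/secure/",)):
    """Match a (hypothetical) security constraint against the cleaned path.

    Matching on the raw URI would let path parameters on any segment change
    the result; matching on the cleaned path gives the same answer whether
    or not the session id is rewritten into the URL.
    """
    clean_path, _, _ = split_path_parameters(request_uri)
    return any(clean_path.startswith(prefix) for prefix in protected_prefixes)


if __name__ == "__main__":
    # Constructed request URIs: the rewritten login action, and a page under
    # a protected prefix reached with a session id in the URL.
    for uri in ("/app/j_security_check;jsessionid=ABC123",
                "/app/secure;x=y/page;jsessionid=ABC123?tab=2",
                "/app/login.jsp"):
        path, params, query = split_path_parameters(uri)
        print(uri, "->", path, params, query or "-",
              "session:", session_id_from_uri(uri),
              "protected:", is_protected(uri))
```

Running the block prints, for each constructed URI, the cleaned path, the parsed parameters and whether the hypothetical `/app/secure/` constraint applies; the login action URI yields the session id `ABC123` with the clean path `/app/j_security_check`, which is the pairing the container needs in order to see an existing session on the first form submission.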

Re: Forms authentication without cookies in 6.0.33

Posted by Pid * <pi...@pidster.com>.
On 20 Jul 2012, at 03:38, Brett Mason <b....@adinstruments.com> wrote:

> Hi there,
>
> We have an application which uses the forms authentication provided by
> Servlet specification and is configured to store session IDs in the URL rather
> than using cookies. This configuration has been working as expected under
> Tomcat 6.0.32 and earlier.
>
> On upgrading to Tomcat 6.0.33 or 6.0.35 this combination no longer works as
> expected. Specifically, when a user initially submits the login form they
> are immediately returned back to the form-login-page. Submitting the login
> form a second time allows them to log in. The only difference I have been
> able to spot between the first and second form submission is for the second
> submission the request attribute "javax.servlet.forward.request_uri" now
> has the jsessionid appended to the URL.
>
> After a bit of reading I'm not sure if this change is a bug, perhaps
> introduced by the changes to path parameter handling as mentioned in these
> threads:
>  http://markmail.org/thread/2yzusfukitalkhyx
>  http://tomcat.markmail.org/thread/ykx72wcuzcmiyujz
>
> Or if we are using an unsupported configuration which is suggested by
> section SRV.12.5.3.1 of the Servlet specification v2.5.
>
>
> Could someone please clarify if Tomcat supports forms authentication
> without cookies? If it is intended to be a supported configuration I'm
> happy to submit a bug report and can provide a simple standalone test app
> to reproduce the problem.

Form auth should work regardless of where the session id lives.

Is the login form an HTML or JSP page? A session must be created
before you can log in; it sounds like Tomcat isn't seeing one during
the first login.


p



>
> Thanks,
> Brett.
>
>
> Environment details:
> - Windows 7 64-bit, Oracle JVM 1.6.0u32 & 1.7.0u4.
> - Debian 5 32-bit, Oracle JVM 1.6.0u32.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Forms authentication without cookies in 6.0.33

Posted by Brett Mason <b....@adinstruments.com>.
On Fri, Jul 20, 2012 at 7:20 PM, Mark Thomas <ma...@apache.org> wrote:

> Brett Mason <b....@adinstruments.com> wrote:
> >Could someone please clarify if Tomcat supports forms authentication
> >without cookies?
>
> It should.
>
> > If it is intended to be a supported configuration I'm
> >happy to submit a bug report and can provide a simple standalone test
> >app
> >to reproduce the problem.
>
> Please. The best standalone test apps are those supplied as WARs with the
> source for any classes (if any - ideally none) included in the WAR. Source
> trees we have to build are usually a pain as we rarely have the right
> combination of build tools and settings immediately to hand.


Thanks for the confirmation.

I've submitted the bug and test app as:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53584 . I've kept it to
pure JSPs with no additional libraries so it will hopefully be easy to
reproduce.

Thanks,
Brett.

Re: Forms authentication without cookies in 6.0.33

Posted by Mark Thomas <ma...@apache.org>.
Brett Mason <b....@adinstruments.com> wrote:
>Could someone please clarify if Tomcat supports forms authentication
>without cookies?

It should.

> If it is intended to be a supported configuration I'm
>happy to submit a bug report and can provide a simple standalone test
>app
>to reproduce the problem.

Please. The best standalone test apps are those supplied as WARs with the source for any classes (if any - ideally none) included in the WAR. Source trees we have to build are usually a pain as we rarely have the right combination of build tools and settings immediately to hand.

Mark


