Posted to users@tomcat.apache.org by Rob Hunt <ro...@comcast.net> on 2007/11/15 17:16:43 UTC

[TC 5.0.25] Posting directly to j_security_check

I have a form on a page that posts directly to j_security_check:
 
http://www.site.com/index.htm
    <form method="post" action="https://secure.site.com/j_security_check">
        <input type="text" name="j_username" />
        <input type="password" name="j_password" />
    </form>
 
 
When the POST request is received by secure.site.com, it kicks back a 408
response code and this message:
"The time allowed for the login process has been exceeded. If you wish to
continue you must either click back twice and re-click the link you
requested or close and re-open your browser"
 
Now I know it's choking because no session has been established.  But why
doesn't j_security_check authenticate first and then attempt to set
session/cookies?  Does anyone have a FORM based login workaround for this?
 
 
 
Second question, what source module implements j_security_check?

Re: [TC 5.0.25] Posting directly to j_security_check

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
David Smith wrote:
> j_security_check should never be directly referenced.  Clients should 
> be requesting a secured resource.  Tomcat then saves the request and 
> forwards the client to the login page (specified in WEB-INF/web.xml) 
> which in turn submits authentication information to 
> j_security_check.  Then Tomcat restores the original request and 
> forwards the client to the originally requested resource.  This is all 
> per the servlet spec.
>
> In other words, don't have anyone attempt to use your login page 
> directly as it won't work.  When the login page hits j_security_check, 
> Tomcat won't have a stored request, assume an old, timed-out login 
> attempt and respond as you've described.
Correct, take a look at the Tomcat examples.
Filip
>
> --David

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [TC 5.0.25] Posting directly to j_security_check

Posted by David Smith <dn...@cornell.edu>.
j_security_check should never be directly referenced.  Clients should be 
requesting a secured resource.  Tomcat then saves the request and 
forwards the client to the login page (specified in WEB-INF/web.xml) 
which in turn submits authentication information to j_security_check.  
Then Tomcat restores the original request and forwards the client to 
the originally requested resource.  This is all per the servlet spec.

In other words, don't have anyone attempt to use your login page directly 
as it won't work.  When the login page hits j_security_check, Tomcat 
won't have a stored request, assume an old, timed-out login attempt and 
respond as you've described.

--David



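The flow David describes, as an added example that is not part of the original thread: a Servlet 2.4 WEB-INF/web.xml for container-managed FORM login on secure.site.com. The /members/* path, the "member" role and the two JSP file names are assumptions made for illustration.

```xml
<!-- WEB-INF/web.xml (constructed example; /members/*, the "member" role
     and the JSP names are assumptions, not taken from the thread) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Step 1: declare the protected resource. The public page
       (http://www.site.com/index.htm) links to
       https://secure.site.com/members/ and carries no login form. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Credentials are only accepted over HTTPS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 2: an unauthenticated request for /members/* makes the container
       create a session, save the request and show this login page. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>

<!-- Step 3: /login.jsp is reached only through step 2, so the POST below
     arrives with the session that holds the saved request. The same POST
     sent from a page outside this flow finds no saved request and gets 408.

  <form method="post" action="j_security_check">
    <input type="text" name="j_username" />
    <input type="password" name="j_password" />
    <input type="submit" value="Log in" />
  </form>
-->
```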

Re: [TC 5.0.25] Posting directly to j_security_check

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rob,

Rob Hunt wrote:
> I have a form on a page that posts directly to j_security_check:

As others have pointed out, you can't do that.

If you use a separate authentication mechanism, you can. See the
securityfilter project (http://securityfilter.sourceforge.net/) for a
servlet filter that allows direct-posting and lots of other goodies.

-chris
