You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Warren Crossing <wa...@imagination.net.nz> on 2001/01/04 06:54:58 UTC

form-error-page j_security_check ignored

hey,

i've had to debug these following class to get it going..
it just stopped on j_security_check when a incorrect username password combination was supplied.

sorry i can't update them myself.. maybe next time =D

release 4 milestone 5 src code

FormAuthenticator.class authenticate method 

....
if ( principal == null ) {
  request.setRequestURI(contextPath + config.getErrorPage());
------NEW LINE ----
  request.setMethod ("GET");
------END LINE -----
------MODIFIED LINE----
  return ( false ) ; 
------END MODIFY------
}
...

AuthenticatorBase.class invoke method

if (!authenticate(hrequest,hresponse,config)) {
...
-----REMOVE LINE-----
//return;
-----END REMOVE -----
}

Re: form-error-page j_security_check ignored

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.

Warren Crossing wrote:

> hey,
>
> i've had to debug these following class to get it going..
> it just stopped on j_security_check when a incorrect username password combination was supplied.
>
> sorry i can't update them myself.. maybe next time =D
>
> release 4 milestone 5 src code
>

Warren,

It would be helpful for you to describe a little more detail about how you have your webapp set up
(what your login and error pages look like, and how you've got stuff configured in web.xml).  Even
more important, what is it about the current behavior that you think is not working correctly?  And
what do think the correct behavior is?

After we understand and agree on behavior, we can detrmine what changes (if any) are needed in the
code.

Also, the best way to post patches is to use the "unified diff" format, as described on the Jakarta
web site.  It is not at all clear from your posted patches exactly which lines get modified to what.

>
> FormAuthenticator.class authenticate method
>
> ....
> if ( principal == null ) {
>   request.setRequestURI(contextPath + config.getErrorPage());
> ------NEW LINE ----
>   request.setMethod ("GET");
> ------END LINE -----
> ------MODIFIED LINE----
>   return ( false ) ;
> ------END MODIFY------
> }
>

I do not see anywhere in the spec that the error page is guaranteed to be invoked with a GET.  Did I
miss something?  (Note -- if you are using a JSP page for the error page, this doesn't matter -- JSP
pages deal with GET and POST identically).

What is the purpose for modifying the return value?  At present, this logic correctly displays the
error page if you type in an invalid username or password.

> ...
>
> AuthenticatorBase.class invoke method
>
> if (!authenticate(hrequest,hresponse,config)) {
> ...
> -----REMOVE LINE-----
> //return;
> -----END REMOVE -----
> }
>

Same question -- what are you trying to accomplish here?

Craig McClanahan