Posted to users@tomcat.apache.org by Amol Upadhye <Am...@S1.com> on 2006/04/18 15:21:16 UTC

RE: Post request to 'j_security_check' after tomcat restart or session timeout produces error 400

Anybody know about the problem I have as described in below email?

Thanks,
Amol

-----Original Message-----
From: Amol Upadhye [mailto:Amol.Upadhye@S1.com] 
Sent: Thursday, April 13, 2006 2:25 PM
To: users@tomcat.apache.org
Subject: Post request to 'j_security_check' after tomcat restart or session
timeout produces error 400 

Hi,

I am using Tomcat 5.0.28 and Form based authentication. 
Here are steps to produce my problem,
1. Access secured page -> tomcat forwards request to login page
2. Restart tomcat server or wait till session expires, keep login page as it
is, do not close browser window.
3. After tomcat restarts, with same login page try to login

In this case even if login information is correct tomcat throws error 400. 
This is because it loses the URL to which to forward to after
authentication.
What I want is to forward the request to the desired page (may be
preconfigured). 
Is there a way to configure so that control is forwarded to the configured
page in this case?
Currently I have Error 400 handler in which if requested URL is
'j_security_check' then I redirect to the desired page (secured page). But
tomcat somehow doesn't keep authenticated principal and again presents login
screen.

Any help is very much appreciated.

Thanks,
Amol


Re: Post request to 'j_security_check' after tomcat restart or session timeout produces error 400

Posted by David Delbecq <de...@oma.be>.
Hi,

First, you must understand that in form based login, access to the form
should never be done directly. That's because the container can accept a
form login only if the user has first tried to access an area requiring
authentication. In simple terms, you see the form because the
container has decided it required your credentials, not because you just
wanted to log in.

Now in your case, after a session expires, when the user submits the form,
tomcat just notices it gets an access to j_security_check while the user
session (which has been reset) shows no track of a previous attempt to
access a secure area needing authentication. The container then
concludes naturally it is an attempt at accessing directly the
j_security_check and just ignores the call, sending a 400.
At this step, tomcat has not saved the user/pass.

In your error handler you redirect to the secure area. Then naturally,
tomcat now triggers the code requesting credentials and shows the
login form again.

So there is no solution to solve your problem, except perhaps increasing
session timeout to limit the number of 'show form - timeout - submit form'

The case of tomcat shutting down may be due to errors persisting the
sessions (See output at tomcat shutdown/startup and check for session
persistence errors)

regards,
David Delbecq


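Added example (not part of the original thread, and not Tomcat source code): a simplified Python model of the container behaviour David describes, replaying the three steps from the original report plus the 400 handler's redirect. All class names, paths and credentials are constructed for illustration.

```python
# Simplified model of form-login handling as described in this thread.
# Not Tomcat source; names, paths and credentials are constructed.
SECURED = {"/secure/report"}
LOGIN_PAGE = "/login.jsp"
ERROR_PAGE = "/error.jsp"
USERS = {"amol": "s3cret"}


class Container:
    def __init__(self):
        self.sessions = {}  # session id -> attribute dict

    def restart(self):
        """Restart without session persistence, or expiry: state is lost."""
        self.sessions.clear()

    def request(self, sid, method, path, form=None):
        session, form = self.sessions.setdefault(sid, {}), form or {}
        if method == "POST" and path == "/j_security_check":
            saved = session.get("saved_request")
            if saved is None:
                # No record that this session was ever challenged, so this
                # counts as direct access; credentials are never evaluated.
                return 400, None
            user = form.get("j_username")
            if user not in USERS or USERS[user] != form.get("j_password"):
                return 200, ERROR_PAGE
            session["principal"] = user
            del session["saved_request"]
            return 302, saved  # back to the originally requested URL
        if path in SECURED and "principal" not in session:
            session["saved_request"] = path  # remembered for after login
            return 200, LOGIN_PAGE
        return 200, path


def replay_thread_scenario():
    c, sid = Container(), "browser-1"
    creds = {"j_username": "amol", "j_password": "s3cret"}
    results = [c.request(sid, "GET", "/secure/report")]               # step 1
    c.restart()                                                       # step 2
    results.append(c.request(sid, "POST", "/j_security_check", creds))  # step 3
    # The 400 handler's redirect is a fresh GET with no principal in session.
    results.append(c.request(sid, "GET", "/secure/report"))
    # A saved request exists again, so submitting the form now succeeds.
    results.append(c.request(sid, "POST", "/j_security_check", creds))
    return results
```

The replay returns the login form, then 400, then the login form again, then a redirect to the secured page, matching the sequence explained in the reply above.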