Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/10/16 16:12:31 UTC

DO NOT REPLY [Bug 23865] New: - Cannot access admin webapp from a host other than 'localhost'

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23865

           Summary: Cannot access admin webapp from a host other than
                    'localhost'
           Product: Tomcat 4
           Version: 4.1.27
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Webapps:Administration
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: tdecarlo@ssi-corp.com


The admin webapp is only accessible from the 'localhost'. 
An attempt to access the admin webapp from another host produces 
the following error after a successful login to the admin webapp.... 
 
   HTTP Status 400 - Invalid direct reference to form login page 
   type Status report 
   message Invalid direct reference to form login page 
   description The request sent by the client was syntactically incorrect 
   (Invalid direct reference to form login page). 
   Apache Tomcat/4.1.27 
 
It appears that the 'redirection to original' does not work, however 
I don't quite understand why the client host would affect this. 
 
Technical Details regarding the problem.......
 
There is a comment in the admin.xml file specifying that remote access 
can be adjusted via the org.apache.catalina.valves.RemoteAddrValve 
however I do not believe this is the issue since it appears that after 
'adjusting' the RemoteAddrValve, one does not even get the admin 
login page. 
 
I set debug to 99 in admin.xml....... 
 
Using a browser on a remote host..... 
Clicking on the Tomcat Administrator link takes me to the admin 
login page and produces the following in the admin log....... 
 
**** Excerpt from localhost_admin_log **** 
 
2003-10-16 09:59:38 Authenticator[/admin]: Security checking request GET 
/admin 
2003-10-16 09:59:38 Authenticator[/admin]:   Checking constraint 
'SecurityConstraint[Protected Area]' against GET  --> false 
2003-10-16 09:59:38 Authenticator[/admin]:   No applicable constraint located 
2003-10-16 09:59:38 Authenticator[/admin]:  Not subject to any constraint 
2003-10-16 09:59:38 StandardContext[/admin]: Mapping contextPath='/admin' with 
requestURI='/admin' and relativeURI='' 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying exact match 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying prefix match 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying extension match 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying default match 
2003-10-16 09:59:38 StandardContext[/admin]:  Mapped to servlet 'default' with 
servlet path '' and path info 'null' and update=true 
2003-10-16 09:59:38 Authenticator[/admin]: Security checking request GET 
/admin/ 
2003-10-16 09:59:38 Authenticator[/admin]:   Checking constraint 
'SecurityConstraint[Protected Area]' against GET / --> false 
2003-10-16 09:59:38 Authenticator[/admin]:   No applicable constraint located 
2003-10-16 09:59:38 Authenticator[/admin]:  Not subject to any constraint 
2003-10-16 09:59:38 StandardContext[/admin]: Mapping contextPath='/admin' with 
requestURI='/admin/' and relativeURI='/' 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying exact match 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying prefix match 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying extension match 
2003-10-16 09:59:38 StandardContext[/admin]:   Trying default match 
2003-10-16 09:59:38 StandardContext[/admin]:  Mapped to servlet 'default' with 
servlet path '/' and path info 'null' and update=true 
2003-10-16 09:59:39 Authenticator[/admin]: Security checking request GET 
/admin/index.jsp 
2003-10-16 09:59:39 Authenticator[/admin]:   Checking constraint 
'SecurityConstraint[Protected Area]' against GET /index.jsp --> true 
2003-10-16 09:59:39 Authenticator[/admin]:  Subject to constraint 
SecurityConstraint[Protected Area] 
2003-10-16 09:59:39 Authenticator[/admin]:  Calling checkUserData() 
2003-10-16 09:59:39 Authenticator[/admin]:   User data constraint has no 
restrictions 
2003-10-16 09:59:39 Authenticator[/admin]:  Calling authenticate() 
2003-10-16 09:59:39 Authenticator[/admin]: Save request in session 
'7B93E21E9FBE96CE8500B8DA438FA72D' 
2003-10-16 09:59:39 Authenticator[/admin]: Redirect to login page 
'/admin/login.jsp' 
2003-10-16 09:59:39 Authenticator[/admin]:  Failed authenticate() test 
2003-10-16 09:59:40 Authenticator[/admin]: Security checking request GET 
/admin/login.jsp 
2003-10-16 09:59:40 Authenticator[/admin]:   Checking constraint 
'SecurityConstraint[Protected Area]' against GET /login.jsp --> true 
2003-10-16 09:59:40 Authenticator[/admin]:  Subject to constraint 
SecurityConstraint[Protected Area] 
2003-10-16 09:59:40 Authenticator[/admin]:  Calling checkUserData() 
2003-10-16 09:59:40 Authenticator[/admin]:   User data constraint has no 
restrictions 
2003-10-16 09:59:40 Authenticator[/admin]:  Calling authenticate() 
2003-10-16 09:59:40 Authenticator[/admin]: Requesting login page normally 
2003-10-16 09:59:40 Authenticator[/admin]:  Calling accessControl() 
2003-10-16 09:59:40 Authenticator[/admin]:  Allow access to login page 
/admin/login.jsp 
2003-10-16 09:59:40 Authenticator[/admin]:  Successfully passed all security 
constraints 
2003-10-16 09:59:40 StandardContext[/admin]: Mapping contextPath='/admin' with 
requestURI='/admin/login.jsp' and relativeURI='/login.jsp' 
2003-10-16 09:59:40 StandardContext[/admin]:   Trying exact match 
2003-10-16 09:59:40 StandardContext[/admin]:   Trying prefix match 
2003-10-16 09:59:40 StandardContext[/admin]:   Trying extension match 
2003-10-16 09:59:40 StandardContext[/admin]:  Mapped to servlet 'jsp' with 
servlet path '/login.jsp' and path info 'null' and update=true 
 
 
 
 
Entering a valid user & password in the login page, produces the 400 error 
and the following appears in the admin log..... 
 
 
 
**** Excerpt from localhost_admin_log **** 
 
2003-10-16 10:02:23 Authenticator[/admin]: Security checking request POST 
/admin/j_security_check 
2003-10-16 10:02:23 Authenticator[/admin]: Authenticating username 'td' 
2003-10-16 10:02:23 Authenticator[/admin]: Authentication of 'td' was 
successful 
2003-10-16 10:02:23 Authenticator[/admin]: Redirecting to original 'null' 
2003-10-16 10:02:23 Authenticator[/admin]:  Failed authenticate() test 
 
 
Hitting login through a browser running on localhost produces the 
following log output.... 
 
**** Excerpt from localhost_admin_log **** 
 
2003-10-16 10:04:07 Authenticator[/admin]: Security checking request POST 
/admin/j_security_check 
2003-10-16 10:04:07 Authenticator[/admin]: Authenticating username 'td' 
2003-10-16 10:04:07 Authenticator[/admin]: Authentication of 'td' was 
successful 
2003-10-16 10:04:07 Authenticator[/admin]: Redirecting to original 
'/admin/index.jsp'

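The comparison the report makes by eye between the remote and localhost excerpts can be scripted. The following is an added example, not part of the original report and not Tomcat code: it rejoins the hard-wrapped Authenticator debug lines and pairs each successful form login with the "Redirecting to original" target that follows it. The function and field names are hypothetical, and the log layout is assumed to be the one shown in the excerpts above.

```python
import re

# Constructed sample: lines in the shape of the report's localhost_admin_log
# excerpts (remote login at 10:02:23, localhost login at 10:04:07), wraps kept.
SAMPLE_LOG = """\
2003-10-16 10:02:23 Authenticator[/admin]: Security checking request POST
/admin/j_security_check
2003-10-16 10:02:23 Authenticator[/admin]: Authenticating username 'td'
2003-10-16 10:02:23 Authenticator[/admin]: Authentication of 'td' was
successful
2003-10-16 10:02:23 Authenticator[/admin]: Redirecting to original 'null'
2003-10-16 10:02:23 Authenticator[/admin]:  Failed authenticate() test
2003-10-16 10:04:07 Authenticator[/admin]: Authenticating username 'td'
2003-10-16 10:04:07 Authenticator[/admin]: Authentication of 'td' was
successful
2003-10-16 10:04:07 Authenticator[/admin]: Redirecting to original
'/admin/index.jsp'
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)\[([^\]]*)\]:\s*(.*)$")
AUTH_OK = re.compile(r"Authentication of '([^']*)' was successful")
REDIRECT = re.compile(r"Redirecting to original '([^']*)'")

def records(text):
    """Rejoin hard-wrapped lines into (timestamp, component, context, message)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = RECORD.match(line)
        if m:
            out.append(list(m.groups()))
        elif line and out:  # no timestamp: continuation of the previous record
            out[-1][3] = (out[-1][3] + " " + line).strip()
    return [tuple(r) for r in out]

def login_outcomes(text):
    """Pair each successful form login with the redirect target logged after it."""
    results, pending = [], {}
    for ts, comp, ctx, msg in records(text):
        if comp != "Authenticator":
            continue
        ok, rd = AUTH_OK.search(msg), REDIRECT.search(msg)
        if ok:
            pending[ctx] = (ts, ok.group(1))  # remember login until redirect line
        elif rd and ctx in pending:
            start, user = pending.pop(ctx)
            results.append({"time": start, "context": ctx, "user": user,
                            "target": rd.group(1), "null_target": rd.group(1) == "null"})
    return results
```

Entries with `null_target` set are the logins that authenticated but had no saved original request to return to, which is the case that ends in the HTTP 400 described in the report.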