Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/10/16 16:12:31 UTC
DO NOT REPLY [Bug 23865] New: - Cannot access admin webapp from a host other than 'localhost'
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23865
Summary: Cannot access admin webapp from a host other than 'localhost'
Product: Tomcat 4
Version: 4.1.27
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: Normal
Priority: Other
Component: Webapps:Administration
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: tdecarlo@ssi-corp.com
The admin webapp is only accessible from the 'localhost'.
An attempt to access the admin webapp from another host produces
the following error after a successful login to the admin webapp....
HTTP Status 400 - Invalid direct reference to form login page
type Status report
message Invalid direct reference to form login page
description The request sent by the client was syntactically incorrect
(Invalid direct reference to form login page).
Apache Tomcat/4.1.27
It appears that the 'redirection to original' does not work, however
I don't quite understand why the client host would affect this.
Technical Details regarding the problem.......
There is a comment in the admin.xml file specifying that remote access
can be adjusted via the org.apache.catalina.valves.RemoteAddrValve
however I do not believe this is the issue since it appears that after
'adjusting' the RemoteAddrValve, one does not even get the admin
login page.
I set debug to 99 in admin.xml.......
Using a browser on a remote host.....
Clicking on the Tomcat Administrator link takes me to the admin
login page and produces the following in the admin log.......
**** Excerpt from localhost_admin_log ****
2003-10-16 09:59:38 Authenticator[/admin]: Security checking request GET /admin
2003-10-16 09:59:38 Authenticator[/admin]: Checking constraint 'SecurityConstraint[Protected Area]' against GET --> false
2003-10-16 09:59:38 Authenticator[/admin]: No applicable constraint located
2003-10-16 09:59:38 Authenticator[/admin]: Not subject to any constraint
2003-10-16 09:59:38 StandardContext[/admin]: Mapping contextPath='/admin' with requestURI='/admin' and relativeURI=''
2003-10-16 09:59:38 StandardContext[/admin]: Trying exact match
2003-10-16 09:59:38 StandardContext[/admin]: Trying prefix match
2003-10-16 09:59:38 StandardContext[/admin]: Trying extension match
2003-10-16 09:59:38 StandardContext[/admin]: Trying default match
2003-10-16 09:59:38 StandardContext[/admin]: Mapped to servlet 'default' with servlet path '' and path info 'null' and update=true
2003-10-16 09:59:38 Authenticator[/admin]: Security checking request GET /admin/
2003-10-16 09:59:38 Authenticator[/admin]: Checking constraint 'SecurityConstraint[Protected Area]' against GET / --> false
2003-10-16 09:59:38 Authenticator[/admin]: No applicable constraint located
2003-10-16 09:59:38 Authenticator[/admin]: Not subject to any constraint
2003-10-16 09:59:38 StandardContext[/admin]: Mapping contextPath='/admin' with requestURI='/admin/' and relativeURI='/'
2003-10-16 09:59:38 StandardContext[/admin]: Trying exact match
2003-10-16 09:59:38 StandardContext[/admin]: Trying prefix match
2003-10-16 09:59:38 StandardContext[/admin]: Trying extension match
2003-10-16 09:59:38 StandardContext[/admin]: Trying default match
2003-10-16 09:59:38 StandardContext[/admin]: Mapped to servlet 'default' with servlet path '/' and path info 'null' and update=true
2003-10-16 09:59:39 Authenticator[/admin]: Security checking request GET /admin/index.jsp
2003-10-16 09:59:39 Authenticator[/admin]: Checking constraint 'SecurityConstraint[Protected Area]' against GET /index.jsp --> true
2003-10-16 09:59:39 Authenticator[/admin]: Subject to constraint SecurityConstraint[Protected Area]
2003-10-16 09:59:39 Authenticator[/admin]: Calling checkUserData()
2003-10-16 09:59:39 Authenticator[/admin]: User data constraint has no restrictions
2003-10-16 09:59:39 Authenticator[/admin]: Calling authenticate()
2003-10-16 09:59:39 Authenticator[/admin]: Save request in session '7B93E21E9FBE96CE8500B8DA438FA72D'
2003-10-16 09:59:39 Authenticator[/admin]: Redirect to login page '/admin/login.jsp'
2003-10-16 09:59:39 Authenticator[/admin]: Failed authenticate() test
2003-10-16 09:59:40 Authenticator[/admin]: Security checking request GET /admin/login.jsp
2003-10-16 09:59:40 Authenticator[/admin]: Checking constraint 'SecurityConstraint[Protected Area]' against GET /login.jsp --> true
2003-10-16 09:59:40 Authenticator[/admin]: Subject to constraint SecurityConstraint[Protected Area]
2003-10-16 09:59:40 Authenticator[/admin]: Calling checkUserData()
2003-10-16 09:59:40 Authenticator[/admin]: User data constraint has no restrictions
2003-10-16 09:59:40 Authenticator[/admin]: Calling authenticate()
2003-10-16 09:59:40 Authenticator[/admin]: Requesting login page normally
2003-10-16 09:59:40 Authenticator[/admin]: Calling accessControl()
2003-10-16 09:59:40 Authenticator[/admin]: Allow access to login page /admin/login.jsp
2003-10-16 09:59:40 Authenticator[/admin]: Successfully passed all security constraints
2003-10-16 09:59:40 StandardContext[/admin]: Mapping contextPath='/admin' with requestURI='/admin/login.jsp' and relativeURI='/login.jsp'
2003-10-16 09:59:40 StandardContext[/admin]: Trying exact match
2003-10-16 09:59:40 StandardContext[/admin]: Trying prefix match
2003-10-16 09:59:40 StandardContext[/admin]: Trying extension match
2003-10-16 09:59:40 StandardContext[/admin]: Mapped to servlet 'jsp' with servlet path '/login.jsp' and path info 'null' and update=true
Entering a valid user & password in the login page produces the 400 error
and the following appears in the admin log.....
**** Excerpt from localhost_admin_log ****
2003-10-16 10:02:23 Authenticator[/admin]: Security checking request POST /admin/j_security_check
2003-10-16 10:02:23 Authenticator[/admin]: Authenticating username 'td'
2003-10-16 10:02:23 Authenticator[/admin]: Authentication of 'td' was successful
2003-10-16 10:02:23 Authenticator[/admin]: Redirecting to original 'null'
2003-10-16 10:02:23 Authenticator[/admin]: Failed authenticate() test
Hitting login through a browser running on localhost produces the
following log output....
**** Excerpt from localhost_admin_log ****
2003-10-16 10:04:07 Authenticator[/admin]: Security checking request POST /admin/j_security_check
2003-10-16 10:04:07 Authenticator[/admin]: Authenticating username 'td'
2003-10-16 10:04:07 Authenticator[/admin]: Authentication of 'td' was successful
2003-10-16 10:04:07 Authenticator[/admin]: Redirecting to original '/admin/index.jsp'
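A triage script for Authenticator debug logs like the excerpts above, added here as an example and not part of the original bug report or of Tomcat: it pairs each successful FORM login with the URI in the following "Redirecting to original" line and reports the logins where that URI is 'null', the case that ended in the 400 response described in this report. The sample log is constructed from the excerpts, the function names are illustrative, and the script assumes one login at a time per context.

```python
import re

# Constructed sample modelled on the Authenticator debug lines quoted in the
# report; two entries are wrapped the way a mail client would wrap them.
SAMPLE_LOG = """\
2003-10-16 10:02:23 Authenticator[/admin]: Authenticating username 'td'
2003-10-16 10:02:23 Authenticator[/admin]: Authentication of 'td' was
successful
2003-10-16 10:02:23 Authenticator[/admin]: Redirecting to original 'null'
2003-10-16 10:04:07 Authenticator[/admin]: Authentication of 'td' was successful
2003-10-16 10:04:07 Authenticator[/admin]: Redirecting to original
'/admin/index.jsp'
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")
PREFIX = r"^(\S+ \S+) Authenticator\[([^\]]*)\]: "
AUTH_OK = re.compile(PREFIX + r"Authentication of '(.*)' was successful$")
REDIRECT = re.compile(PREFIX + r"Redirecting to original '(.*)'$")

def unwrap(text):
    """Join continuation lines (no leading timestamp) onto the previous entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def form_logins(text):
    """Pair each successful login with the 'original' URI it was redirected to."""
    pending, logins = {}, []  # pending: context path -> (timestamp, username)
    for entry in unwrap(text):
        ok, redirect = AUTH_OK.match(entry), REDIRECT.match(entry)
        if ok:
            pending[ok.group(2)] = (ok.group(1), ok.group(3))
        elif redirect and redirect.group(2) in pending:
            when, user = pending.pop(redirect.group(2))
            logins.append({"time": when, "context": redirect.group(2),
                           "user": user, "original": redirect.group(3)})
    return logins

def lost_saved_request(text):
    """Logins that authenticated but had no saved request to return to."""
    return [login for login in form_logins(text) if login["original"] == "null"]

if __name__ == "__main__":
    for login in lost_saved_request(SAMPLE_LOG):
        print("{time} {context} user={user}: saved request missing".format(**login))
```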