Posted to users@tomcat.apache.org by shunhecun <gu...@gmail.com> on 2007/09/06 18:09:48 UTC

Tomcat 5.5.23: cannot return to login page??

Hi,

My application uses MemoryRealm and FORM-based authentication. 

In the file tomcat-users.xml, there is a user called "view", which belongs
to role "users".  The role "users" is not included in web.xml of the
application. 

If I try to log in to the application with the user "view", I get an error:
"HTTP Status 403 - Access to the requested resource has been denied". I
cannot go back to the login page. I have to close the browser or restart the
server to see the login page. 

Cleaning the browser's cache is not working. It seems the authentication
information is cached in the Tomcat server. Any idea?

Regards,
Cun


-- 
View this message in context: http://www.nabble.com/Tomcat-5.5.23%3A-cannot-return-to-login-page---tf4393110.html#a12525873
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 5.5.23: cannot return to login page??

Posted by Pid <p...@pidster.com>.
Christopher Schultz wrote:
> Cun,
> 
> shunhecun wrote:
>> If a user fails to log in, he should be directed to the page specified in
>> web.xml, i.e. <form-error-page>/loginError.jsp</form-error-page>. And the
>> page /loginError.jsp is an unprotected resource. 
> 
> Right. You didn't say that the user failed to login. You said that the
> user's rights didn't allow them to see that particular page.
> Authentication /was/ successful; authorization was not.
> 
>> If Tomcat does not kill the session for me in my case described in my first
>> message, how can I do that? 
> 
> Tomcat will not kill the session for you; you will have to do it
> yourself. You don't want to worry about failed logins -- those will go
> back to the login page. What you want to worry about is unauthorized
> page requests /after/ login, which is what the 403 error is all about.
> Just direct your webapp to forward 403 errors to something like
> "/logout.jsp" that does "session.invalidate()".

(eek!)

> I wouldn't do it this way, though. I'd present the user with an
> (unprotected) page that says "you're not allowed to view this page.
> Click <here> if you want to logout and re-login" (or something along
> those lines).

Customise the 403 error with a directive in the appropriate place in
your web.xml, like so:

    <error-page>
        <error-code>403</error-code>
        <location>/WEB-INF/error-pages/403.jsp</location>
    </error-page>

This page can have any content you like, and include the actions as
suggested by Chris.

p


> -chris
> 

Re: Tomcat 5.5.23: cannot return to login page??

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cun,

shunhecun wrote:
> If a user fails to log in, he should be directed to the page specified in
> web.xml, i.e. <form-error-page>/loginError.jsp</form-error-page>. And the
> page /loginError.jsp is an unprotected resource. 

Right. You didn't say that the user failed to login. You said that the
user's rights didn't allow them to see that particular page.
Authentication /was/ successful; authorization was not.

> If Tomcat does not kill the session for me in my case described in my first
> message, how can I do that? 

Tomcat will not kill the session for you; you will have to do it
yourself. You don't want to worry about failed logins -- those will go
back to the login page. What you want to worry about is unauthorized
page requests /after/ login, which is what the 403 error is all about.
Just direct your webapp to forward 403 errors to something like
"/logout.jsp" that does "session.invalidate()".

I wouldn't do it this way, though. I'd present the user with an
(unprotected) page that says "you're not allowed to view this page.
Click <here> if you want to logout and re-login" (or something along
those lines).

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4XOw9CaO5/Lv0PARAuXLAKDEA5su6hVC8qOqGsP2+KRLY0lJsACglPle
7sU3UkhRRSJ2P8IAHM8NQQ0=
=C6N6
-----END PGP SIGNATURE-----


Re: Tomcat 5.5.23: cannot return to login page??

Posted by shunhecun <gu...@gmail.com>.
Hi, 

If a user fails to log in, he should be directed to the page specified in
web.xml, i.e. <form-error-page>/loginError.jsp</form-error-page>. And the
page /loginError.jsp is an unprotected resource. 

If Tomcat does not kill the session for me in my case described in my first
message, how can I do that? 

Thanks,
Cun
-- 
View this message in context: http://www.nabble.com/Tomcat-5.5.23%3A-cannot-return-to-login-page---tf4393110.html#a12547181
Sent from the Tomcat - User mailing list archive at Nabble.com.



Re: Tomcat 5.5.23: cannot return to login page??

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cun,

shunhecun wrote:
> My application uses MemoryRealm and FORM-based authentication. 

<shiver>

> In the file tomcat-users.xml, there is a user called "view", which belongs
> to role "users".  The role "users" is not included in web.xml of the
> application. 
> 
> If I try to log in to the application with the user "view", I get an error:
> "HTTP Status 403 - Access to the requested resource has been denied". I
> cannot go back to the login page. I have to close the browser or restart the
> server to see the login page. 

You don't need to kill the browser /or/ the server. You just need to
kill the user's session.

> Cleaning the browser's cache is not working. It seems the authentication
> information is cached in the Tomcat server. Any idea?

Tomcat links the authentication information for a user to the session.
Once the session is dead, you can re-login. Override the 403 error page
to include your own text including a link that takes you to the
(unprotected) logout page.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4HaO9CaO5/Lv0PARAnm4AKCrvlXhb7G7m0QBzAGCOwFGS7Ci5QCgm6Ep
RcJdLKCON73CZcBwS699+jw=
=qisx
-----END PGP SIGNATURE-----
