Posted to users@tomcat.apache.org by Chema <de...@gmail.com> on 2011/07/25 12:17:32 UTC
Strange behaviour (or bug) with realm + browser tabs in Tomcat 7
Hi:
I'm seeing some strange behaviour when using a realm in Tomcat 7 (7.0.16)
with browser tabs.
My web app has some resources protected by a realm (with a <security-constraint>
tag in web.xml).
I'm using the FORM method in the <auth-method> tag, so I've got my own login page:
<!DOCTYPE html>
<html>
<body>
  <!-- j_security_check is the container's login URL; the relative action resolves against the URL the browser is showing -->
  <form method='post' action='j_security_check'>
    <input type='text' name='j_username'>
    <input type='password' name='j_password'>
    <input type='submit' name='send' value='Login'>
  </form>
</body>
</html>
Steps:
1) I open a tab in my browser and access a protected resource:
http://localhost:8080/myapp/protected/file_one.properties
The login page is shown.
2) I open a new tab in the browser and access another protected resource:
http://localhost:8080/myapp/protected/file_two.properties
The login page is shown.
3) I go back to the first tab and authenticate with a valid user. The resource
shown is file_two.properties (??)
4) I go to the second tab and authenticate with the same valid user (or
another valid user) and an error happens:
HTTP Status 404 - /myapp/j_security_check
I know that the session is shared between tabs, but I think there are two
odd results:
- in step 3, a different resource than the one requested is returned.
- in step 4, a 404 error is returned.
If this is the correct behaviour, how can I prevent a user from performing
these steps?
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Strange behaviour (or bug) with realm + browser tabs in Tomcat 7
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chema,
On 7/25/2011 6:41 AM, Chema wrote:
>> The behaviour is correct. You can't stop it.
>>
>> Mark
>
> Thanks for your answer. But is it right according to the specs, or
> according to Tomcat?
I don't believe the spec covers this particular case. If you disagree,
I'd be happy to re-read a part of the spec you think might cover it.
> I can understand the step 3 behaviour because the last resource
> requested by the session is returned (although the user doesn't understand
> that the two tabs are the same session). But I would like to avoid 404 errors.
I've always thought Tomcat's behavior when an "unexpected" login was
experienced was a bit harsh, but there is no spec-compliant way to
determine where the user should go in situations like this.
Tomcat can't be expected to remember a list of URLs accessed prior to
authentication, and can't really associate those URLs with the exact
browser-and-tab that requested them, so it only uses the "last" one.
Once the "last" request has been successfully processed (in your step
3), Tomcat should not re-play that same request during step 4, because the
request may be non-idempotent.
Feel free to suggest some other spec-compliant behavior that could be
achieved.
-chris
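The mechanism Chris describes (one saved request per session, overwritten by each new unauthenticated request, consumed by the first successful login, and nothing left for a second login POST) can be modelled in a few lines. The following is an added example written for this page, not Tomcat's code: it is a simplified state machine of the FORM authenticator, with constructed paths and credentials, and it reports the second login as 404 because that is what this thread observed (the exact status code varies between Tomcat versions).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values standing in for the poster's web.xml; not taken from the thread.
PROTECTED_PREFIX = "/myapp/protected/"
VALID_USERS = {"alice": "s3cret"}   # constructed credentials for the example realm


@dataclass
class Session:
    """One HTTP session == one cookie jar == every tab of the same browser."""
    principal: Optional[str] = None
    saved_request: Optional[str] = None   # the container keeps at most ONE saved request here


@dataclass
class Response:
    status: int
    location: Optional[str] = None        # Location header of a 302
    body: str = ""


def get(session: Session, path: str) -> Response:
    """GET a resource. An unauthenticated request for a constrained path is saved
    in the session (overwriting whatever was saved before) and answered with the
    login page; everything else is served."""
    if path.startswith(PROTECTED_PREFIX) and session.principal is None:
        session.saved_request = path
        return Response(200, body="login page")
    return Response(200, body=f"contents of {path}")


def j_security_check(session: Session, username: str, password: str) -> Response:
    """POST to j_security_check. The credentials only mean something while a saved
    request is pending; with nothing to restore the container has no resource to
    send the user to, and the request fails (404 in this thread's Tomcat)."""
    if session.saved_request is None:
        return Response(404, body="/myapp/j_security_check")
    if VALID_USERS.get(username) != password:
        return Response(200, body="login error page")
    session.principal = username
    target, session.saved_request = session.saved_request, None   # consume it once
    return Response(302, location=target)


def reproduce_thread_steps():
    """Runs the four steps from the original post against one shared session and
    returns the four responses plus what the tab-1 redirect finally shows."""
    s = Session()
    r1 = get(s, "/myapp/protected/file_one.properties")   # step 1, tab 1
    r2 = get(s, "/myapp/protected/file_two.properties")   # step 2, tab 2 overwrites the saved request
    r3 = j_security_check(s, "alice", "s3cret")            # step 3, tab 1 logs in -> sent to file_two
    landed = get(s, r3.location) if r3.status == 302 else None
    r4 = j_security_check(s, "alice", "s3cret")            # step 4, tab 2 logs in -> nothing saved
    return r1, r2, r3, landed, r4


if __name__ == "__main__":
    labels = ("step1", "step2", "step3", "after-redirect", "step4")
    for label, r in zip(labels, reproduce_thread_steps()):
        print(label, r.status, r.location or r.body)
```

The model makes the two "odd results" from the original post fall out of a single rule: the session, not the tab, owns the saved request. Tab 2's GET replaces tab 1's, so tab 1's login lands on file_two; that login also clears the slot, so tab 2's login has nothing to restore.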
Re: Strange behaviour (or bug) with realm + browser tabs in Tomcat 7
Posted by Chema <de...@gmail.com>.
> The behaviour is correct. You can't stop it.
>
> Mark
Thanks for your answer.
But is it right according to the specs, or according to Tomcat?
I can understand the step 3 behaviour because the last resource
requested by the session is returned (although the user doesn't understand
that the two tabs are the same session).
But I would like to avoid 404 errors.
Regards
Re: Strange behaviour (or bug) with realm + browser tabs in Tomcat 7
Posted by Mark Thomas <ma...@apache.org>.
On 25/07/2011 11:17, Chema wrote:
> Hi:
>
> I'm seeing some strange behaviour when using a realm in Tomcat 7 (7.0.16)
> with browser tabs.
> My web app has some resources protected by a realm (with a <security-constraint>
> tag in web.xml).
> I'm using the FORM method in the <auth-method> tag, so I've got my own login page:
>
> <!DOCTYPE html>
> <html>
> <body>
>   <form method='post' action='j_security_check'>
>     <input type='text' name='j_username'>
>     <input type='password' name='j_password'>
>     <input type='submit' name='send' value='Login'>
>   </form>
> </body>
> </html>
>
>
> Steps:
>
> 1) I open a tab in my browser and access a protected resource:
>
> http://localhost:8080/myapp/protected/file_one.properties
>
> The login page is shown.
>
> 2) I open a new tab in the browser and access another protected resource:
>
> http://localhost:8080/myapp/protected/file_two.properties
>
> The login page is shown.
>
>
> 3) I go back to the first tab and authenticate with a valid user. The resource
> shown is file_two.properties (??)
>
> 4) I go to the second tab and authenticate with the same valid user (or
> another valid user) and an error happens:
>
> HTTP Status 404 - /myapp/j_security_check
>
>
> I know that the session is shared between tabs, but I think there are two
> odd results:
>
> - in step 3, a different resource than the one requested is returned.
> - in step 4, a 404 error is returned.
>
> If this is the correct behaviour, how can I prevent a user from performing
> these steps?
The behaviour is correct. You can't stop it.
Mark
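A practitioner's note on the "how do I avoid the 404" question, added here and not part of the thread. The Form Authenticator Valve in Tomcat 7 documents a landingPage attribute: when set, a misused login flow (a POST to j_security_check with no saved request, or a login page requested directly) is redirected to that page instead of failing the request. The attribute is not present in every 7.0.x build, so check the Form Authenticator Valve section of the configuration reference for the exact version you run before relying on it. To set valve attributes, the valve has to be declared explicitly in the application's context; the path /index.html below is an assumption.

```xml
<!-- META-INF/context.xml of the web application (added example; path assumed) -->
<Context>
  <!-- Declaring the FormAuthenticator valve explicitly lets its attributes be set.
       With landingPage set, a login POST that has no saved request to restore
       (the thread's step 4) is redirected there instead of ending in an error. -->
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         landingPage="/index.html" />
</Context>
```

Note what this does not change: the session still holds a single saved request, so tab 1 will still land on whatever tab 2 requested last (step 3). The landing page only replaces the error in step 4 with a known starting point. Keep the landing page outside the <security-constraint> url-pattern, or an unauthenticated redirect to it will just start the login cycle again.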