Posted to users@tomcat.apache.org by George Payne <gp...@virginia.edu> on 2003/10/03 23:38:27 UTC

RE: invalid direct reference..--problem with solution..

I would like to implement a fix to this.  I think having users bookmark the 
login page is a very likely frequent problem.

But..

What happens if you implement this solution and the user has disallowed 
cookies?  Don't you get an ugly loop?

If the referer header was set, you could use that, but it does not appear 
to be.  Anyone have a bright idea?


At 08:13 PM 6/28/2003, Stefan Radzom wrote:
>Your problem has just recently been discussed on this list. Ben Jessel
>proposed a workaround which I attached below. Hopefully, this might work for
>you.
>
>Stefan
>
>
> > -----Original Message-----
> > From: ben.jessel@accenture.com [mailto:ben.jessel@accenture.com]
> > Sent: Friday, June 27, 2003 1:42 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Possible workaround for invalid direct reference to
> > login page
> >
> >
> > Java Authentication with tomcat relies on realms. If you access a page
> > protected by that realm you get directed to the login page. However, it
> > is possible to go directly to the login page (this can happen when users
> > bookmark the login page inadvertently).
> >
> > This happens in two scenarios:
> >
> > 1) The user is already logged in.
> > 2) The user is not logged in.
> >
> > If you authenticate yourself once you have gone directly to the login
> > page, you get an "invalid direct reference" error. Fair enough, the login
> > page is trying to redirect to itself. Now, I tried to work around this by
> > checking if the session is null, and if it is, redirecting to some
> > protected page, e.g. protected/index.jsp. No luck. It seems that a session
> > is implicitly created, and a new session id gets created.
> >
> > So I've tried a cookie strategy:
> >
> > <%
> > if ( request.getCookies()==null ) {
> >     response.sendRedirect("/xxxx/jsp/protected/index.jsp");
> >     return;   // stop here: the response is committed, no second redirect
> > }
> > if ( request.getRemoteUser()!=null ) {
> >     response.sendRedirect("/xxxxx/jsp/protected/index.jsp");
> >     return;
> > }
> > %>
> >
> > i.e. we won't have a cookie if we've gone directly to the login page. But
> > we will have one if we've tried to access a protected page and then we've
> > been forwarded to a login page; tomcat will give us a cookie.
> >
> > Now if we're already logged in (which we check with getRemoteUser()),
> > then we just forward the user to an index page.
> >
> > This seems o.k. However my index page actually includes my login page! I'm
> > planning to get around this with some logic that only includes the login
> > page excerpt if we are not logged in......
> >
> > Ben
> >
> >
>
> > -----Original Message-----
> > From: Brian Kuhn [mailto:bnkuhn@hotmail.com]
> > Sent: Sunday, June 29, 2003 1:16 AM
> > To: tomcat-user@jakarta.apache.org
> > Subject: invalid direct reference to form login page...
> >
> >
> > Hi all,
> >
> > I've set up Tomcat (4.1.24) to do form based authentication. Everything
> > works great, except I've had to deal with a lot of users that type in the
> > url I've given them, get redirected to the login page, and bookmark the
> > login page before logging in.  Later, when they use the bookmark, they get
> > sent to the login page, but get an "Invalid direct reference to form login
> > page..." message once they log in.
> >
> > I understand why this happens, but don't know what to do about it.  Is
> > there a way to specify a default page to go to when the login page is
> > requested directly?
> >
> > Thanks,
> >       Brian Kuhn
> >       Telscape Communications
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
>
>
>



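The loop George is worried about comes from making the decision depend on cookies. The following is an added example, not code from anyone in this thread: a guard for the form-login page whose decision does not depend on cookies at all. It bounces a direct request through the protected page once, marking the redirect with a query parameter, and treats the presence of that parameter as proof that the container forwarded the request back to the login page. Hypothetical names are the class `LoginPageGuard`, the landing page `/protected/index.jsp` and the marker parameter `viaAuth`; it assumes, as Tomcat's FormAuthenticator does, that the login page is reached by a forward of the original request, so the original URL's parameters are visible in the login JSP.

```java
// Added example, not from the thread. Assumptions (not from the thread):
// the landing page behind a security constraint is /protected/index.jsp,
// the one-shot marker parameter is named "viaAuth", and the login JSP calls
// redirectIfDirect() before writing any output.
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class LoginPageGuard {

    /** Landing page behind a security constraint (hypothetical path). */
    static final String PROTECTED_PAGE = "/protected/index.jsp";

    /** Marker carried on the protected URL; no cookie is involved. */
    static final String MARKER = "viaAuth";

    private LoginPageGuard() {}

    /**
     * Returns true when a redirect was sent and the caller must stop rendering.
     *
     * Case 1: already authenticated -> send the user to the landing page.
     * Case 2: no marker -> the login page was requested directly, so bounce
     *         through the protected page; the container saves that request
     *         and forwards back here, and the forwarded request still carries
     *         the marker parameter from the original URL.
     * Case 3: marker present -> this is the container's forward; show the form.
     *
     * A browser that rejects cookies cannot loop: the second arrival always
     * carries the marker. encodeRedirectURL() appends ;jsessionid=... when
     * cookies are unavailable, so the saved request survives the redirect.
     */
    public static boolean redirectIfDirect(HttpServletRequest req,
                                           HttpServletResponse resp)
            throws IOException {
        String target = req.getContextPath() + PROTECTED_PAGE;

        if (req.getRemoteUser() != null) {                 // case 1
            resp.sendRedirect(resp.encodeRedirectURL(target));
            return true;                                   // response is committed
        }
        if (req.getParameter(MARKER) == null) {            // case 2
            resp.sendRedirect(resp.encodeRedirectURL(target + "?" + MARKER + "=1"));
            return true;
        }
        return false;                                      // case 3: render the form
    }
}

// In login.jsp (Tomcat 4 / Servlet 2.3), before any output:
//   <%@ page session="false" %>
//   <% if (LoginPageGuard.redirectIfDirect(request, response)) return; %>
```

Two details matter for the no-cookie case. `session="false"` stops the JSP from implicitly creating the session Ben noticed, so the only session is the one the container creates when it saves the protected request. The login form's action should also go through `response.encodeURL("j_security_check")`, otherwise the POST from a cookie-less browser loses the session that holds the saved request and the container cannot complete the login.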


RE: invalid direct reference..--problem with solution..

Posted by Patrick Willart <pa...@aptitudexchange.com>.
Here are two fixes for the problem.

http://forum.java.sun.com/thread.jsp?thread=330109&forum=45&message=1344266
http://raibledesigns.com/page/rd/20020828

However, they don't work for me. My problem isn't that the user goes
directly to the login page, but that a login form is available on every page
on the site via an include.

I want the user to be able to log in whenever he wants and not only from
protected pages. What would be the best strategy to implement this?

Patrick

-----Original Message-----
From: George Payne [mailto:gpayne@virginia.edu]
Sent: Friday, October 03, 2003 2:38 PM
To: Tomcat Users List
Cc: ben.jessel@accenture.com
Subject: RE: invalid direct reference..--problem with solution..