Posted to users@tomcat.apache.org by Tokajac <im...@hotmail.com> on 2008/08/09 20:54:36 UTC

Re-opening the browser

Hello!

I'm working on the password recovery part of my webapp. It is done with a Tomcat
server and j_security_check.
When I mistype the password 3 times for a username, the service sends the
activation link to the e-mail address of that user.
I find the link in my mailbox and when I click it, in the NEW BROWSER the
login page of the webapp opens.

But when I submit the (activated) username and password, I get the
--------------------------------------------------------------------------
HTTP Status 408 - The time allowed for the login process has been exceeded.
If you wish to continue you must either click back twice and re-click the
link you requested or close and re-open your browser

type: Status report

message The time allowed for the login process has been exceeded. If you
wish to continue you must either click back twice and re-click the link you
requested or close and re-open your browser

description: The client did not produce a request within the time that the
server was prepared to wait
----------------------------------------------------------------------------

What's wrong here? Is it something about sessions/cookies? How should I
solve this?


Regards

P.S.
If I open another browser manually after clicking the link, and submit the
activated username and pass, everything is fine.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Re-opening the browser

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

Martin Gainty wrote:
| ..I'll ask the dumb question..what is a drive-by login

Sorry for the colloquialism. By "drive-by" login, I mean that the user
was presented with a login page that was not served by Tomcat as a
result of a request for a protected resource (which is the only use case
specified by the servlet specification).

A good example is a login form on your company's home page that posts
directly to j_security_check in your web application. This is not
possible using any unmodified version of Tomcat.

Securityfilter, on the other hand, does allow this kind of login.

-chris



RE: Re-opening the browser

Posted by Martin Gainty <mg...@hotmail.com>.
..I'll ask the dumb question..what is a drive-by login?
Martin

> Date: Mon, 11 Aug 2008 16:32:55 -0400
> From: chris@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Re-opening the browser
>
> Mark,
>
> Mark Thomas wrote:
> | If you go directly to the login page Tomcat can't tell the difference
> | between that situation and when you go to a protected page, are
> | redirected to the login page and then take so long to log in the session
> | times out (the page you need to be sent back to is stored in the
> | session). The error message assumes that the session has timed out.
>
> Okay, so the Tomcat response is (expectedly) consistent. Thanks for
> stepping-in.
>
> Just out of curiosity, why does Tomcat not support drive-by logins? Is
> it merely because the spec leaves the behavior in that case ambiguous
> (there's no obvious target page to go to)? Many of securityfilter's
> users use it merely because it allows drive-by logins. We're happy to
> have them (!), but this seems like a reasonable feature to have in the
> core of Tomcat.
>
> -chris

Re: Re-opening the browser

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

Mark Thomas wrote:
|> Many of securityfilter's users use it merely because it allows
|> drive-by logins. We're happy to have them (!), but this seems like
|> a reasonable feature to have in the core of Tomcat.
|
| Given there is a demand for this, adding it as an option to the Form
| Auth valve seems reasonable to me. As ever, patches are always welcome
| on Bugzilla and this looks like a simple one although care will need to
| be taken on the error handling.

Actually, I am working on re-architecting securityfilter a bit so that
it can be used outside of its current filter-only implementation. The
goal is to make it possible to write it as a Tomcat Valve, and then
possibly have Tomcat use securityfilter as its authentication and
authorization mechanism.

Since the last release, the servlet spec has changed somewhat (last
release mostly covered 2.3 spec), so I'm also working on making it as
spec-compliant as possible.

Thanks,
-chris



Re: Re-opening the browser

Posted by Mark Thomas <ma...@apache.org>.
Christopher Schultz wrote:
> Mark,
> 
> Mark Thomas wrote:
> | If you go directly to the login page Tomcat can't tell the difference
> | between that situation and when you go to a protected page, are
> | redirected to the login page and then take so long to log in the session
> | times out (the page you need to be sent back to is stored in the
> | session). The error message assumes that the session has timed out.
> 
> Okay, so the Tomcat response is (expectedly) consistent. Thanks for
> stepping-in.
> 
> Just out of curiosity, why does Tomcat not support drive-by logins? Is
> it merely because the spec leaves the behavior in that case ambiguous
> (there's no obvious target page to go to)?
Essentially, yes. Also, there is no spec-compliant way to define where to 
go if login is successful. If this was added then to be consistent the 
default target page would probably need to be defined in the Form Auth 
valve in a context.xml.

> Many of securityfilter's
> users use it merely because it allows drive-by logins. We're happy to
> have them (!), but this seems like a reasonable feature to have in the
> core of Tomcat.
Given there is a demand for this, adding it as an option to the Form Auth 
valve seems reasonable to me. As ever, patches are always welcome on 
Bugzilla and this looks like a simple one although care will need to be 
taken on the error handling.

Mark





Re: Re-opening the browser

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

Mark Thomas wrote:
| If you go directly to the login page Tomcat can't tell the difference
| between that situation and when you go to a protected page, are
| redirected to the login page and then take so long to log in the session
| times out (the page you need to be sent back to is stored in the
| session). The error message assumes that the session has timed out.

Okay, so the Tomcat response is (expectedly) consistent. Thanks for
stepping-in.

Just out of curiosity, why does Tomcat not support drive-by logins? Is
it merely because the spec leaves the behavior in that case ambiguous
(there's no obvious target page to go to)? Many of securityfilter's
users use it merely because it allows drive-by logins. We're happy to
have them (!), but this seems like a reasonable feature to have in the
core of Tomcat.

-chris



Re: Re-opening the browser

Posted by Mark Thomas <ma...@apache.org>.
Christopher Schultz wrote:
> Tokajac,
> 
> Tokajac wrote:
> | But when I submit the (activated) username and password, I get the
> | --------------------------------------------------------------------------
> | HTTP Status 408 - The time allowed for the login process has been
> | exceeded.
> | If you wish to continue you must either click back twice and re-click the
> | link you requested or close and re-open your browser
> 
> This is probably because you went directly to the form login page, and
> you are using Tomcat's built-in container-managed authentication and
> authorization.
> 
> Instead of sending the user directly to the login-page, try sending them
> to a protected URL (like /myApp/someProtectedPage). This will cause
> Tomcat to display the login page itself (which is actually required),
> and then the login should work.
> 
> | What's wrong here? Is it something about sessions/cookies? How should i
> | solve this?
> 
> Technically, the 408 is probably because of the timing of your testing.
> If you waited like 1 hour between requests, you'd get a different error
> like "unexpected login at this time" or a 404 because j_security_check
> isn't a valid URL unless the container is expecting it. It's a bit odd,
> but the servlet specification does not allow for "drive-by" logins, and
> so Tomcat does not implement them.

If you go directly to the login page Tomcat can't tell the difference 
between that situation and when you go to a protected page, are redirected 
to the login page and then take so long to log in the session times out 
(the page you need to be sent back to is stored in the session). The error 
message assumes that the session has timed out.

Mark





Re: Re-opening the browser

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tokajac,

Tokajac wrote:
| But when I submit the (activated) username and password, I get the
| --------------------------------------------------------------------------
| HTTP Status 408 - The time allowed for the login process has been
| exceeded.
| If you wish to continue you must either click back twice and re-click the
| link you requested or close and re-open your browser

This is probably because you went directly to the form login page, and
you are using Tomcat's built-in container-managed authentication and
authorization.

Instead of sending the user directly to the login-page, try sending them
to a protected URL (like /myApp/someProtectedPage). This will cause
Tomcat to display the login page itself (which is actually required),
and then the login should work.

| What's wrong here? Is it something about sessions/cookies? How should I
| solve this?

Technically, the 408 is probably because of the timing of your testing.
If you waited like 1 hour between requests, you'd get a different error
like "unexpected login at this time" or a 404 because j_security_check
isn't a valid URL unless the container is expecting it. It's a bit odd,
but the servlet specification does not allow for "drive-by" logins, and
so Tomcat does not implement them.

| P.S.
| If I open another browser manually after clicking the link, and submit
| activated username and pass -everything is fine.

Hmm. That's a bit odd. You might want to disable cookies in your browser
during testing, because they can confuse things sometimes by linking a
minutes-old session with a "new" login you are attempting.

Try the protected-page trick above and let us know how things go.

-chris
