Posted to users@tomcat.apache.org by Luke McMahon <mc...@hotmail.com> on 2007/09/04 17:36:30 UTC

Problem with form based JSP authentication using Firefox with Tomcat

Hi there, I'm new to the list, just having some trouble getting my authentication to work with Firefox. I'm trying to protect access to a member area in my new website, and am just using the built in form based security for now. I'm using Tomcat 6.0.14, IE7 and Firefox 2.0.0.6.

When attempting to access the member area (/members/) the user is to be redirected to /login.jsp. The error page is the same but with a parameter (/login.jsp?error=true). When using IE7, all of this works just fine and after successful login, the user is sent to /members/.

When using Firefox, when everything is freshly built it works the first time. If I then log out (using session.invalidate() and being redirected to the home page) and log in again it stops working. After a successful login the user is presented not with the /members/ page, but with the login page again. Hitting refresh actually gives us the page we're after, so it seems to be caching the login page 'as' the /members/ page.

------------------------------------------
Here is a section from my web.xml:
-------------------------------------------

  <security-constraint>
    <display-name>Member Access</display-name>
    <web-resource-collection>
      <web-resource-name>Member Access Area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>member</role-name>
      <role-name>student</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Member Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp?error=true</form-error-page>
    </form-login-config>
  </login-config>

-----------------------------------------
Here is my logout code:
-----------------------------------------

  <% session.invalidate(); response.sendRedirect("/"); %>

----------------------------------------
Here is my login code:
-----------------------------------------

  <form method="post" action='<%= response.encodeURL("j_security_check") %>' >
  <table border="0" cellspacing="5">
  <tr>
  <th align="right">Username:</th>
  <td align="left"><input type="text" name="j_username" /></td>
  </tr>
  <tr>
  <th align="right">Password:</th>
  <td align="left"><input type="password" name="j_password" /></td>
  </tr>
  <tr>
  <td align="right"><input type="submit" value="Log In" /></td>
  <td align="left"><input type="reset" /></td>
  </tr>
  </table></form>

Note: I've tried putting the following code at the top of my login.jsp and logout.jsp files but it doesn't seem to help:

  <%
  response.setHeader("Cache-Control","no-cache");
  response.setHeader("Cache-Control","no-store");
  response.setDateHeader("Expires", -1);
  response.setHeader("Pragma","no-cache");
  %>

Thanks very much for any assistance,
Luke.        

[SOLVED]: Problem with form based JSP authentication using Firefox with Tomcat

Posted by Luke McMahon <mc...@hotmail.com>.
P, thanks very much for your help.

The problem was fixed once I started linking explicitly to "/members/index.jsp" from index.htm, rather than just linking to "/members/" when my member file was straight html.

> Date: Thu, 6 Sep 2007 15:12:28 +0100
> From: p@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Problem with form based JSP authentication using Firefox with Tomcat
>
> Luke McMahon wrote:
>> Thanks again P,
>
> Can you include the source of
>
> /index.html
>
> and
>
> /members/index.html (is it html or JSP?)
>
>
> p
>
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Problem with form based JSP authentication using Firefox with Tomcat

Posted by Pid <p...@pidster.com>.
Luke McMahon wrote:
> Thanks again P,

Can you include the source of

 /index.html

and

 /members/index.html (is it html or JSP?)


p


> Yeah I actually already had the meta tags at the top, and modified everything to match your example exactly. I also tried using separate login and error pages with no noticeable difference.
> Here are the http responses to the member page GET. I'm not well versed in this stuff, but it seems like the cache-control info is ok but it thinks the page has not been modified when the re-login fails:
> 
> 
> Success:
> ---------------------
> http://localhost:8080/members/
> 
> GET /members/ HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost:8080/members/
> Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746
> Cache-Control: max-age=0
> 
> HTTP/1.x 200 OK
> Server: Apache-Coyote/1.1
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 10:00:00 EST
> Etag: W/"2807-1188956843361"
> Last-Modified: Wed, 05 Sep 2007 01:47:23 GMT
> Content-Type: text/html
> Content-Length: 2807
> Date: Wed, 05 Sep 2007 02:03:55 GMT
> 
> 
> 
> Failure:
> -----------------------------
> http://localhost:8080/members/
> 
> GET /members/ HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost:8080/members/
> Cookie: JSESSIONID=FF03B0286AA97B1A603A05A1E402728D
> Cache-Control: max-age=0
> 
> HTTP/1.x 304 Not Modified
> Server: Apache-Coyote/1.1
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 10:00:00 EST
> Etag: W/"2807-1188956843361"
> Date: Wed, 05 Sep 2007 02:04:23 GMT
> 
> 
> 
> 
> 


RE: Problem with form based JSP authentication using Firefox with Tomcat

Posted by Luke McMahon <mc...@hotmail.com>.
Thanks again P,



Yeah I actually already had the meta tags at the top, and modified everything to match your example exactly. I also tried using separate login and error pages with no noticeable difference.
Here are the http responses to the member page GET. I'm not well versed in this stuff, but it seems like the cache-control info is ok but it thinks the page has not been modified when the re-login fails:


Success:
---------------------
http://localhost:8080/members/

GET /members/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/members/
Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746
Cache-Control: max-age=0

HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
Etag: W/"2807-1188956843361"
Last-Modified: Wed, 05 Sep 2007 01:47:23 GMT
Content-Type: text/html
Content-Length: 2807
Date: Wed, 05 Sep 2007 02:03:55 GMT



Failure:
-----------------------------
http://localhost:8080/members/

GET /members/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/members/
Cookie: JSESSIONID=FF03B0286AA97B1A603A05A1E402728D
Cache-Control: max-age=0

HTTP/1.x 304 Not Modified
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
Etag: W/"2807-1188956843361"
Date: Wed, 05 Sep 2007 02:04:23 GMT





> Date: Wed, 5 Sep 2007 09:46:53 +0100
> From: p@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Problem with form based JSP authentication using Firefox with Tomcat
>
> Are you saying you tried what I suggested, or that you have already
> tried it? It seems like the problem is a caching issue to me.
>
> What URL are you trying to access to trigger the login - you're not
> accessing the login.jsp directly are you? (I have to ask...)
>
>
> In the second instance the browser is setting JSESSIONID as a cookie,
> instead of as a URL parameter, but that shouldn't make a difference.
> The response.encodeURL method only encodes the URL with JSESSIONID if it
> can't see the same value in a cookie in the request.
>
> The value of JSESSIONID *may* change with each new session, but it won't
> be created until you hit a JSP. So the first time it's only created
> when you hit login.jsp, where it's encoded in the URL because no
> previous session id was found in the URL or cookie.
>
> The cookie still exists locally after you logout, until you close the
> browser down, so it's not added to the URL the second time round, but as
> the existing ID is an invalid session it triggers the authentication valve.
>
>
>
> You should compare the server response headers rather than the request
> headers, to see if the server is correctly sending the Cache-Control info.
>
>
>
> p
>
>
>
>
>
>
>


Re: Problem with form based JSP authentication using Firefox with Tomcat

Posted by Pid <p...@pidster.com>.
Are you saying you tried what I suggested, or that you have already 
tried it?  It seems like the problem is a caching issue to me.

What URL are you trying to access to trigger the login - you're not 
accessing the login.jsp directly are you?  (I have to ask...)


In the second instance the browser is setting JSESSIONID as a cookie, 
instead of as a URL parameter, but that shouldn't make a difference. 
The response.encodeURL method only encodes the URL with JSESSIONID if it 
can't see the same value in a cookie in the request.

The value of JSESSIONID *may* change with each new session, but it won't 
be created until you hit a JSP.  So the first time it's only created 
when you hit login.jsp, where it's encoded in the URL because no 
previous session id was found in the URL or cookie.

The cookie still exists locally after you logout, until you close the 
browser down, so it's not added to the URL the second time round, but as 
the existing ID is an invalid session it triggers the authentication valve.



You should compare the server response headers rather than the request 
headers, to see if the server is correctly sending the Cache-Control info.



p







Luke McMahon wrote:
> Thanks p (hope this is formatted better!)
> 
> I tried this without success. I've attached the livehttpheader output below. What seems to happen in Firefox is the first time I go to the login page, it passes the jsessionid to j_security_check. 
> If I then invalidate the session, and go to log in again, it calls j_security_check without this identifier. This might be why I'm not getting redirected to the member page, but I'm not sure of that.
> Like I said, this works fine in IE, but firefox still seems to either be losing its bundle after the session is invalidated or incorrectly caching the login page as the member page I'm trying to access.
> 
> I've just cut and pasted the differences between the headers of the successful login, and the unsuccessful login (ie. no redirect).
> 
> Success:
> ---------------------------------
> http://localhost:8080/members/
> 
> GET /members/ HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost:8080/index.htm
> 
> Failure:
> ------------------------------------
> http://localhost:8080/members/
> 
> GET /members/ HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost:8080/index.htm
> Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746                
> 
> 
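
The reply above notes that the JSESSIONID cookie stays in the browser after session.invalidate() and is sent again on the next request. The logout handler below is an added example, not code from this thread: it invalidates the server-side session, asks the container to drop the authenticated principal, overwrites the browser's JSESSIONID cookie with an already-expired one, and redirects to the web application's own root instead of the server root that sendRedirect("/") targets. The servlet name, the /logout mapping and the Servlet 3.0 (Tomcat 7 or later) API level are assumptions; on Tomcat 6 the request.logout() and setHttpOnly(true) calls have to be removed.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout handler (example, not from the thread): drops the server-side
 * session, clears the authenticated principal, expires the browser's
 * JSESSIONID cookie and redirects to the application's own root.
 *
 * Assumes Servlet 3.0 or later (Tomcat 7+) for request.logout() and
 * Cookie.setHttpOnly(). Map it to /logout in web.xml and trigger it from a
 * POST form: a GET that ends the session is trivially forgeable from
 * another site.
 */
public class LogoutServlet extends HttpServlet {

    private static final String SESSION_COOKIE = "JSESSIONID";

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): do not create a fresh session only to invalidate it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        request.logout(); // container forgets the authenticated user for this request

        // Overwrite the browser's copy of the session cookie with an expired one.
        // The path must match the one Tomcat used, or the browser keeps the original.
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setPath(sessionCookiePath(request.getContextPath()));
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        response.addCookie(expired);

        // The logout response itself must never be served from a cache later.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);

        // sendRedirect("/") targets the server root; the context path keeps the
        // redirect inside this web application (it is "" for the ROOT context).
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/"));
    }

    /** A state-changing logout should not be reachable by GET. */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    /** Tomcat scopes the session cookie to the context path, or "/" for the ROOT context. */
    static String sessionCookiePath(String contextPath) {
        return (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
    }
}
```

Because the session is gone before encodeRedirectURL() runs, no jsessionid is appended to the redirect target, and the expired cookie means the browser's next request to a constrained URL arrives with no session id at all rather than with a stale one.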


RE: Problem with form based JSP authentication using Firefox with Tomcat

Posted by Luke McMahon <mc...@hotmail.com>.
Thanks p (hope this is formatted better!)

I tried this without success. I've attached the livehttpheader output below. What seems to happen in Firefox is the first time I go to the login page, it passes the jsessionid to j_security_check. 
If I then invalidate the session, and go to log in again, it calls j_security_check without this identifier. This might be why I'm not getting redirected to the member page, but I'm not sure of that.
Like I said, this works fine in IE, but firefox still seems to either be losing its bundle after the session is invalidated or incorrectly caching the login page as the member page I'm trying to access.

I've just cut and pasted the differences between the headers of the successful login, and the unsuccessful login (ie. no redirect).

Success:
---------------------------------
http://localhost:8080/members/

GET /members/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/index.htm

Failure:
------------------------------------
http://localhost:8080/members/

GET /members/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/index.htm
Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746                


Re: Problem with form based JSP authentication using Firefox with Tomcat

Posted by Pid <p...@pidster.com>.
Try putting all of the Cache-Control commands inline, comma separated:

<meta http-equiv="Cache-Control" 
content="no-store,no-cache,must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">

You can also set the headers:

<%
response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");
response.setHeader("Pragma","no-cache");
response.setDateHeader("Expires", -1);
%>

I'm not sure of the implications of using /login.jsp?error=true as an 
error page - though it was recently discussed on this list, you may wish 
to search the archives.

I usually place my login pages out of the way:

  WEB-INF/login/form.jsp
  WEB-INF/login/error.jsp

so they can't be accessed directly.


p


(tip: send plain text mail to avoid crazy formatting)




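
The advice above (one comma-separated Cache-Control value, the same headers set programmatically, login pages kept under WEB-INF) is easier to apply once rather than page by page. The filter below is an added example, not code from this thread or from Tomcat: it stamps cache-defeating headers on every response it is mapped to. Two points it relies on are plain servlet and HTTP semantics: HttpServletResponse.setHeader() replaces any earlier value for the same header name, so the two separate setHeader("Cache-Control", ...) calls in the original post leave only the second one on the wire; and "no-cache" on its own only obliges the browser to revalidate a stored copy (with If-None-Match or If-Modified-Since, which is what a 304 Not Modified answers), whereas "no-store" forbids keeping the copy at all. The class name, filter name and URL patterns are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter (example, not from the thread) that forbids caching of
 * everything it is mapped to.
 *
 * Map it in web.xml to the protected area and to the login page, e.g.
 *   <filter>
 *     <filter-name>noCache</filter-name>
 *     <filter-class>NoCacheFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>noCache</filter-name>
 *     <url-pattern>/members/*</url-pattern>
 *   </filter-mapping>
 *   <filter-mapping>
 *     <filter-name>noCache</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *   </filter-mapping>
 *
 * HttpServletResponse.setHeader replaces any earlier value for the same name,
 * so two consecutive setHeader("Cache-Control", ...) calls leave only the
 * second one on the wire. All directives therefore go into one value.
 */
public class NoCacheFilter implements Filter {

    /** no-store forbids keeping a copy at all; no-cache alone only forces revalidation. */
    static final String CACHE_CONTROL = "no-cache, no-store, must-revalidate";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            applyNoCache((HttpServletResponse) response);
        }
        // Headers are set before the chain runs: a JSP further down may commit
        // (flush) the response, after which headers can no longer be changed.
        chain.doFilter(request, response);
    }

    /** Cache-defeating headers for HTTP/1.1 (Cache-Control) and HTTP/1.0 (Pragma, Expires) caches. */
    static void applyNoCache(HttpServletResponse response) {
        response.setHeader("Cache-Control", CACHE_CONTROL);
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L); // 1 Jan 1970: already expired
    }

    public void destroy() {
        // nothing to release
    }
}
```

Two caveats when deploying this. Tomcat's form authenticator already adds "Pragma: No-cache", "Cache-Control: no-cache" and an Expires date in 1970 to responses for constrained resources (the disableProxyCaching setting, on by default), which is what the captured /members/ responses show; the valve runs before the filter chain, so the filter's setHeader() replaces that value with the stronger one. And, unrelated to caching but visible in the posted web.xml, listing <http-method> elements inside a <security-constraint> restricts only the methods listed: HEAD, OPTIONS and any other method not named there are left unconstrained, so omitting the <http-method> elements altogether (which constrains every method) is the safer form. With the login pages moved to /WEB-INF/login/form.jsp and /WEB-INF/login/error.jsp, as suggested above, the <form-login-page> and <form-error-page> entries point at those paths and the filter mapping for /login.jsp is no longer needed, since content under WEB-INF is never served directly.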