Posted to users@tomcat.apache.org by Marcel Frehner <ma...@wsl.ch> on 2007/01/22 16:11:20 UTC

Access to error page denied in Firefox 2.0

I'm trying to set up form-based authentication in a JSF Application on 
Tomcat 5.5.4. I've got a login page, a welcome page and an error page. On 
entering the right username and password I get redirected to welcome.jsp. 
On entering the wrong credentials IE displays my custom error.html with a 
link back to login.html where I can try with the right password again. So 
far so good.

Firefox 2.0, however, displays "HTTP Status 403 - Access to the requested 
resource has been denied" if the wrong credentials are entered. I can't get 
back to the login page anymore, even with the back button in the browser. 
Logging in with the correct credentials works as expected.

I understand that Tomcat forwards control to the error page configured in 
web.xml if authentication fails. I can't see any browser dependency here. 
Or does it do a redirect, i.e. go back to the browser first?

When setting up the application I followed Sun's Java 5 EE Tutorial 
(Chapter 30: Securing Web Applications) leaving out the mapping of roles to 
user groups as I haven't got any server groups.

The settings in the Tomcat admin application, which works fine, seem to be 
equivalent to mine although hard to compare as it is Struts and mine is JSF.

I've got an index.jsp file which takes me into the faces context. Could 
that cause problems?

Help is appreciated very much.
Marcel


<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>sec24</display-name>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <security-role-ref>
      <role-name>loginUser</role-name>
      <role-link>loginUser</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>loginUser</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>security</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>loginUser</role-name>
  </security-role>
</web-app>




--
dipl. geogr. Marcel Frehner
Wissenschaftlicher Mitarbeiter
Eidgenössische Forschungsanstalt für Wald, Schnee und Landschaft WSL
Abteilung Landschaftsinventuren
Zürcherstrasse 111
8903 Birmensdorf

Tel. +41-44-739 26 83
marcel.frehner@wsl.ch
http://www.wsl.ch

----------------------------


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Access to error page denied in Firefox 2.0

Posted by David Delbecq <de...@oma.be>.
At precisely 01/22/07 17:05, Marcel Frehner expressed himself in these
terms:
> Thank you for your answer David. My conclusion would be to move my
> protected resources to a separate folder and adjust my web.xml
> accordingly. Of course you were absolutely right about the 403 status.
> My Firefox had an existing but not authorised user stored and I kept
> testing with that one.
>
> And instead of a link from the error.html back to the login.html, I
> would either add a login form to the error page or link to a page that
> needs authentication and causes Tomcat to return the login form again,
> wouldn't I?
Add a link on the error page back to an area needing authentication, so
Tomcat shows the login again.
>
> I think I understand that now, thanks!
> Marcel
>



Re: Access to error page denied in Firefox 2.0

Posted by Marcel Frehner <ma...@wsl.ch>.
Thank you for your answer David. My conclusion would be to move my 
protected resources to a separate folder and adjust my web.xml accordingly. 
Of course you were absolutely right about the 403 status. My Firefox had an 
existing but not authorised user stored and I kept testing with that one.

And instead of a link from the error.html back to the login.html, I would 
either add a login form to the error page or link to a page that needs 
authentication and causes Tomcat to return the login form again, wouldn't I?

I think I understand that now, thanks!
Marcel

At 16:29 22.01.2007 +0100, you wrote:
>I see several potential problems as a side note before the core problem...
>First, you map your security constraint to /*, which means *nothing* in
>your webapp will be accessible prior to login; this includes pictures and CSS.
>Second, be aware to never access login.html directly; it should be
>Tomcat that sends the content of login.html to the user upon needing
>authentication. To make your test, for example, direct your browser to
>/index.html (yes, authentication takes place even if the file does not
>exist :p). Take this into account when adding a 'link' to the login form in
>your error document.
>
>Now, the core of the problem. Tomcat sends an error 403 header along with the
>content of your error page. This happens when your credentials have been
>accepted, you are authenticated, but you don't have the required
>access right. (A common example: you are a 'user' but not an 'admin'; you
>try to access the admin panel, and Tomcat will refuse you, but not present
>you the authentication form because you are already identified.)






Re: Access to error page denied in Firefox 2.0

Posted by David Delbecq <de...@oma.be>.
I see several potential problems as a side note before the core problem...
First, you map your security constraint to /*, which means *nothing* in
your webapp will be accessible prior to login; this includes pictures and CSS.
Second, be aware to never access login.html directly; it should be
Tomcat that sends the content of login.html to the user upon needing
authentication. To make your test, for example, direct your browser to
/index.html (yes, authentication takes place even if the file does not
exist :p). Take this into account when adding a 'link' to the login form in
your error document.

Now, the core of the problem. Tomcat sends an error 403 header along with the
content of your error page. This happens when your credentials have been
accepted, you are authenticated, but you don't have the required
access right. (A common example: you are a 'user' but not an 'admin'; you
try to access the admin panel, and Tomcat will refuse you, but not present
you the authentication form because you are already identified.)

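Putting David's two side notes (narrow the /* constraint; have the error page link to a protected URL rather than to login.html) together with Marcel's conclusion (move the protected resources to a separate folder), here is an added example of the adjusted web.xml. It is written for this page and is not Marcel's file or anything from the Tomcat project. It keeps the FORM login, realm name and role from the thread but scopes the constraint to a separate folder, so login.html, error.html and the images and CSS they use stay reachable before login. The folder name /secure/ is an assumption, as is the <user-data-constraint> forcing HTTPS, which the thread does not discuss and which only works with an SSL connector (or a matching redirectPort) configured in server.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the web.xml from the thread.
     Protected pages are assumed to live under /secure/; login.html, error.html
     and their static assets stay at the context root, outside the constraint. -->
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>sec24</display-name>

  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Before (the thread's setting): <url-pattern>/*</url-pattern>
       That put every file, including the CSS and pictures used by the login and
       error pages themselves, behind the login challenge. -->
  <security-constraint>
    <display-name>ProtectedArea</display-name>
    <web-resource-collection>
      <web-resource-name>Application pages</web-resource-name>
      <!-- Assumed folder: only what lives here requires the loginUser role. -->
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>loginUser</role-name>
    </auth-constraint>
    <!-- Assumed hardening, not discussed in the thread: require HTTPS so the
         form POST does not carry the password in clear text. Needs an SSL
         connector in server.xml, otherwise Tomcat cannot redirect to it. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Unchanged from the thread: the login and error pages are ordinary files
       at the context root, which the constraint above no longer covers. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>security</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>loginUser</role-name>
  </security-role>
</web-app>
```

With this layout the link on error.html points at a protected URL such as /secure/index.faces (an assumed path) instead of at /login.html: Tomcat intercepts that request, serves login.html itself and saves the original request to restore after a successful j_security_check, which is exactly why David says never to open login.html directly. The 403 case is unchanged by this config: a user whose password is accepted but who is not in loginUser is authenticated, not authorised, so Tomcat refuses the resource rather than re-issuing the form; that is fixed in the realm's role assignment, not in the error page.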