Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/08/29 04:47:56 UTC

DO NOT REPLY [Bug 45710] New: FormAuthenticator - Request Parameters are lost after authentication

https://issues.apache.org/bugzilla/show_bug.cgi?id=45710

           Summary: FormAuthenticator -  Request Parameters are lost after
                    authentication
           Product: Tomcat 5
           Version: 5.5.25
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Catalina:Modules
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: kamalasekar.r@gmail.com


We have two web applications, one running in Tomcat 5.0.30 (source) and the
other one running in Tomcat 5.5.25 (target).

The target application (uses JSP pages) running in Tomcat 5.5.25 uses Form
Based Authentication as Security Constraint for the web pages inside the
application.

The source application running in Tomcat 5.0.30 programmatically authenticates
the user and obtains a jsessionid. The jsessionid thus obtained is sent to the
target web page along with other user defined parameters
(parm1=value&parm2=value) using response.sendRedirect().

But the target page (running in Tomcat 5.5.25) never receives the user defined
parameters, leading to an incorrect URL, apparently causing the Page Not Found
error.

Please note that the difference in Tomcat versions does not have anything to do
with the problem. Even when I had both the applications (contexts) running in
the same server, I saw the Page Not Found error.

Note: I have SSO turned on in my Tomcat server (hosting the target
application).

Steps to create the issue:
-------------------------

1) Create a sample JSP page in one Context that programmatically authenticates
the other application running in same server.

2) Once the jsessionid value is retrieved, form the URL, say

http://localhost:8080/myapp2/Controller;jsessionid=164037ED017BDA8818ACBF930B6AD92F?view=myPage2.jsp&parm1=value1&parm2=value2

where Controller is the servlet that directs request to the JSP page.

3) In the target server, create a JSP page (myPage2.jsp) that will simply call
the request.getParameter() to print the parameter values.

I get null as the parameter value.

Please let me know if you need more information. I turned on the log level as
debug for Catalina Core packages and I see that the RequestDumper valve does
print the queryString that contains the parameter values, while when it gets
down to the Filter/Servlet, the queryString contains only the target page (i.e.
view=myPage2.jsp) and not the parameter values.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 45710] FormAuthenticator - Request Parameters are lost after authentication

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45710

--- Comment #2 from Kamal <ka...@gmail.com>  2008-09-09 09:23:53 PST ---
Thanks Mark. I found the problem with my code where we retrieve the Jsessionid
using a URL (that does include parameters) and the first request after the
Jsessionid (authenticated using j_security_check) includes the parameters.
Obviously, the request URLs are different now and Tomcat 5.5 restores the
URL (redirect Location) with no parameters that was used to retrieve the
Jsessionid from the server.

In short, the approach I used is as follows (might help others looking for a
solution)

App A uses Form Authentication

1) Call App A (running in Server 1) through a URL (say with parameters) from
App B (running in server 2)
2) The server returns the response with Jsessionid (iterate the headers/cookies
to retrieve one)
3) Append the Jsessionid to the j_security_check along with username/password
and the response header returns the same Jsessionid (authenticated by server)
4) Now, call the App A again with the same URL we used in Step 1.



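A simplified model of the saved-request behaviour described in Comment #2, added here as an example; it is not part of the original thread and not Tomcat's code. The class, its methods and the session ids `S1`/`S2` are hypothetical, and it assumes the container keeps the first unauthenticated request per session, matches on path only, and replays the saved query string once after login.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not Tomcat source: one saved request per session,
// matched on path only, replayed once after a successful login.
public class SavedRequestModel {
    private final Map<String, String[]> saved = new HashMap<>(); // sessionId -> {path, query}
    private final Map<String, Boolean> authenticated = new HashMap<>();

    // Returns the query string the servlet would see, or null if the
    // request was intercepted and the login form was sent instead.
    public String request(String sessionId, String path, String query) {
        if (!authenticated.getOrDefault(sessionId, false)) {
            saved.put(sessionId, new String[] {path, query}); // remember the original request
            return null;
        }
        String[] s = saved.get(sessionId);
        if (s != null && s[0].equals(path)) {
            saved.remove(sessionId);  // replay happens once
            return s[1];              // saved query replaces the one just sent
        }
        return query;
    }

    // Stands in for a successful POST to j_security_check (constructed, no credential check).
    public void login(String sessionId) {
        authenticated.put(sessionId, true);
    }

    public static void main(String[] args) {
        String path = "/myapp2/Controller";
        String full = "view=myPage2.jsp&parm1=value1&parm2=value2";

        // Reported case: session obtained with a URL lacking parm1/parm2.
        SavedRequestModel a = new SavedRequestModel();
        a.request("S1", path, "view=myPage2.jsp");
        a.login("S1");
        System.out.println("reported: " + a.request("S1", path, full));

        // Comment #2 approach: steps 1 and 4 use the same URL.
        SavedRequestModel b = new SavedRequestModel();
        b.request("S2", path, full);
        b.login("S2");
        System.out.println("same URL: " + b.request("S2", path, full));
    }
}
```

In the first case the servlet sees only `view=myPage2.jsp`, which is what the reporter observed at the Filter/Servlet; in the second the parameters survive because the saved and replayed query strings are identical.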

DO NOT REPLY [Bug 45710] FormAuthenticator - Request Parameters are lost after authentication

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45710


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID


--- Comment #1 from Mark Thomas <ma...@apache.org>  2008-08-29 03:26:45 PST ---
There isn't enough information here, particularly on how the controller is
coded, to reproduce this.

This looks like an application issue at the moment and therefore this should be
explored further on the users list.

I would suggest using ieHttpHeaders or LiveHttpHeaders to confirm exactly what
the client is sending. This should enable you to construct a much simpler test
case.

If the discussion on the users list IDs a Tomcat bug, please feel free to
reopen this issue and attach the details.

