Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/12/21 19:08:10 UTC

[Bug 54340] Form-based authentication + url rewriting does not work

https://issues.apache.org/bugzilla/show_bug.cgi?id=54340

--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> ---
1. Tomcat version = ?

I'd guess that you are facing bug 53584, which was fixed in 7.0.30.


> On top of this (and perhaps related to these problems), in the actual web
> application a different session ID is actually printed.

2. As expected. See "changeSessionIdOnAuthentication" in
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

3. It works for me in 7.0.34

To be sure, I changed the <web-app> element in your web.xml to use
version="3.0" and relevant version of the schema, instead of 2.3 that you are
using.

A fragment of my access log:

127.0.0.1 - - [21/Dec/2012:20:38:59 +0400] "GET /test-form-auth/protected HTTP/1.1" 200 450
127.0.0.1 - - [21/Dec/2012:20:39:15 +0400] "POST /test-form-auth/j_security_check;jsessionid=38B9A84964A6005AA58ABC5CDA9F6367 HTTP/1.1" 302 -
127.0.0.1 - tomcat [21/Dec/2012:20:39:15 +0400] "GET /test-form-auth/protected HTTP/1.1" 200 59

Tested both with Firefox 17.0.1 and IE 8. Tomcat 7.0.34, BIO connector.


Though there are two bits of mystery:
------------------
a) Why did the access log print jsessionid in the second request, but not in
the third one? FireBug shows that there was a jsessionid in the request that
Firefox sent.

b) The page that is shown after the test. I tried to refresh it. It worked, but
it ended up with 2 jsessionid parameters in the URL (as displayed in the
address bar).



Steps to reproduce for b):

1. Go to
http://localhost:8080/test-form-auth/protected;jsessionid=84C65A4F88EFC446C0DADAC649BD53BE

2. Login form is displayed (as expected). Log in.

3. After logging in the test page is displayed (as expected),
but somehow the address bar shows 2 jsessionid path parameters in the URL:

http://localhost:8080/test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C;jsessionid=9DB72687A728F05162C1C3D1B7E94F90

Reproducible both with Firefox 17 and IE 8. Firebug shows that Location header
in the 302 response for the POST request to j_security_check had 2 jsessionid:

Location:
http://localhost:8080/test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C;jsessionid=9DB72687A728F05162C1C3D1B7E94F90

Access log:
127.0.0.1 - - [21/Dec/2012:21:06:31 +0400] "GET /test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C HTTP/1.1" 200 450
127.0.0.1 - - [21/Dec/2012:21:06:47 +0400] "POST /test-form-auth/j_security_check;jsessionid=9DB72687A728F05162C1C3D1B7E94F90 HTTP/1.1" 302 -
127.0.0.1 - tomcat [21/Dec/2012:21:06:47 +0400] "GET /test-form-auth/protected;jsessionid=C578A9AAB9E8020B438270DD65DC174C HTTP/1.1" 200 59

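The doubled jsessionid in the Location header above is the interesting part of mystery (b): the first value is the one the browser sent on the original GET, the second is the one in use after j_security_check. The following is an added example (not Tomcat's code, and not part of the bug comment) showing the two ways a redirect target can be rewritten with a session path parameter: a naive encoder that appends ;jsessionid= without looking at the path, which reproduces the doubled URL from the log, and one that first strips any jsessionid path parameter already present. It assumes the usual servlet convention that path parameters are ;name=value suffixes on a path segment and that Tomcat accepts jsessionid on any segment; whether the doubling in Tomcat 7.0.34 is caused by exactly this naive-append sequence is an assumption here, not something the comment establishes.

```python
from urllib.parse import urlsplit, urlunsplit

# Name of the session path parameter Tomcat appends when it rewrites URLs.
SESSION_PARAM = "jsessionid"


def split_path_params(path):
    """Split a request path into its plain path and the ;name=value path
    parameters attached to any segment (Tomcat looks at every segment, not
    only the last one).  Returns (clean_path, params) with params as an
    ordered list of (name, value) tuples; a parameter without '=' gets ''."""
    clean_segments = []
    params = []
    for segment in path.split("/"):
        pieces = segment.split(";")
        clean_segments.append(pieces[0])
        for param in pieces[1:]:
            if not param:
                continue
            name, _, value = param.partition("=")
            params.append((name, value))
    return "/".join(clean_segments), params


def session_ids(path):
    """Every jsessionid value carried as a path parameter, in request order.
    More than one entry means the URL was rewritten on top of an old id."""
    _, params = split_path_params(path)
    return [value for name, value in params if name == SESSION_PARAM]


def naive_append(location, session_id):
    """An encoder that ignores what is already in the URL: blindly append
    ;jsessionid=<id> to the path.  Given a saved request URI that still
    carries the pre-login id, this yields the doubled Location header."""
    parts = urlsplit(location)  # urlsplit keeps ';...' inside .path
    path = parts.path + ";" + SESSION_PARAM + "=" + session_id
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def encode_redirect_url(location, session_id):
    """Rewrite a redirect target so it carries exactly one jsessionid: drop
    every jsessionid path parameter already present on any segment (other
    path parameters such as ;v=2 are kept where they are), then append the
    current id to the last path segment, ahead of any query string."""
    parts = urlsplit(location)
    segments = []
    for segment in parts.path.split("/"):
        pieces = segment.split(";")
        kept = [p for p in pieces[1:]
                if p and p.partition("=")[0] != SESSION_PARAM]
        segments.append(";".join([pieces[0]] + kept))
    path = "/".join(segments) + ";" + SESSION_PARAM + "=" + session_id
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Values taken from the access log in the comment above.
    saved_uri = ("http://localhost:8080/test-form-auth/protected"
                 ";jsessionid=C578A9AAB9E8020B438270DD65DC174C")
    current_id = "9DB72687A728F05162C1C3D1B7E94F90"
    doubled = naive_append(saved_uri, current_id)
    print("naive  :", doubled)
    print("ids    :", session_ids(urlsplit(doubled).path))
    print("correct:", encode_redirect_url(saved_uri, current_id))
```

Running the block prints the two-parameter URL from the Location header above under "naive", lists both ids it carries, and prints the single-id form under "correct". The same split_path_params helper is what you would use when auditing access logs for requests that arrive with a session id already in the path, which is the input that a session-fixation attempt via URL rewriting looks like.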