List:       tomcat-user
Subject:    Re: 404 for j_security_check
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2024-03-15 16:18:43
Message-ID: d08ac627-94bf-4b16-b530-4e9813438f62 () christopherschultz ! net

Rick,

On 3/14/24 15:37, Rick Noel wrote:
> After moving from Tomcat 9 to Tomcat 10, after a user successfully
> logs in and then hits a restricted page, the login page is hit again,
> but on this second login hit I get 404 page not found.

This is actually expected, since j_security_check is only supposed to be 
used when the container (Tomcat) interrupts a user workflow to request 
authentication.

> How do I set the correct path in my login jsp so that
> j_security_check is found?
> 
> BTW I actually am wondering why a successfully logged-on user would
> even be sent to the login page again?

That's more of a question for your application than anything else.

> My login page is -> /membership/login.jsp
> 
> Here is how I set the path to j_security_check in above login.jsp
> 
> <form name="login_form" action='j_security_check' method='POST'>
> 
> My restricted web.xml snippet............

Are you doing what I call a "direct login" where you have a "login page" 
that most users hit first, like from example.com/app/ where there is no 
initial request for a protected resource? Or are your users always (1) 
requesting a protected resource then (2) Tomcat requests authentication 
then (3) the user is forwarded to the resource originally requested in (1)?

> <security-constraint>
> <web-resource-collection>
> <web-resource-name>External</web-resource-name>
> <url-pattern>/external/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>radiovoodoo</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Auth</web-resource-name>
> <url-pattern>/auth/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>radiovoodoo</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/membership/login.jsp</form-login-page>
> <form-error-page>/membership/error.jsp</form-error-page>
> </form-login-config>
> </login-config>

Those <transport-guarantee>NONE</transport-guarantee> lines look weird 
to me. Why are you explicitly specifying those? What part of your 
configuration actually requests authentication and authorization?

-chris
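
As an added example (not from this thread or from the Tomcat project), the following Python script audits the descriptor quoted above: it lists the URL patterns that prompt for login, checks whether the login page itself is protected, resolves the relative `j_security_check` form action, and flags constraints whose `transport-guarantee` of `NONE` lets the protected pages and the login POST travel over plain HTTP. The `<web-app>` wrapper, the condensed XML layout and the helper names `texts`, `matches` and `audit` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed input: the descriptor quoted in the thread, condensed and wrapped
# in a <web-app> root so it parses on its own.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><url-pattern>/external/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>radiovoodoo</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/auth/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>radiovoodoo</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><form-login-config>
  <form-login-page>/membership/login.jsp</form-login-page>
</form-login-config></login-config>
</web-app>"""

def texts(node, name):
    """Text of every descendant called `name`, ignoring any XML namespace."""
    return [e.text.strip() for e in node.iter() if e.tag.split("}")[-1] == name and e.text]

def matches(pattern, path):
    """Servlet url-pattern rules: /prefix/*, *.ext, default "/", or exact match."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in ("/", path)

def audit(web_xml, form_action):
    root = ET.fromstring(web_xml)
    protected, cleartext = [], []
    for sc in (e for e in root.iter() if e.tag.split("}")[-1] == "security-constraint"):
        if not texts(sc, "role-name"):
            continue  # constraint lists no roles, so it never prompts for login
        patterns = texts(sc, "url-pattern")
        protected += patterns
        # NONE (also the default when omitted) allows these URLs over plain HTTP
        if (texts(sc, "transport-guarantee") or ["NONE"])[0] == "NONE":
            cleartext += patterns
    login_page = texts(root, "form-login-page")[0]
    return {"protected": protected,
            "cleartext_allowed": cleartext,
            "login_page_protected": any(matches(p, login_page) for p in protected),
            # where the browser sends the POST, relative to the context root
            "form_posts_to": urljoin(login_page, form_action)}
```

Calling `audit(WEB_XML, "j_security_check")` reports that only `/external/*` and `/auth/*` prompt for login, that `/membership/login.jsp` sits outside both patterns (so it can be requested directly, the "direct login" case asked about above), and that the form posts to `/membership/j_security_check`.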
