List: tomcat-user
Subject: Re: 404 for j_security_check
From: Christopher Schultz <chris () christopherschultz ! net>
Date: 2024-03-15 16:18:43
Message-ID: d08ac627-94bf-4b16-b530-4e9813438f62 () christopherschultz ! net
Rick,
On 3/14/24 15:37, Rick Noel wrote:
> After moving from tomcat 9 to tomcat 10 after a user successfully
> logs in and then hits a restricted page, the login page is hit again
> but on this second login hit I get 404 page not found
This is actually expected, since j_security_check is only supposed to be
used when the container (Tomcat) interrupts a user workflow to request
authentication.
> How do I set the correct path in my login jsp so that
> j_security_check is found?
>
> BTW I actually am wondering why a successful logged on user would
> even be sent to the log in page again?
That's more of a question for your application than anything else.
> My login page is -> /membership/login.jsp
>
> Here is how I set the path to j_security_check in above login.jsp
>
> <form name="login_form" action='j_security_check' method='POST'>
>
> My restricted web.xml snippet............
Are you doing what I call a "direct login" where you have a "login page"
that most users hit first. Like from example.com/app/ where there is no
initial request for a protected resource? Or are your users always (1)
requesting a protected resource then (2) Tomcat requests authentication
then (3) the user is forwarded to the resource originally requested in (1)?
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>External</web-resource-name>
>     <url-pattern>/external/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>radiovoodoo</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Auth</web-resource-name>
>     <url-pattern>/auth/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>radiovoodoo</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/membership/login.jsp</form-login-page>
>     <form-error-page>/membership/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
Those <transport-guarantee>NONE</transport-guarantee> lines look weird
to me. Why are you explicitly specifying those? What part of your
configuration actually requests authentication and authorization?
-chris
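
Added example, not part of the original thread and not Tomcat code: a small Python check that reads a web.xml, lists which URL patterns make the container request authentication, and flags constraints that require a role but not TLS, plus login or error pages that fall under a protected pattern. The function names and the condensed sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's constraints and login-config, condensed into a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/external/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>radiovoodoo</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/auth/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>radiovoodoo</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><form-login-config>
    <form-login-page>/membership/login.jsp</form-login-page>
    <form-error-page>/membership/error.jsp</form-error-page>
  </form-login-config></login-config>
</web-app>"""

def find_all(node, name):
    # Compare local names so javaee/jakartaee-namespaced descriptors also work.
    return [e for e in node.iter() if e.tag.rsplit('}', 1)[-1] == name]

def matches(pattern, path):
    """Servlet url-pattern match: '/prefix/*', '*.ext', default '/', or exact."""
    if pattern.endswith('/*'):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith('*.'):
        return path.endswith(pattern[1:])
    return pattern == '/' or pattern == path  # '/' treated as match-all here

def audit(xml_text):
    """Return (patterns that trigger authentication, list of findings)."""
    root, protected, findings = ET.fromstring(xml_text), [], []
    for sc in find_all(root, 'security-constraint'):
        pats = [e.text.strip() for e in find_all(sc, 'url-pattern')]
        tg = [e.text.strip() for e in find_all(sc, 'transport-guarantee')]
        if find_all(sc, 'auth-constraint'):
            protected += pats
            if tg != ['CONFIDENTIAL']:
                findings.append(f"{pats}: login required but TLS is not ({tg or 'no guarantee'})")
    for tag in ('form-login-page', 'form-error-page'):
        for page in (e.text.strip() for e in find_all(root, tag)):
            if any(matches(p, page) for p in protected):
                findings.append(f"{tag} {page} is itself behind a constraint")
    return protected, findings

if __name__ == '__main__':
    print(*audit(WEB_XML)[1], sep='\n')
```

For the descriptor quoted in the thread, only `/external/*` and `/auth/*` trigger authentication, and `/membership/login.jsp` lies outside both, so it can be requested directly without Tomcat having intercepted a protected request.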