REALM question

[Rusty Bawa]

Greetings,
I was wondering if anyone found a workaround the following mystery.
I have a tomcat ver. 5-24 that uses realm authentication.

I use form authentication, which, by the way, work great. Below is the
snip from my web.xml file

<security-constraint>
<web-resource-collection>
<web-resource-name>User Section</web-resource-name>
<description>no description</description>
<url-pattern>/protected/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>no description</description>
<role-name>tomcat</role-name>
</auth-constraint>
<user-data-constraint>
<description>no description</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>


<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp?error=true</form-error-page>
</form-login-config>
</login-config>


when i try to access any files in the protected directory i am
redirected to
login.jsp, as expected. the IE location bar says
http://xxx.xxx.xxx.xxx/login.jsp
when i enter incorrect name/password i am redirected back to login.jsp
with querystring error=true. so the above configuration works.
But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
confusing to users.

Any help is appreciated.

Rus

 

[Ryan Stewart]

But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
confusing to users.

This is a browser thing and a source of continual headaches to web
developers. Consider Struts where everything is (should be) done by an
action. Suppose you want to add a user or something. What do you do? Fill
out the form, click submit, and what's in the address bar? The add action.
So if you hit refresh, it'll try to add again. Of course Struts has a method
to prevent things like this, but the short answer to your question (too
late, huh?) is not without writing an intermediate page that will redirect
you to your login page.

I have a question for you, though. I've recently been experimenting with
container managed security, and have hit a problem. I notice you don't seem
to be using SSL for your login form. Have you tried it? I'm using Tomcat
4.1.30 with SSL. Basic authentication works fine, but when I try form based
auth, it uses secure protocol, but on the wrong port. It tries to access
https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
should be trying 8081, which I set as the secure port. Have you run into
this? I can't figure out what's wrong.

 

[Jimbo Johnes]

I do not know how, but this can be done.
Check www.vectrics.com
going to http://www.vectrics.com/recruit/profile requires
authentication so you are forwarded to
http://www.vectrics.com/recruit/util/login.do
Hit sign in button and check the location bar.

Again I do not know who this is done.

 

[Oscar kind]

I've recently been experimenting with
container managed security, and have hit a problem. I notice you don't seem
to be using SSL for your login form. Have you tried it? I'm using Tomcat
4.1.30 with SSL. Basic authentication works fine, but when I try form based
auth, it uses secure protocol, but on the wrong port. It tries to access
https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
should be trying 8081, which I set as the secure port. Have you run into
this? I can't figure out what's wrong.

Assuming that both connectors are configured, does the connector for port
8080 know that the secure port is 8081? I forgot that one once...


Oscar

 

[Ryan Stewart]

Assuming that both connectors are configured, does the connector for port
8080 know that the secure port is 8081? I forgot that one once...


Oscar

Snippet from my connectors:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" ...
port="8080" ... redirectPort="8081" scheme="http" secure="false" ...>
<Factory
className="org.apache.catalina.net.DefaultServerSocketFactory"/>
</Connector>
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" ...
port="8009" ... redirectPort="8081" scheme="http" secure="false" ... >
<Factory
className="org.apache.catalina.net.DefaultServerSocketFactory"/>
</Connector>
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8081" ... scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
clientAuth="false" keystoreFile=".keystore" protocol="TLS"/>
</Connector>

Isn't that all the important stuff? This is the same problem that you
replied to about a week ago under subject: "J2EE container managed
security". If you recall from that post, other redirects work fine from the
nonsecure to the secure port, but when I try to use form-based
authentication with <transport-guarantee>CONFIDENTIAL</transport-guarantee>,
it tries to access the nonsecure port with https. Unless I'm mistaken, it's
*supposed* to go to the secure port for the login. It only makes sense for
it to. It just seems like it only makes it halfway there. I've even
downloaded some example code of form-based authentication. One was a
complete webapp. But all of the examples I see don't use a
transport-guarantee or use NONE, and when I plug in CONFIDENTIAL, it causes
this problem.