FAQ
I'm trying to set up form-based authentication in a JSF Application on
Tomcat 5.5.4. I've got a login page, a welcome page and an error page. On
entering the right username and password I get redirected to welcome.jsp.
On entering the wrong credentials IE displays my custom error.html with a
link back to login.html where I can try with the right password again. So
far so good.

Firefox 2.0, however, displays "HTTP Status 403 - Access to the requested
resource has been denied" if the wrong credentials are entered. I can't get
back to the login page anymore, even with the back button in the browser.
Logging in with the correct credentials works as expected.

I understand that Tomcat forwards control to the error page configured in
web.xml if authentication fails. I can't see any browser dependency here.
Or does it do a redirect, i.e. go back to the browser first?

When setting up the application I followed Sun's Java 5 EE Tutorial
(Chapter 30: Securing Web Applications) leaving out the mapping of roles to
user groups as I haven't got any server groups.

The settings in the Tomcat admin application, which works fine, seem to be
equivalent to mine although hard to compare as it is Struts and mine is JSF.

I've got an index.jsp file which takes me into the faces context. Could
that cause problems?

Help is appreciated very much.
Marcel


<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>sec24</display-name>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <security-role-ref>
      <role-name>loginUser</role-name>
      <role-link>loginUser</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>loginUser</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>security</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>loginUser</role-name>
  </security-role>
</web-app>




--
dipl. geogr. Marcel Frehner
Wissenschaftlicher Mitarbeiter
Eidgenössische Forschungsanstalt für Wald, Schnee und Landschaft WSL
Abteilung Landschaftsinventuren
Zürcherstrasse 111
8903 Birmensdorf

Tel. +41-44-739 26 83
[email protected]
http://www.wsl.ch

----------------------------


---------------------------------------------------------------------
To start a new topic, e-mail: [email protected]
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

  • David Delbecq at Jan 22, 2007 at 3:29 pm
    I see several potential problems as a side note before the core problem...
    First, you map your security constraint to /*, that means *nothing* in
    your webapp will be accessible prior to login, this includes pictures, css.
    Second, be aware to never access login.html directly, it should be
    Tomcat that sends the content of login.html to the user upon needing
    authentication. To make your test, for example, direct your browser to
    /index.html (yes, authentication takes place even if the file does not
    exist :p). Take this into account when adding a 'link' to the login form in
    your error document.

    Now, the core of the problem. Tomcat sends an error 403 header along with the
    content of your error page. This happens when your credentials have been
    accepted, you are authenticated, but you don't have the required
    access right. (Common example: you are a 'user' but not an 'admin', you
    try to access the admin panel, Tomcat will refuse you, but not present
    you the authentication form because you are already identified.)


  • Marcel Frehner at Jan 22, 2007 at 4:06 pm
    Thank you for your answer David. My conclusion would be to move my
    protected resources to a separate folder and adjust my web.xml accordingly.
    Of course you were absolutely right about the 403 status. My Firefox had an
    existing but not authorised user stored and I kept testing with that one.

    And instead of a link from the error.html back to the login.html, I would
    either add a login form to the error page or link to a page that needs
    authentication and causes Tomcat to return the login form again, wouldn't I?

    I think I understand that now, thanks!
    Marcel
  • David Delbecq at Jan 23, 2007 at 12:26 pm
    On 01/22/07 at 17:05, Marcel Frehner wrote:
    > Thank you for your answer David. My conclusion would be to move my
    > protected resources to a separate folder and adjust my web.xml
    > accordingly. Of course you were absolutely right about the 403 status.
    > My Firefox had an existing but not authorised user stored and I kept
    > testing with that one.
    >
    > And instead of a link from the error.html back to the login.html, I
    > would either add a login form to the error page or link to a page that
    > needs authentication and causes Tomcat to return the login form again,
    > wouldn't I?
    Add a link on the error page back to an area needing authentication, so
    Tomcat shows the login again.
    > I think I understand that now, thanks!
    > Marcel

Discussion Overview
group: users @
category: tomcat
posted: Jan 22, '07 at 3:11p
active: Jan 23, '07 at 12:26p
posts: 4
users: 2
website: tomcat.apache.org
irc: #tomcat

2 users in discussion: Marcel Frehner (2 posts), David Delbecq (2 posts)