J2EE Tomcat Authentication

J2EE Tomcat Authentication

johnecobo
I am trying to limit access to an entire application
to logged in users.  I've followed the
'authentication' example the best I can, but I'm
getting odd results.
(1) the CSS seem to not get applied sometimes, and
(2) the appln. does not seem to know where to go after
entering the correct userid and password.  That is on
submitting the form with action /j_security_check I
get something like a JavaScript, CSS, or jpeg file in
the browser.  Login has worked because then typing in
a secured URL is successful.

The behavior is not consistent and seems to relate to
the browser cache.

Any Suggestions ?  (using OPS 2.7 and Tomcat 5)




               



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
Re: J2EE Tomcat Authentication

Alessandro  Vernet
Administrator
On 9/2/05, John Cobo <[hidden email]> wrote:
> I am trying to limit access to an entire application
> to logged in users.  I've followed the
> 'authentication' example the best I can, but I'm
> getting odd results.
> (1) the CSS seem to not get applied sometimes, and

Hi John,

This often happens when authentication is required to access the CSS.
So you should make sure to set up the paths in your web.xml so that the
CSS file can be accessed without being authenticated.

> (2) the appln. does not seem to know where to go after
> entering the correct userid and password.  That is on
> submitting the form with action /j_security_check I
> get something like a java script, CSS, or jpeg file in
> the browser.  Login has worked because then typing in
> a secured URL is successful.

Usually with Tomcat you go to a protected page with your browser,
Tomcat redirects you to the login page, and after you have
successfully logged in Tomcat brings you back to the page you were
trying to access in the first place, whatever page that was. Is the
system behaving differently for you?

Alex



Re: J2EE Tomcat Authentication

johnecobo
Thanks that fixed it.  

The re-direct problem was related to the CSS location.

One question remains though.  My start page is set to
"/" as one might expect.  The page-flow directs this
to nextgen/home/main, but the security does not
intercept this.  I don't see how I could move the css
files above  "/" in the file structure ?

John C.
 
Re: J2EE Tomcat Authentication

dsmall-2

On Sun, 4 Sep 2005 22:01:02 +0100 (BST), "John Cobo"
<[hidden email]> said:
> Thanks that fixed it.  
>
> The re-direct problem was related to the CSS location.
>
> One question remains though.  My start page is set to
> "/" as one might expect.  The page-flow directs this
> to nextgen/home/main, but the security does not
> intercept this.  I don't see how I could move the css
> files above  "/" in the file structure ?

John,

I am jumping in as Alex is on vacation.  Could you send me
your web.xml and page-flow.xml?

-- Thanks, Dan S


Re: J2EE Tomcat Authentication

johnecobo
OK, here is an extract from web.xml:
============================================
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Nextgen</web-resource-name>
            <url-pattern>/nextgen/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>nextgen</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/nextgen/authentication/main/login</form-login-page>
            <form-error-page>/nextgen/authentication/main/login-error</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>nextgen</role-name>
    </security-role>
================================================
The important parts of page-flow.xml are:
================================================
<!-- commented out for now because it bypasses Tomcat security
    <page id="start" path-info="/">
        <action>
            <result page="home"/>
        </action>
    </page>
-->
<page id="home" path-info="/nextgen/home/main"
      view="home/main/home-view.xsl"
      xforms="home/main/form.xml" model="/config/model.xpl">
......
================================================
The directory structure is:
nextgen/WEB-INF/resources/web.xml
nextgen/WEB-INF/resources/nextgen/page-flow.xml
nextgen/WEB-INF/resources/nextgen/home/main

See the '<page id="start" path-info="/">'.  It seems
that Tomcat applies security to '/' which is not
secured because that caused problems with css and js
files rather than the resulting 'home' page.

John C.

Re: J2EE Tomcat Authentication

dsmall-2
Ok, thanks.  However I cannot seem to reproduce
the problem.  What I tried was the following :


PFC :
<c:page path-info='/' id="home">
  <c:action>
    <c:result page='test' />
  </c:action>
</c:page>

<c:page id='test' path-info='/content/test' xforms="test-form.xml"
view='test-view.xml' >
    <c:action when="/action = 'logout'" action="logout.xpl" >
        <c:result page="home"  />
    </c:action>
</c:page>

<c:page path-info="/login" xforms="login-form.xml"
view="login-view.xsl"/>

web.xml :

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>res1</web-resource-name>
            <url-pattern>/content/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>role1</role-name>
        </auth-constraint>
    </security-constraint>
   
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login</form-login-page>
        </form-login-config>
    </login-config>

Launch browser and try to access /content/test
( Got login page then /content/test )

Launch browser and try to access /
( Got login page then /content/test )

Launch browser and try to access /content/test, login,
then try to access /
( Got login page, then /content/test, then
/content/test again )

Launch browser and try to access /content/test, login,
logout, then try to access /
( Got login page, then /content/test, then
login page again, then /content/test )

Note the second to last scenario, the one where I
did not logout.  I was able to access /content/test
via / without a login prompt.  Could this be
what you're seeing?  That is, are you testing access
through '/' when you already have a valid session?

-- Regards, Dan S





Re: J2EE Tomcat Authentication

damonrand
Hi,
    My security constraint looks like this..

<web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/</url-pattern>
</web-resource-collection>

Notice that I don't use a /*. I believe Tomcat doesn't need it.. Maybe this
might make a difference.

Damon.


Re: J2EE Tomcat Authentication

Erik Bruchez
Administrator
Damon Rand wrote:

> Hi,
>     My security constraint looks like this..
>
> <web-resource-collection>
>       <web-resource-name>secure</web-resource-name>
>       <url-pattern>/</url-pattern>
> </web-resource-collection>
>
> Notice that I don't use a /*. I believe Tomcat doesn't need it.. Maybe this
> might make a difference.
Also, check that when you do a redirect of this type, your page flow
uses an actual client-side redirect. Unless I am mistaken, server-side
redirect, AKA forward, doesn't hit J2EE authentication.

So try this in your page flow:

<page id="start" path-info="/">
   <action>
     <result page="home" instance-passing="redirect"/>
   </action>
</page>

-Erik
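
The two behaviours discussed in this thread (a page flow forward that is never re-checked, and static files caught by a constraint), modelled as an added example that is not part of the original thread and is not Tomcat or Orbeon code. It applies the Servlet specification's url-pattern precedence to the constraint and paths John posted; the `/static/` path, the `*.css` constraint and all function names are constructed for illustration.

```python
"""Constructed model (not Tomcat or Orbeon code) of per-request constraint checks."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    url_pattern: str
    roles: tuple = ()  # empty: no <auth-constraint>, so the path is public


def match_rank(pattern, path):
    """Rank a url-pattern match using the Servlet spec order:
    exact > longest path prefix (/x/*) > extension (*.ext) > default (/)."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def find_constraint(constraints, path):
    """Return the single best-matching constraint, or None if the path is uncovered."""
    ranked = [(match_rank(c.url_pattern, path), c) for c in constraints]
    ranked = [(r, c) for r, c in ranked if r is not None]
    return max(ranked, key=lambda rc: rc[0])[1] if ranked else None


def container_check(constraints, path, user_roles=None):
    """Decision the container makes for one incoming HTTP request."""
    c = find_constraint(constraints, path)
    if c is None or not c.roles:
        return "allow"
    if user_roles is None:
        return "login"  # FORM auth: remember the request, show the login page
    return "allow" if set(c.roles) & set(user_roles) else "forbidden"


def browse(constraints, page_flow, start, user_roles=None):
    """Follow one navigation. Returns (checks, rendered): every (path, decision)
    the container evaluated, and the page finally rendered (None if blocked)."""
    checks, path = [], start
    for _ in range(5):  # guard against redirect loops
        decision = container_check(constraints, path, user_roles)
        checks.append((path, decision))
        if decision != "allow":
            return checks, None
        if path not in page_flow:
            return checks, path
        target, mode = page_flow[path]
        if mode == "forward":
            return checks, target  # same request: the target is never checked
        path = target  # client-side redirect: the browser sends a new request
    raise RuntimeError("redirect loop")


# Constraint and paths taken from the web.xml / page-flow.xml posted in the thread.
NEXTGEN = [Constraint("/nextgen/*", ("nextgen",))]
HOME = "/nextgen/home/main"

# Constructed variants: protect everything, then try two ways to exempt stylesheets.
# The /static/ path is hypothetical.
PROTECT_ALL_EXT = [Constraint("/*", ("nextgen",)), Constraint("*.css")]
PROTECT_ALL_PREFIX = [Constraint("/*", ("nextgen",)), Constraint("/static/*")]

if __name__ == "__main__":
    # Anonymous visitor hitting "/" with each kind of page-flow result.
    for mode in ("forward", "redirect"):
        print(mode, browse(NEXTGEN, {"/": (HOME, mode)}, "/"))
    # An extension pattern loses to the "/*" prefix; a longer prefix wins.
    for rules in (PROTECT_ALL_EXT, PROTECT_ALL_PREFIX):
        print(container_check(rules, "/static/site.css"))
```
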


