Security Form login problem

Marco Fung
Greenhorn

Joined: Jul 25, 2005
Posts: 7
Hi, I have a problem when using a FORM authentication method in my web app.

My DD is as follows:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/loginPage.html</form-login-page>
    <form-error-page>/loginError.html</form-error-page>
  </form-login-config>
</login-config>

I have no problem triggering loginPage.html when I try to access an authentication-required servlet that uses a doPost() method without doGet().

When I type in an invalid username/password pair, it goes to the loginError.html page.

However, when I type in a valid username/password pair, I am forwarded to an error page:

--> HTTP 405 : HTTP method GET is not supported by this URL

But when I use the same browser and try to access the same servlet again, it goes through with no problem and generates the expected output.

Can anyone please tell me what happened? I use Tomcat 5.0.28
Arul Prasad
Ranch Hand

Joined: Jan 20, 2005
Posts: 57
I am not very clear on your question. Can you paste your servlet code?

And I need to know whether you set the page transition for the success case, i.e. the user enters the login ID/password correctly?

With Regards
Arul
Sergey Tyulkin
Ranch Hand

Joined: May 10, 2005
Posts: 87
Does your <form> element (in HTML or JSP) have a method attribute with the value "POST"?
Marco Fung
Greenhorn

Joined: Jul 25, 2005
Posts: 7
This is the servlet code:

package com.example.web;

import com.example.model.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;

public class BeerSelect extends HttpServlet {

    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {

        res.setContentType("text/html");
        PrintWriter out = res.getWriter();

        out.println("Beer Selection Advice<br>");
        String c = req.getParameter("COLOR");

        BeerExpert be = new BeerExpert();
        List result = be.getBrands(c);

        req.setAttribute("styles", result);

        RequestDispatcher view = req.getRequestDispatcher("result.jsp");
        view.forward(req, res);
    }
}

And this is my DD:

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <security-constraint>
    <web-resource-collection>
      <!-- web-resource-name is required by the 2.4 schema -->
      <web-resource-name>SelectBeer</web-resource-name>
      <url-pattern>/SelectBeer.do</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- one role-name per security-role element -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
  <security-role>
    <role-name>guest</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/loginPage.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errorPage.jsp</location>
  </error-page>

  <servlet>
    <servlet-name>Ch3 Beer</servlet-name>
    <servlet-class>com.example.web.BeerSelect</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>Ch3 Beer</servlet-name>
    <url-pattern>/SelectBeer.do</url-pattern>
  </servlet-mapping>

  <context-param>
    <param-name>mainEmail</param-name>
    <param-value>main@abc.com</param-value>
  </context-param>
</web-app>

And this is my loginPage.html:

<html><body>
  Please login:

  <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="submit" value="Enter">
  </form>

</body></html>
Paolo Metafune
Ranch Hand

Joined: Aug 22, 2005
Posts: 34
The problem isn't you but Tomcat 5.
It incorrectly handles the combination of form-based authentication and the POST method. So when you type in your user and password correctly, it authenticates correctly but then generates a GET request instead of the POST request. Because doGet() is not implemented, you receive an error. If you implement doGet(), it should work fine. Or change the authentication mode (to BASIC) and restart Tomcat.

Bye.
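
An added example, not code from any poster in this thread: the security-constraint in the posted DD lists only `<http-method>POST</http-method>`, so a `doGet()` added as suggested above is not covered by that constraint. The sketch below adds `doGet()` and repeats the role check in code so both methods require the roles from the posted `<auth-constraint>`. The class name `BeerSelectGuarded` is hypothetical; `BeerExpert` is the original poster's model class, which is not shown on the page.

```java
package com.example.web;

import com.example.model.BeerExpert; // poster's model class, not shown on the page
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;

// Hypothetical variant of the BeerSelect servlet from the thread (added example).
public class BeerSelectGuarded extends HttpServlet {

    // Roles copied from the <auth-constraint> in the posted DD.
    private static final String[] ALLOWED_ROLES = { "member", "admin" };

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        handle(req, res);
    }

    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        handle(req, res);
    }

    private void handle(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        // The DD constrains POST only, so enforce the roles here for every method.
        if (!callerIsAllowed(req)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // A request that arrives as GET after login may not carry the form field.
        String color = req.getParameter("COLOR");
        if (color == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "COLOR parameter is required");
            return;
        }
        List result = new BeerExpert().getBrands(color);
        req.setAttribute("styles", result);
        RequestDispatcher view = req.getRequestDispatcher("result.jsp");
        view.forward(req, res);
    }

    private static boolean callerIsAllowed(HttpServletRequest req) {
        if (req.getUserPrincipal() == null) {
            return false; // not authenticated by the container
        }
        for (int i = 0; i < ALLOWED_ROLES.length; i++) {
            if (req.isUserInRole(ALLOWED_ROLES[i])) {
                return true;
            }
        }
        return false;
    }
}
```

Removing the `<http-method>` element from the `<web-resource-collection>` makes the constraint apply to all HTTP methods, so the container then requires the login for GET as well and the in-code check becomes a second layer.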