
j_security_check and apache httpd ProxyPass

Antal Bos

Joined: Feb 21, 2011
Posts: 3
Hi all,

When I go to this URL of my site:
My Apache httpd proxy passes this to my local machine http://localhost:8080/appname/admin/page.jsp
I get a login page that is located here: http://localhost:8080/appname/login/login.jsp
This page is configured in the web.xml in the element <login-config>
And this login page uses the j_security_check of Tomcat.
So far so good.....

When I log in, I'm getting back this URL:
But this is not correct and should be:
Anyone know how I can solve this?

For now I just pass that new URL:
to this: http://localhost:8080/appname/login/login.jsp
This last is working fine, but that new URL is not what I like very much.

Best regards,
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

Welcome to the JavaRanch, Antal!

J2EE container security doesn't work quite like that, and neither do Tomcat URLs. In Tomcat, the "application" part of the URL is properly known as the application context. Since a Tomcat server can host multiple applications, that part of the URL tells Tomcat which application to route requests to.

The only way to avoid having the "application" in the URL is to deploy the webapp under the Root context, which has the "application" of "/". However, that would be a separate application from an application deployed under a context such as "myappname", and since 2 applications cannot communicate directly, having a login page under the root context wouldn't help the "myappname" context.

That's part of your problem.

The other part is your login page. In J2EE, you cannot route to the login and loginfail pages directly. Those pages are not processed in the usual way by the webapp, so attempting to specify "j_security_check" on a user-submitted page will fail.

What actually happens is that if Tomcat sees a request for a secured URL, it will sideline that request, look in the web.xml for the login page location, and send back the login page to the user. The user then submits the form on that page and Tomcat itself (NOT the application) processes the j_security_check. The application never actually sees the login happen.

If you want some really down-and-dirty details on how the whole process works, look back in this forum to about the middle of last week and you'll find a thread where I outlined the process more completely.

An IDE is no substitute for an Intelligent Developer.
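
The container-managed form login described in the reply above, written out as a deployment descriptor. This is an added example, not part of the original thread; the role name `admin` and the error page path `/login/error.jsp` are assumptions, while the other paths come from the URLs in the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the webapp deployed under the context /appname.
     Added illustration; role name and error page path are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Any request matching this pattern is intercepted by Tomcat before
       the application sees it. Paths are relative to the context, so
       this covers /appname/admin/page.jsp. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No <http-method> elements: the constraint applies to all methods. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Tomcat serves this page itself when an unauthenticated request hits
       the constraint above. It lives outside /admin/* so it is reachable
       without a login, and it is never linked to directly. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- login.jsp posts the fields j_username and j_password to the relative
       action "j_security_check". Tomcat handles that POST inside the same
       context and then replays the request it had set aside; no servlet
       or JSP of the application is mapped to it. -->
</web-app>
```
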
Antal Bos

Joined: Feb 21, 2011
Posts: 3
Hi Tim,

A very clear explanation.
As I read your text about that application-context-name, it sounds pretty logical with that multi-hosted Tomcat application (which I also intended to do).

I never directly link to those login/error_login pages.
In the web.xml I have indeed only that <security-constraint> element that points to my admin-folder and uses those login-pages.
Also I didn't know that only Tomcat (not the application) handles that request. Learned something there, but sounds also logical!

This is what I was thinking about now:
Is it not in some way possible to change the URL from my Apache httpd proxy config-file?
I read some information about URL rewriting, but not sure if that is going to work.

Is this last the right way of working or is it then even better to use a framework like Apache Shiro?

Thanks in advance.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

I'm not totally sure I understood that, but the actual URL for the login form is the property of Tomcat and isn't something you are entitled to change.

If you're using a proxy URL, the translated URL does have to retain the context ID of the webapp just like normal webapp URLs do. You cannot have a different context for the login than for the application.

While it's possible you may be able to finagle something, solutions like that have a bad habit of breaking down at the most inconvenient time (Murphy's Law), so I don't recommend trying to out-clever it.
Antal Bos

Joined: Feb 21, 2011
Posts: 3
Hi Tim,

The solution is even simpler than I thought!
When I go to my page
After login I get to this page:
This page is indeed not there (because the URL has that appname), but now I just created a page on that location with this content:
String redirectURL = "";

This gets me back what i want.
Let me know if this is also a bad habit or a nice easy solution?

Thanks for your replies and your help. It brought me further to a nice web-application!