Hi... I have a JSP application in Tomcat 4.1.18. I'm trying to restrict it to only some roles. How can I define a security constraint for an application in the web.xml file? Is it necessary to put some code in /conf/server.xml too? Could somebody post an example...
Thanks... I checked it. It's what I was looking for... but why does the JSP example send me a 404 error when I log in, then go back and log in with a wrong password? Do I need to initialize the session again? How can I fix it?
Note that the form elements are named j_username and j_password, and that the action is j_security_check.
The action must be j_security_check, so that the container knows "that means forward this request to my internal authorization code, which expects something called j_username and j_password". You can customize login.jsp any other way, but that action and those form field names MUST be used if you want container-managed security to work.
One of the things that the container probably does, as an efficiency test, is to check first whether the user making the request is ALREADY logged in. Why authenticate when they've already been authenticated?
Because you just clicked "back", you are not logged out, so your session continues to be valid. When the container receives your second request (the one with a bad password), it sees you are already logged in, and it will "pass off" the request to the web application that is being protected. *THAT* application does not have a resource mapped to j_security_check, and so you get the 404.
The solution is to log out with the link provided on index.jsp (the page you see after a successful login).
Thanks for your help. Your explanation helps me to understand. But how can I prevent users from using the "back" button? Or is it better to use another method to authenticate?...