Web.xml: security-constraint [un]usable in JSF?

<security-constraint> in web.xml is a simple, effective and portable method of declaring a web application's security policies.
It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has its limitations in the context of JSF.
A reasonable solution would be to consult the <security-constraint> elements in one's own web.xml when rendering <h:commandLink>s on a page, according to the security policy.
Unfortunately, there is no standard method of reading web.xml, other than what's available from the ServletContext.
I found some container-specific implementations in the Cargo project at http://cargo.codehaus.org,
but I'm looking for a portable solution. Any thoughts?
Thanks, y'all!

Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
Bean code:
this.isAdmin = context.getExternalContext().isUserInRole("admin");
web.xml:
    <security-role>
        <role-name>Local Admin Group</role-name>
    </security-role>
    <security-role>
        <role-name>DBA Group</role-name>
    </security-role>
    <!-- Faces Servlet -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <security-role-ref>
            <role-name>admin</role-name>
            <role-link>DBA Group</role-link>
        </security-role-ref>
        <security-role-ref>
            <role-name>admin</role-name>
            <role-link>Local Admin Group</role-link>
        </security-role-ref>
    </servlet>
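As an added illustration (my code, not code from the thread), here is the one-line bean check above grown into a request-scoped managed bean that h:commandLink's rendered attribute can consult. The bean name, package and the JSF 2 annotations are assumptions; under JSF 1.x the same class is registered in faces-config.xml instead. The logical role "admin" is the one the security-role-ref on the Faces Servlet maps to a real group.

```java
// Added example, not from the thread: a managed bean exposing the container's
// role decision to the page. Package, class and bean names are hypothetical.
package example.security;

import javax.faces.bean.ManagedBean;     // JSF 2.x; JSF 1.x: declare the bean in faces-config.xml
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

@ManagedBean(name = "securityBean")
@RequestScoped
public class SecurityBean {

    // Logical role name as used by the application. The container resolves it
    // through the Faces Servlet's <security-role-ref>/<role-link> to the real group,
    // so the page never needs to know the LDAP group names.
    private static final String ROLE_ADMIN = "admin";

    /** True when the current caller holds the logical "admin" role. */
    public boolean isAdmin() {
        return externalContext().isUserInRole(ROLE_ADMIN);
    }

    /** True when the container has authenticated the caller at all. */
    public boolean isLoggedIn() {
        return externalContext().getRemoteUser() != null;
    }

    /** The authenticated user name, or null for an anonymous request. */
    public String getUser() {
        return externalContext().getRemoteUser();
    }

    // Evaluated per request: the bean is request scoped, so a cached value
    // could never outlive the session it was computed for.
    private static ExternalContext externalContext() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }
}
```

On the page the link is then written as <h:commandLink value="Manage users" action="admin" rendered="#{securityBean.admin}"/>. Hiding the link is a convenience for the user only; the <security-constraint> on the target URL remains the enforcement, so the role the bean tests must be the same logical role that the constraint's auth-constraint resolves to, otherwise the two will disagree and a hidden link can still be reached by typing its URL.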

Similar Messages

  • Web.xml - security constraint question

    I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
    Is that possible???

    Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
    Bean code:
    this.isAdmin = context.getExternalContext().isUserInRole("admin");
    web.xml:
        <security-role>
            <role-name>Local Admin Group</role-name>
        </security-role>
        <security-role>
            <role-name>DBA Group</role-name>
        </security-role>
        <!-- Faces Servlet -->
        <servlet>
            <servlet-name>Faces Servlet</servlet-name>
            <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
            <security-role-ref>
                <role-name>admin</role-name>
                <role-link>DBA Group</role-link>
            </security-role-ref>
            <security-role-ref>
                <role-name>admin</role-name>
                <role-link>Local Admin Group</role-link>
            </security-role-ref>
        </servlet>

  • Web.xml security-constraint order matters?

    After a long and frustrating debugging session I've just discovered that the order in which <security-constraint>
    entries are added to the web.xml file matters to OC4J.
    That is, if a more lax rule is matched first, the rest
    (even though they might be more precise or even an
    exact match) won't be applied.
    Is this normal behaviour?
    EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected</web-resource-name>
            <url-pattern>/admin*.uix</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>DSMSuperUser</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>DSMUser</role-name>
        </auth-constraint>
    </security-constraint>

    Here is an excerpt from the servlet spec stating the proper behavior:
    The container matches URL patterns defined in security constraints
    using the same algorithm described in this specification for matching client
    requests to servlets and static resources as described in SRV.11.1
    SRV.11.1 Use of URL Paths
    Upon receipt of a client request, the web container determines the web application
    to which to forward it. The web application selected must have the longest
    context path that matches the start of the request URL. The matched part of the URL
    is the context path when mapping to servlets.
    The web container next must locate the servlet to process the request using the
    path mapping procedure described below:
    The path used for mapping to a servlet is the request URL from the request
    object minus the context path. The URL path mapping rules below are used in
    order. The first successful match is used with no further matches attempted:
    1. The container will try to find an exact match of the path of the request to the
    path of the servlet. A successful match selects the servlet.
    2. The container will recursively try to match the longest path-prefix: This is done
    by stepping down the path tree a directory at a time, using the ’/’ character as
    a path separator. The longest match determines the servlet selected.
    3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet
    container will try to match a servlet that handles requests for the extension.
    An extension is defined as the part of the last segment after the last ’.’ character.
    4. If neither of the previous three rules result in a servlet match, the container will
    attempt to serve content appropriate for the resource requested. If a "default"
    servlet is defined for the application, it will be used.
    The container must use case-sensitive string comparisons for matching.
    So this is STILL an issue w/ 10.1.2.0.2...
    EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>oemAdmin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>OEM_ADMIN</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>allOem</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>OEM_USER</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    If I don't find a SR for this issue I'll open one b/c this is not acceptable.
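Added example, written for this page and not taken from the thread or from any of the containers discussed: it does two things the posts above ask about. It reads the application's own deployed web.xml through ServletContext.getResourceAsStream("/WEB-INF/web.xml"), which is the portable route the opening question was looking for (it works for a WAR and for an exploded directory), and it selects the governing <security-constraint> with the matching rules quoted from SRV.11.1 (exact match, then longest path prefix, then extension, then the default "/"), so the order of the constraints in the file makes no difference to the decision. Note that the spec defines only those three pattern forms; a pattern such as /admin*.uix is neither a prefix nor an extension pattern and can only ever match a request path that is literally equal to it. Class, method and package names are assumptions; the descriptor in main() is constructed for the demonstration and uses the /admin/* and /* patterns from the post, deliberately in the "lax rule first" order.

```java
// Added example, not from the thread: portable reading of web.xml plus spec-order
// matching of security constraints. Names are hypothetical.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.*;
import javax.servlet.ServletContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public final class WebXmlConstraints {

    /** One security-constraint: its url-patterns and the roles of its auth-constraint. */
    static final class Constraint {
        final List<String> patterns = new ArrayList<String>();
        final Set<String> roles = new LinkedHashSet<String>();
        boolean authConstraint;   // element present; present-but-empty means "nobody"
    }

    private final List<Constraint> constraints = new ArrayList<Constraint>();

    /** Portable: the container serves the deployed descriptor as a resource, WAR or exploded. */
    public static WebXmlConstraints load(ServletContext ctx) throws Exception {
        InputStream in = ctx.getResourceAsStream("/WEB-INF/web.xml");
        if (in == null) throw new IllegalStateException("/WEB-INF/web.xml not readable");
        try { return parse(in); } finally { in.close(); }
    }

    public static WebXmlConstraints parse(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);              // DTD-based (2.3) and schema-based (2.4+) descriptors alike
        f.setExpandEntityReferences(false);     // a descriptor never needs entities or external DTDs
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        Document doc = f.newDocumentBuilder().parse(in);
        WebXmlConstraints result = new WebXmlConstraints();
        for (Element sc : children(doc.getDocumentElement(), "security-constraint")) {
            Constraint c = new Constraint();
            for (Element wrc : children(sc, "web-resource-collection"))
                for (Element p : children(wrc, "url-pattern")) c.patterns.add(p.getTextContent().trim());
            for (Element ac : children(sc, "auth-constraint")) {
                c.authConstraint = true;
                for (Element r : children(ac, "role-name")) c.roles.add(r.getTextContent().trim());
            }
            result.constraints.add(c);
        }
        return result;
    }

    /** Direct child elements by local name, whatever namespace the descriptor uses. */
    private static List<Element> children(Element parent, String name) {
        List<Element> out = new ArrayList<Element>();
        NodeList nl = parent.getChildNodes();
        for (int i = 0; i < nl.getLength(); i++) {
            Node n = nl.item(i);
            if (n instanceof Element && name.equals(n.getLocalName())) out.add((Element) n);
        }
        return out;
    }

    /** Rank per SRV.11.1: exact, then longest path prefix, then extension, then "/"; -1 = no match. */
    static int rank(String pattern, String path) {
        if (pattern.equals(path)) return Integer.MAX_VALUE;
        if (pattern.equals("/")) return 0;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);            // "" for "/*"
            boolean hit = prefix.length() == 0 || path.equals(prefix) || path.startsWith(prefix + "/");
            return hit ? 2 + prefix.length() : -1;
        }
        if (pattern.startsWith("*.")) {
            String last = path.substring(path.lastIndexOf('/') + 1);
            int dot = last.lastIndexOf('.');
            return dot >= 0 && last.substring(dot + 1).equals(pattern.substring(2)) ? 1 : -1;
        }
        return -1;   // any other form only ever matches exactly, handled above
    }

    /** Constraints whose best pattern ties for the highest rank; the spec combines their roles. */
    List<Constraint> matching(String path) {
        int best = -1;
        List<Constraint> out = new ArrayList<Constraint>();
        for (Constraint c : constraints) {
            int r = -1;
            for (String p : c.patterns) r = Math.max(r, rank(p, path));
            if (r < 0 || r < best) continue;
            if (r > best) { best = r; out.clear(); }
            out.add(c);
        }
        return out;
    }

    /** Access decision for a caller holding userRoles (empty set = unauthenticated). */
    public boolean allows(String path, Set<String> userRoles) {
        List<Constraint> hit = matching(path);
        if (hit.isEmpty()) return true;                           // unconstrained resource
        Set<String> roles = new LinkedHashSet<String>();
        for (Constraint c : hit) {
            if (!c.authConstraint) return true;                   // an unrestricted collection wins
            roles.addAll(c.roles);
        }
        if (roles.contains("*")) return !userRoles.isEmpty();     // "*": any authenticated user
        for (String r : userRoles) if (roles.contains(r)) return true;
        return false;                                             // also covers an empty <auth-constraint/>
    }

    public static void main(String[] args) throws Exception {
        // Constructed descriptor, deliberately with the lax "/*" rule first, as in the post.
        String webXml = "<web-app>"
            + "<security-constraint><web-resource-collection><url-pattern>/*</url-pattern>"
            + "</web-resource-collection><auth-constraint><role-name>OEM_USER</role-name></auth-constraint></security-constraint>"
            + "<security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern>"
            + "</web-resource-collection><auth-constraint><role-name>OEM_ADMIN</role-name></auth-constraint></security-constraint>"
            + "</web-app>";
        WebXmlConstraints w = parse(new ByteArrayInputStream(webXml.getBytes("UTF-8")));
        Set<String> plainUser = new HashSet<String>(Arrays.asList("OEM_USER"));
        // /admin/* outranks /* whatever the file order: a plain user is refused there but not elsewhere
        System.out.println(w.allows("/admin/users.jsp", plainUser));
        System.out.println(w.allows("/index.jsp", plainUser));
    }
}
```

The path handed to allows() must be what the container matches on: the request URI minus the context path, with no query string (HttpServletRequest.getRequestURI() already excludes it). Used from the JSF bean in the first reply, this lets a page render a link only when the caller's roles satisfy the constraint that will actually guard the link's target, so the rendering decision and the container's enforcement cannot drift apart.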

  • Web.xml security-constraint

    Hi,
    Anybody has any idea about this one:
    In web.xml I have:
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>members</web-resource-name>
                   <url-pattern>/members/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>REGISTERED_USERS</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>SSL is required</description>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
    When using the above one, every time I click any link in /members, WebLogic
    first treats the user as guest at the beginning, then changes to the real logged-in
    user.
    After I changed it to :
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>members</web-resource-name>
                   <url-pattern>/members/</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>REGISTERED_USERS</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>SSL is required</description>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
    I click the links in /members, and WebLogic treats the user as the real logged-in
    user.
    Any idea what the meaning of the * is, or any clue where this difference is mentioned
    in WebLogic or Sun's documentation?
    BTW: I am using weblogic 5.1 with sp11.
    Thx,
    dliu

    Hi,
    Please provide a "WEB-INF/weblogic.xml" file as well like following:
    "weblogic.xml"
    <?xml version='1.0' encoding='UTF-8'?>
    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <security-role-assignment>
            <role-name>BMOUser</role-name>
            <principal-name>BMOUser</principal-name>
        </security-role-assignment>
    </weblogic-web-app>
    Thanks
    Jay SenSharma
    http://weblogic-wonders.com (WebLogic Wonders Are here)

  • Help! web.xml security without using WAR files

    I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having a lot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.

    The RDBMSRealm is just the authentication mechanism underneath WLS, versus the
    web.xml of the WebApplication, which describes all the access control for that WebApp,
    the latter being scoped only to that WebApp.
    You don't need to deploy in a war file; you can expand the archive into an identical
    directory structure and then just point us towards the top level of that structure.
    see: http://www.weblogic.com/docs51/classdocs/webappguide.html
    .paul
    chris wrote:
    I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having a lot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.

  • Web.xml security configuration (struts)

    Hi all
    I want to restrict the access for the following URL:
    http://localhost:8080/InventoryManager/Usermanagement/addUser.do?methodToCall=addInvUser
    But if I define it like that in web.xml it doesn't work:
    <security-constraint>
        <display-name>User</display-name>
        <web-resource-collection>
            <web-resource-name>user creation</web-resource-name>
            <url-pattern>/Usermanagement/addUser.do?methodToCall=addInvUser*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>create_user</role-name>
        </auth-constraint>
    </security-constraint>
    All other restrictions I created so far are working, but mostly this is restricted for a URL and not a struts action like above.
    Could somebody tell me how I can restrict the access to the method addInvUser or the action mapping addUser.do?
    Thanks
    Angela

    Perhaps it's not possible (to use HTTP params) as a restricted URL.
    But you can always check the user role programmatically.
    best regards,
    Maris Orbidans
    SCJP SCWCD SCBCD
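Added example, mine rather than code from either poster: the programmatic check Maris suggests, done once in a servlet Filter instead of inside every action. A url-pattern is matched against the request path only, so a <security-constraint> can never tell addUser.do?methodToCall=addInvUser apart from addUser.do with any other methodToCall; the parameter has to be inspected in code. The parameter name, method name and role are taken from the question; the filter class and the web.xml filter-mapping are assumptions.

```java
// Added example, not from the thread: enforce a role for one Struts dispatch method
// selected by a request parameter. Registered in web.xml (assumed mapping) as
//   <filter-mapping><filter-name>actionRoleFilter</filter-name>
//                   <url-pattern>/Usermanagement/addUser.do</url-pattern></filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ActionRoleFilter implements Filter {

    private static final String DISPATCH_PARAM = "methodToCall";   // from the question
    private static final String GUARDED_METHOD = "addInvUser";
    private static final String REQUIRED_ROLE  = "create_user";    // a <security-role> in web.xml

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getParameter() covers both the query string and a POSTed form body, so the
        // decision is the same whichever way the dispatch parameter arrives.
        String method = request.getParameter(DISPATCH_PARAM);
        if (GUARDED_METHOD.equals(method)) {
            if (request.getRemoteUser() == null) {
                // Authentication itself stays with the container: a path-level
                // <security-constraint> on /Usermanagement/* triggers <login-config>
                // before this filter runs, so reaching here unauthenticated is a
                // configuration error, and the safe answer is to refuse.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!request.isUserInRole(REQUIRED_ROLE)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

The split is deliberate: the container's constraint on /Usermanagement/* decides who may be there at all and handles the login dialogue, and the filter adds the finer, parameter-dependent rule. Keeping the coarse rule in web.xml means the page is still protected if the filter mapping is ever removed or mistyped.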

  • Web.xml security

    Let's say that I have 2 main groups, group USER and group ADMIN.
    Now let's say that I have 3 other groups, groups A, B, and C.
    The structure in OCS would look something like this.
    group USER has members group A, group B, group C and group ADMIN
    group ADMIN has members that are just users, no groups
    From our application to perform a isUserInRole(group B) would group B have to appear in the web.xml file or should I only have to have group USER in the web.xml file?

    Hi,
    The web.xml file contains all groups that you reference in URL constraints in the web.xml or call via isUserInRole(). Note that you also can use different names in isUserInRole(), but then you need to use the role-ref element to map it to a role that exists in web.xml.
    Note that J2EE doesn't support RBAC in the web.xml, which means that there is no role that is a member of a role. OC4J supports this from the security provider side, but still this isn't the case for J2EE itself.
    Frank

  • Without restart/reload - web.xmlupdate security constraints, is it possible

    Is there a way to make use of the 9ias/j2ee security framework where I add/modify security constraints, change roles and url-patterns etc. in web.xml without having to restart/reload the webapp? Doesn't restart/reload remove existing user sessions from the container?
    Any thoughts or code pointers would be appreciated.
    -Mohammad Abed

    Handlers are java-classes so I would say yes.
    Classes (including BC4J View and Entity objects) must
    be recompiled and your server should be restarted.
    Anything XML-related (including UIX) does not immediately
    force you to restart OC4J, although the MVC Framework
    descriptor-xml should be reloaded by for instance re-
    entering the service you changed. This is where those
    home-page services become handy.
    Note that setting existing BC4J-attributes to (in)visible
    or wider/smaller mostly just changes the BC4J Jheadstart
    metadata and generates new UIX, so it doesn't change
    anything in the java-classes.

  • Web.xml Security LoginPage / LoginTF does not work

    Hi Guys,
    In JDev 11.1.1.5, using the WebCenter extension, we get some strange behaviour I cannot explain.
    I have a feeling I am missing some small step, but I cannot see what step, so I thought to ask :).
    Here are the steps we took:
    We use:
    - JDeveloper 11.1.1.5
    - WebCenter extension
    Steps we took, within a WebCenter Portal application:
    1. Create an index.html which is the default start point of the application.
    2. index.html redirects to faces/pages_home.
    3. In pages.xml our home is a landingPage.
    4. This landingPage is configured for authenticated-role only in pages.xml.
    5. Configure a custom login-TF with a .jspx loginPage on it.
    6. In the web.xml on the security tab, we configure Form-Based Authentication with our custom login-TF as Login Page.
    7. In the jazn-data.xml we configure this TF and grant the anonymous-role.
    8. Run the application; we get a 404.
    I would expect the following:
    1. Application tries to reach the home page.
    2. The home page is only available for authenticated users.
    3. The login mechanism (from the web.xml) starts to work.
    4. The TF/page configured in the web.xml gets launched.
    Somehow, as said, we get a 404 instead of our loginTF/Page.
    In a JDeveloper 11.1.1.2 application this seems to work fine with the same configuration, but now in 11.1.1.5 we get a 404 error.
    Did we miss a configuration / overlook some setting?
    Why does this not work?
    If anybody has any tips on where to look or what to do, this would be helpful :)
    I have a test case in which I can reproduce this problem, both within a WCP application and in a pure ADF application.
    I can provide this if anyone is interested :)
    Regards,
    Richard Olrichs

    Hmmm, apparently you have to put “/faces/adf.task-flow?adf.tfId=login-TF&amp;adf.tfDoc=/” in front of the TF, which results in the following web.xml tag:
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/faces/adf.task-flow?adf.tfId=login-TF&amp;adf.tfDoc=/WEB-INF/login-TF.xml</form-login-page>
            <form-error-page>/WEB-INF/error.html</form-error-page>
        </form-login-config>
    </login-config>
    I don't know why, but now it redirects correctly to our custom login-TF.
    Can someone explain this behaviour?
    Anyhow, help is not needed anymore :P
    Cheers,
    Richard
    Edited by: Richard Olrichs on Feb 21, 2012 8:41 AM

  • Security constaint in Oracle 10.1.2 - Web.xml

    hi,
    I can access my URL in both http and https .
    1) http://myURL.com
    2) https://myURL.com:4444
    But I want this logic to be contained in web.xml, where only for some resources I need to use https. I put the following in web.xml ... but it is not working. As soon as I hit welcome.jsp, IE is trying to download the page to my hard drive (???).
    following is code in web.xml
    ========
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>test</web-resource-name>
            <url-pattern>/Welcome.jsp</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ====
    What is wrong with this code?
    PLUS I cannot access the site as https://myURL.com without the port number. I always have to append 4444. Is there any way to automatically add the port?
    Thanks
    Message was edited by:
    user526264

    Hi,
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    doesn't redirect to SSL but shows an http error if access is not with SSL
    Frank

  • Setting security constraint for web App

    Hai all!
    I am new to BEA and I am trying to set up security constraints for my web application..
    I want the user to be authenticated before he accesses any of the pages in the browser..
    All I did was add the following entries to web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                webresources
            </web-resource-name>
            <url-pattern>
            </url-pattern>
        </web-resource-collection>
        <login-config>
            <auth-method>
                BASIC
            </auth-method>
        </login-config>
    </security-constraint>
    But no such thing is happening,,
    I know I am doing wrong but don't know where exactly I am wrong..
    Please guide me in a sequence of steps regarding what to do to accomplish what I want..
    Thanks and Regards
    Manohar

    I guess you need to set the role that is allowed to log into your application.
    try this in web.xml:
    <security-constraint>
        <display-name>Whatever</display-name>
        <web-resource-collection>
            <web-resource-name>resource</web-resource-name>
            <description>Desc</description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>desc</description>
            <role-name>MyRole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
        <description>desc</description>
        <role-name>MyRole</role-name>
    </security-role>
    and map the role with a group/user in weblogic.xml:
    <security-role-assignment>
        <role-name>MyRole</role-name>
        <principal-name>MyGroupOfUsers</principal-name>
    </security-role-assignment>
    Hope this helps.
    Xavi
    "Manohar" <[email protected]> wrote:
    >
    Hai all!
    I am new to BEA and I am trying to set up security constraints for my
    web application..
    I want the user to be authenticated before he accesses any of the pages in
    the browser..
    All I did was add the following entries to web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                webresources
            </web-resource-name>
            <url-pattern>
            </url-pattern>
        </web-resource-collection>
        <login-config>
            <auth-method>
                BASIC
            </auth-method>
        </login-config>
    </security-constraint>
    But no such thing is happening,,
    I know I am doing wrong but don't know where exactly I am wrong..
    Please guide me in a sequence of steps regarding what to do to accomplish
    what I want..
    Thanks and Regards
    Manohar

  • Web.xml, struts and ssl

    Hi there,
    on our projects web pages we use struts, to combine the html of our pages with the java code behind. To enable SSL I added a security constraint to the web.xml:
    <security-constraint>
        <display-name>SSL Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>secured login resource</web-resource-name>
            <description></description>
            <url-pattern>/index.html</url-pattern>
            <url-pattern>*.do</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description></description>
            <role-name>authenticatedUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    Some of our web pages need to use no SSL. So I added (for first testing) a second security constraint to the web.xml and defined which pages should be without SSL:
    <security-constraint>
        <display-name>No-SSL Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>businesstransaction resource</web-resource-name>
            <description></description>
            <url-pattern>*.go</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description></description>
            <role-name>authenticatedUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    As you can see, I exchanged *.do with *.go for testing. I simply defined all actions I want to be used without SSL with a .go instead of a .do in the struts.config.
    In principle it works, but there is a problem: The default behaviour for struts seems to be that the name of the new action is posted in the url at the end of the standard starting url.
    Our url starts with https://localhost:9443/client-web/, and whatever action I start, this url text in the browser window never changes, regardless of whether the next action would be protected or not.
    First I thought my url pattern would be wrong, or the user or whatever. But then I found out that when changing the url in the browser window by hand to http://localhost:9080/client-web/ it works. The web page then is without SSL active. And when I manually change the url while viewing a page that is meant to be SSL protected, the browser automatically changes to the SSL address.
    But then again, moving to a page without SSL does not force the browser to change its address to the non-SSL string. So again, SSL is active though a non-secure access would be allowed.
    Anybody has any idea how to change this default behaviour? It would be important to not only tell the server that non secure would be ok, but to actually USE non secure connection automatically.
    The internet explorer is not able to upload files in SSL mode (though any other browser is able to), and our customer insists on using IE. And to tell the users "oh, just edit the line there in the window manually and reload the page will help ... or use Firefox" will not be a suitable solution.
    Regards, Rommie.

    There is a plugin called sslext which will do most of what you need.
    http://sslext.sourceforge.net/
    I think the last time I used it I made some changes to the plugin source so that I could force non-SSL to be the default behaviour unless SSL was explicitly stated in struts.config, but can't remember for sure. Bottom line is it will do most of what you need and can probably be modified to do the rest without too much trouble.

  • Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constaints

    Hello,
    I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into Eclipse, where they compile. A bean I made can call SampleCallbackHandler like such:
    mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identify that it is authenticating me (I see in stdout logs that it shows success or failures). The problem I have is I do not know how to apply this to weblogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
    <security-role>
        <role-name>Admins</role-name>
    </security-role>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>default</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/badlogin.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>empower</web-resource-name>
            <description>These pages are only accessible by authorized users.</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>These are the roles who have access</description>
            <role-name>Administrators</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>This is how the user data must be transmitted</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    My weblogic.xml has:
    <?xml version="1.0" encoding="UTF-8"?>
    <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
        <wls:security-role-assignment>
            <wls:role-name>Admins</wls:role-name>
            <wls:principal-name>Administrators</wls:principal-name>
            <wls:principal-name>dashap</wls:principal-name>
        </wls:security-role-assignment>
    </wls:weblogic-web-app>
    With this set up, if I try to go to a page in the /admin folder in my application, it correctly pops up the login page. The JAAS in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With JAAS, can I not use the web.xml FORM security option? Do I need to use j_security_check in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use j_username/j_password things if I am using JAAS? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use JAAS with the security features without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

    Hi John,
    I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
    I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
    Ideally, the flow is something like:
    - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
    - user presses a link or button that takes him/her to a protected resource
    - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
    - the application can access the subject and principals
    - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
    The authentication method is client certificate. Presumably this prompts WebLogic/OPSS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
    I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
    If you have more ideas to share, I would love to hear them.
    best regards,
    Lucas

  • J_security_check and web.xml

    Hi,
    I've set up a web application with form authentication
    Here's part of my web.xml:
    <security-role>
        <description>user</description>
        <role-name>user</role-name>
    </security-role>
    <!-- Login Authentication -->
    <security-constraint>
        <display-name>Secure User Pages</display-name>
        <web-resource-collection>
            <web-resource-name>SecureUserPages</web-resource-name>
            <url-pattern>/jsp/welcome.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>user</description>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/jsp/login.jsp</form-login-page>
            <form-error-page>/jsp/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>
    When I request welcome.jsp, I'm taken to login.jsp.
    If I enter an incorrect login/password combo, the contents of loginError.jsp show up, but the url says http://hostname:port/appname/jsp/j_security_check
    How can I make it so that the url does not show 'j_security_check', but 'loginError.jsp'?
    Second, if I enter a correct login/password combo, I am not taken to the page I requested - I stay on the login page, but the information in the form fields gets wiped out. According to my logs, it says that I logged in correctly.
    Can someone shed some light on one or both of these issues?
    Thanks in advance,
    C

    To answer you,
    1. j_security_check servlet forwards the request to loginError.jsp on login failure. Hence you don't see any change in URL at the address bar. Use redirect at your application level to see the change in URL at the address bar.
    If you want to attain some more flexibility at the login level, probably JAAS can help you out.
    2. "Second, if I enter a correct login/password combo, I am not taken to the page I requested - I stay on the login page, but the information in the form fields gets wiped out. According to my logs, it says that I logged in correctly"
    If you're really sure about the correctness of your log, I think you have directly invoked login.jsp from your browser and then entered a valid username/password. Maybe this is the reason you get to see login.jsp again on successful login.
    The solution would be to directly invoke welcome.jsp from the browser. Provide a valid username and password and then see whether you really get to see welcome.jsp or not.

  • Question on web.xml and login

    Hi all
    I am doing a web-based project, registered user need to log in before they view the member area pages.
    I have created a directory, called "client", in the Tomcat 4.1.24/webapps/ROOT/client I have put a index.html in the client directory. This index.html only can be viewed by the client after log in.
    For the best of my knowledge in Tomcat, in order to do this, I have created a web.xml in Tomcat_home/webaggs/ROOT/WEB-INF/web.xml, in the url-pattern section, I put /client/* to tell the tomcat server that index.html in client directory is the first page after user login.
    The problem is, I couldnt see the member welcome page after I login as a member, the browser gave me the error: HTTP status 400 - Invalid direct reference to form login page. However, if I specified the address http://localhost:8080/client/index.html , it show me the login page and after I input the username and password I can see the member welcome page.
    I dont know whether is something wrong with the web.xml or I should do other thing to let the server know which is the first page after member login.
    Thank you very much
    Kelvin
    =====================================================
    <web-app>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Security</web-resource-name>
          <url-pattern>/client/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>administrator</role-name>
          <role-name>client</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/login_error.html</form-error-page>
        </form-login-config>
      </login-config>
    </web-app>
    =====================================================

    Wow, you really are in the wrong place with this query, it's not really even Java ;o) This is the New to Java forum! Perhaps you would be better off (in fact I know for a FACT that you will be, as I have seen answers to identical problems there) in the Tomcat-user list...
    Go HERE:
    http://www.mail-archive.com/[email protected]/
    and search
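The two threads above share a theme: <security-constraint> and <login-config> look simple, but small descriptor mistakes (roles used but never declared, a FORM login page that is itself inside a protected url-pattern, no transport guarantee for the credentials) produce confusing runtime behaviour. The following static lint is an added example and is not code from either thread, from Tomcat or from any container; it parses a web.xml with the Python standard library, applies the servlet-spec url-pattern matching rules and reports those three issues. The embedded SAMPLE_WEB_XML is a constructed copy of the descriptor Kelvin posted. A lint like this cannot detect the "Invalid direct reference to form login page" condition, which arises at runtime when the login page is requested directly instead of via a protected resource.

```python
"""Static lint for <security-constraint> and <login-config> in a web.xml.

Added example, not code from the forum thread or from any container: it
parses a web.xml with the standard library, applies the servlet-spec
url-pattern matching rules and reports descriptor mistakes that lead to
the symptoms discussed in the thread.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml posted in the thread: the
# <security-role> declarations and a <user-data-constraint> are absent.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Security</web-resource-name>
      <url-pattern>/client/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>client</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login_error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching as used for security constraints:
    '/' matches everything, '/foo/*' is a path prefix, '*.jsp' an extension,
    anything else is an exact match."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def _text(el, path):
    """Stripped text of the first descendant at `path`, or None."""
    child = el.find(path)
    return child.text.strip() if child is not None and child.text else None


def lint_web_xml(xml_text):
    """Return a list of finding strings for the given web.xml content."""
    root = ET.fromstring(xml_text)
    # Real deployment descriptors carry a default namespace; drop it so the
    # plain tag names below work for both namespaced and bare files.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]

    findings = []
    declared = {_text(r, "role-name") for r in root.findall("security-role")}

    # Pages of a FORM login config must stay reachable without a session;
    # otherwise the container redirects to a page it also protects.
    login_pages = []
    login_cfg = root.find("login-config")
    if login_cfg is not None and _text(login_cfg, "auth-method") == "FORM":
        for tag in ("form-login-config/form-login-page",
                    "form-login-config/form-error-page"):
            page = _text(login_cfg, tag)
            if page:
                login_pages.append(page)

    for sc in root.findall("security-constraint"):
        name = (_text(sc, "display-name")
                or _text(sc, "web-resource-collection/web-resource-name")
                or "<unnamed>")
        patterns = [p.text.strip()
                    for p in sc.findall("web-resource-collection/url-pattern")
                    if p.text]

        # 1. Roles referenced by the constraint but never declared.
        for rn in sc.findall("auth-constraint/role-name"):
            role = (rn.text or "").strip()
            if role and role != "*" and role not in declared:
                findings.append(
                    f"{name}: role '{role}' in <auth-constraint> is not "
                    f"declared in a <security-role>")

        # 2. Login or error page caught by the constraint's own patterns.
        for page in login_pages:
            for pat in patterns:
                if pattern_matches(pat, page):
                    findings.append(
                        f"{name}: url-pattern '{pat}' also protects the "
                        f"login page '{page}'")

        # 3. No transport guarantee: form credentials travel in cleartext.
        if _text(sc, "user-data-constraint/transport-guarantee") != "CONFIDENTIAL":
            findings.append(
                f"{name}: no CONFIDENTIAL <transport-guarantee>; the form "
                f"credentials and session cookie can be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for line in lint_web_xml(SAMPLE_WEB_XML):
        print(line)
```

Run against the sample it reports the two undeclared roles and the missing transport guarantee; moving the login page under /client/ adds a fourth finding, which is exactly the redirect loop a container produces when the login form is itself behind the constraint.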
