Hi,
I have a simple web application. Here is some of my web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>user/*</web-resource-name>
    <url-pattern>/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>userRole</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>adminRole</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyRealm</realm-name>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login-error</form-error-page>
  </form-login-config>
</login-config>
I log in as a user with only userRole, so I only have access to files
under /user. Then, when I click on a link to /admin/index.html, Jetty
simply forwards me to /login-error, which prompts me to enter a
username and password (log in again). When this is done, Jetty
forwards me to the /admin/index.html page.
Then I moved to JettyPlus and this behaviour changed. Now JettyPlus simply
gives me a "403 User not in require role" error. If I actually define an
error-page for error-code 403 I get to that page, but my requestURI is not
preserved. So when I relogin from that page, I don't get forwarded to
/admin/index.html as I should be. Instead I go to / with the new login
info.
I'm sure this is a configuration issue since no one had this problem.
What have I missed?
Thanks in advance
Sam Zin
Sam Zin - 21 May 2004 21:24 GMT
To answer my own questions:
1- as of Jetty 4.2.10, the error page for 403 errors is not by default
the form-error-page.
2- only javax.servlet.error.request_uri is set when you get a 403 error.
3- org.mortbay.jetty.com is not set, therefore if you set the
error-page to the login page, you have to manually set the session
attribute for org.mortbay.jetty.com to that of
javax.servlet.error.request_uri.
Then when you relogin using a different username/password, Jetty
forwards you to the link you wanted.
In a way this is very dangerous since now you're using the same
session for two different logins. I guess this is why mortbay removed
this "feature".
We decided to simply have a static 403.html page that said:
You don't have permissions, ...
Please logout and login again as a different user...
peace.
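An added example (not Sam Zin's code and not Jetty's own) of the safer variant of point 3: a 403 error page that remembers the denied URI for the next login without letting the second login reuse the first login's session. It uses only the standard servlet API; the servlet names, the "denied.uri" attribute, and the assumption that the container keeps the freshly created session across the form login are mine.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped as <location> of the <error-page> for <error-code>403</error-code>.
public class ForbiddenServlet extends HttpServlet {
    static final String DENIED_URI = "denied.uri"; // assumed attribute name

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Standard attribute the container sets when dispatching to an error page.
        String target = (String) req.getAttribute("javax.servlet.error.request_uri");

        // Throw away the first user's session: the second login must not
        // inherit its id, attributes or authentication state.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Keep only same-application absolute paths; "//host/..." or a full
        // URL would turn the post-login redirect into an open redirect.
        if (target != null && target.startsWith("/") && !target.startsWith("//")) {
            req.getSession(true).setAttribute(DENIED_URI, target);
        }
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}

// Second file. Mapped to the URL the container lands on after a login with
// no remembered request ("/" in the thread); replays the saved target once.
public class LandingServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String target = (session == null) ? null
                : (String) session.getAttribute(ForbiddenServlet.DENIED_URI);
        if (target != null && req.getUserPrincipal() != null) {
            session.removeAttribute(ForbiddenServlet.DENIED_URI); // single use
            resp.sendRedirect(target);
            return;
        }
        resp.getWriter().println("Logged in as " + req.getRemoteUser());
    }
}
```

Because the old session is invalidated before the redirect, the second user's principal and attributes never share a session id with the first, which removes the risk the thread points out while still returning the user to the page they asked for.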