on 02-25-2009 1:22 PM
Hi
I'm trying to create custom pages for FORM authentication of a Java web app, but keep getting strange errors. Please could someone point out what I'm doing wrong.
I've created custom pages for login, login-error, password-change, and password-change-error (as per config requirements).
When the user navigates to the web app, they're correctly sent to the login page. Authentication seems to work the first time. Then they log out and are redirected back to the login page. All fine so far. However, when trying to log in again, they're redirected to an error page (HTTP 404).
This is very strange, as the login worked fine the first time, but not the second time. Huh?!?!
Below is sample code (all based on the SAP Help docs):
web-j2ee-engine.xml
<web-j2ee-engine>
  <spec-version>2.4</spec-version>
  <security-role-map>
    <role-name>Administrator</role-name>
    <server-role-name>My Administrators Role</server-role-name>
  </security-role-map>
  <login-module-configuration>
    <password-change-config>
      <login-page>change-password.jsp</login-page>
      <error-page>change-password-error.jsp</error-page>
    </password-change-config>
    <security-policy-domain>/TestWeb</security-policy-domain>
  </login-module-configuration>
</web-j2ee-engine>
web.xml
<web-app>
  <display-name>Test Web App</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>Admin role</description>
    <role-name>Administrator</role-name>
  </security-role>
  <security-constraint>
    <display-name>SecureConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>Admin protected authorisation</description>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
login.jsp
<%@ page language="java" %>
<html>
  <body>
    <form name="loginForm" method="POST" action="j_security_check">
      Username: <input type="text" name="j_username"><br/>
      Password: <input type="password" name="j_password"><br/>
      <input type="submit" value="submit" />
    </form>
  </body>
</html>
change-password.jsp
<%@ page language="java" %>
<html>
  <body>
    <form name="loginChangePasswordForm" method="POST" action="sap_j_security_check">
      <%-- current password field uses type="password" so the value is not echoed on screen --%>
      Current Password: <input type="password" name="j_sap_current_password" /><br/>
      New Password: <input type="password" name="j_sap_password" /><br/>
      Confirm New Password: <input type="password" name="j_sap_again" /><br/>
      <input type="submit" value="submit" />
    </form>
  </body>
</html>
logout.jsp
<%@ page language="java" %>
<%
  request.getSession().invalidate();
  response.sendRedirect("login.jsp");
%>
Any help would be greatly appreciated!
Thanks
Stuart
Any feedback on this?
I'm still stuck with it and battling to get any help from SAP (but still trying).
Hello Stuart,
The problem is in the logout.jsp page. After invalidating the session you are redirecting to login.jsp, but it is not supposed to be called directly.
Please try redirecting to index.jsp instead. As the session is invalidated, reauthentication will be triggered and the login page will be displayed again.
Best regards,
Tanya
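The logout flow Tanya describes, written out as a servlet. This is an added example, not code from the thread or from SAP: it targets the Servlet 2.4 API the posted web-j2ee-engine.xml declares, invalidates the session, expires the session cookie, writes an audit line, and then redirects to the protected /index.jsp from the posted web.xml so that the container itself issues a fresh FORM login challenge. The servlet mapping (for instance /logout), the cookie name JSESSIONID and the cookie path are assumptions for this example and should be checked against the container in use.

```java
// Added example (not from the original thread or from SAP): a logout servlet for a
// Servlet 2.4 container using FORM authentication. Assumes a web.xml mapping such as
// <servlet-mapping><url-pattern>/logout</url-pattern></servlet-mapping>.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    // Protected resource from the thread's web.xml. Landing here after logout makes the
    // container present the FORM login page by itself; login.jsp is never called directly.
    private static final String PROTECTED_LANDING_PAGE = "/index.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Accept GET as well so a plain link, like the thread's logout.jsp, still works.
        doPost(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) avoids creating a brand-new session only to destroy it.
        HttpSession session = request.getSession(false);
        String user = request.getRemoteUser();
        String sessionId = (session != null) ? session.getId() : "<none>";

        if (session != null) {
            session.invalidate();
        }

        // Expire the session cookie on the client too, so a stale identifier is not sent
        // again. Cookie name and path are assumptions for this example.
        String contextPath = request.getContextPath();
        Cookie expiredCookie = new Cookie("JSESSIONID", "");
        expiredCookie.setMaxAge(0);
        expiredCookie.setPath(contextPath.length() == 0 ? "/" : contextPath);
        response.addCookie(expiredCookie);

        // Audit record: which user logged out and which session was ended.
        getServletContext().log("logout: user=" + user + " session=" + sessionId);

        // Redirect to a protected page, not to the login page, so that the container
        // runs its own authentication challenge for the next request.
        response.sendRedirect(contextPath + PROTECTED_LANDING_PAGE);
    }
}
```

The redirect target is the point of the example: with container-managed FORM login, the login page is meant to be served by the container in response to a request for a protected resource, which is why the thread's direct redirect to login.jsp misbehaves on the second login.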
Thanks very much for your response... changing the redirect seems to work.
But the exact same code works perfectly on Sun Java Application Server 9.1
Why is there inconsistency across platforms on something so fundamental?
My opinion is that SAP's implementation is incorrect, but I stand to be corrected on this. Why should the login page not be called directly? Any ideas?
Ah... there's a problem. The suggestion did not work after all!
It only works if you don't navigate to a specific page. This is a VERY weird login process! Not standard at all.
I would upload demo code, but this forum won't allow attachments.
Will try to put an explanation together and post it up later.
Thanks
Stuart
Just as a follow-up to this. It seems that calling HttpSession.invalidate() doesn't actually invalidate the session, as I'm still able to navigate to secured pages (without logging in again) after this call has been made.
Any thoughts on why this might be happening?
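One way to pin down the symptom in the follow-up above is to log the container's view of the authentication state on every request and compare the entries before and after logout. The filter below is an added example, not code from the thread or from SAP; it uses only the Servlet 2.4 API and assumes a web.xml filter-mapping on /*. If a request for a protected URL after logout still shows a remote user while the requested session id is reported as invalid (or a fresh session id appears), the principal is being re-established from something other than the invalidated HttpSession, which is the evidence worth taking to the vendor.

```java
// Added example (not from the original thread or from SAP): a diagnostic filter that
// logs authentication state per request. Assumes a web.xml mapping such as
// <filter-mapping><filter-name>authState</filter-name><url-pattern>/*</url-pattern></filter-mapping>.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class AuthStateLoggingFilter implements Filter {

    private FilterConfig config;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // getSession(false): observe only, never create a session as a side effect.
            HttpSession session = request.getSession(false);
            config.getServletContext().log(describe(request, session));
        }
        chain.doFilter(req, res);
    }

    // Builds one log line from the container's own accessors; kept separate so the
    // fields being compared before and after logout are easy to read.
    static String describe(HttpServletRequest request, HttpSession session) {
        StringBuffer sb = new StringBuffer("auth-state");
        sb.append(" uri=").append(request.getRequestURI());
        sb.append(" remoteUser=").append(request.getRemoteUser());
        sb.append(" requestedSessionId=").append(request.getRequestedSessionId());
        sb.append(" requestedIdValid=").append(request.isRequestedSessionIdValid());
        if (session == null) {
            sb.append(" session=none");
        } else {
            sb.append(" session=").append(session.getId());
            sb.append(" new=").append(session.isNew());
        }
        return sb.toString();
    }

    public void destroy() {
        config = null;
    }
}
```

Reading the output: the expected sequence after a correct logout is a line with requestedIdValid=false and remoteUser=null for the protected page, followed by the container's redirect to the login page. A line for a protected URL with remoteUser still set after invalidate() shows that authentication is not tied to the HttpSession alone on that platform.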