注册 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

和申的个人主页

专注于java开发,1985wanggang

 
 
 

日志

 
 

java中使用ssl和基于表单的验证策略出错  

2009-01-21 17:41:23|  分类: java安全 |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |

org.quartz.impl.jdbcjobstore.LockException: Failure obtaining db row lock: - 和申 - 和申的个人主页

我在使用ssl和基于表单的验证策略时出现,出现如下的异常:

HTTP Status 400 - Invalid direct reference to form login page


type Status report

message Invalid direct reference to form login page

description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).


Apache Tomcat/5.5.23

web。xml的配置如下:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
 xmlns="
http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
 
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!--  
 <login-config>  
          <auth-method>CLIENT-CERT</auth-method>  
          <realm-name>Wrox   Area</realm-name>  
      </login-config>
    -->  

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-failed.html</form-error-page>
</form-login-config>
</login-config>

<security-constraint>
 <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>/protected/*</url-pattern>
  <url-pattern>/login.jsp</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>begjsp</role-name>  
 </auth-constraint>
 
 <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint>
</security-constraint>

  <servlet>
    <description>This is the description of my J2EE component</description>
    <display-name>This is the display name of my J2EE component</display-name>
    <servlet-name>Test</servlet-name>
    <servlet-class>servlet.Test</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>Test</servlet-name>
    <url-pattern>/protected/Test</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>

后来发现我是直接登陆login.jsp,而实际上不用事先访问login.jsp,在访问受保护资源时会自动跳转到login.jsp然后登陆成功会自动跳转回原来访问的url
按正常的访问受保护的资源:localhost:8080/protected/Test,然后自动跳转到login.jsp

关于tomcat的ssl的配置参见:java应用 tomcat中实现https安全连接的方法

参考:===========================================================================

Invalid direct reference to form login page

I am developing an application using form-based uthorization in Tomcat 4.0.3.

(My basic problem is that I want to log out, but until then I have another problem first..)

In my web.xml I have defined the login page:

<login-config>

<auth-method>FORM</auth-method>

<form-login-config>

<form-login-page>/login.jsp</form-login-page>

<form-error-page>/loginError.jsp</form-error-page>

</form-login-config>

</login-config>

The login page basically consist of the standard

<form name="loginForm" method="POST" action="j_security_check">

<input type="text" name="j_username">

<input type="password" name="j_password">

<input type="submit" value="Login Now">

</form>

It all works fine. When I try to access web-resource-collections protected by a security-constraint in web.xml I get redirected to login.jsp.

But if I go to login.jsp directly I get this strange behavior:

When entering correct user/pwd I get the error message "Apache Tomcat/4.0.3 - HTTP Status 400 - Invalid direct reference to form login page". But when entering an incorrect user/pwd I get send to the loginError.jsp page. Which means that at least the user/pwd get checked.

So can I or can't I link directly to the login.jsp page and perform a login? Any ideas?

---------------------------------------------

You can't simply point a browser at the login page because there's no way to tell it where to got next! The login page's action is a builtin process, not a servlet or JSP that could then move you along to the next page.

The idea behind the login facility is that since a user can jump into any part of a webapp that has a distinct URL, thus bypassing a login page, the whole login process is moved external to the webapp so that if someone addresses the webapp and they are not yet logged in, the original URL is intercepted, the login form is presented, and if (and ONLY if) the login succeeds will the original URL be presented.

I also discovered to my pain that in Tomcat, a login form containing page-external references (such as CSS links) loses that saved URL, so it's best to keep the login page plain.

 

org.quartz.impl.jdbcjobstore.LockException: Failure obtaining db row lock: - 和申 - 和申的个人主页

  评论这张
 
阅读(1469)| 评论(0)
推荐 转载

历史上的今天

在LOFTER的更多文章

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2016