Java Mailing List Archive


RE: invalid direct reference to form login page...

Stefan Radzom

2003-06-28


Your problem has just recently been discussed on this list. Ben Jessel
proposed a workaround which I attached below. Hopefully, this might work for
you.

Stefan


> -----Original Message-----
> From: ben.jessel@(protected)
> Sent: Friday, June 27, 2003 1:42 PM
> To: tomcat-user@(protected)
> Subject: Possible workaround for invalid direct reference to login page
>
>
> Java Authentication with Tomcat relies on realms. If you access a page
> protected by that realm you get directed to the login page. However, it is
> possible to go directly to the login page (this can happen when users
> bookmark the login page inadvertently).
>
> This happens in two scenarios:
>
> 1) The user is already logged in.
> 2) The user is not logged in.
>
> If you authenticate yourself once you have gone directly to the login
> page, you get an "invalid direct reference" error. Fair enough, the login
> page is trying to redirect to itself. Now, I tried to work around this by
> checking if the session is null, and if it is, redirecting to some
> protected page, e.g. protected/index.jsp. No luck. It seems that a session
> is implicitly created, and a new session id gets created.
>
> So I've tried a cookie strategy:
>
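> <%
> // No cookies at all: the login page was requested directly
> // (Tomcat has not handed out a cookie yet).
> if ( request.getCookies() == null ) {
>     response.sendRedirect("/xxxx/jsp/protected/index.jsp");
>     return; // stop here; a second redirect or further output would fail
> }
> // Already logged in: send the user on to the index page.
> if ( request.getRemoteUser() != null ) {
>     response.sendRedirect("/xxxxx/jsp/protected/index.jsp");
>     return;
> }
> %>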
>
> i.e., we won't have a cookie if we've gone directly to the login page. But
> we will have if we've tried to access a protected page and then we've been
> forwarded to a login page; Tomcat will give us a cookie.
>
> Now if we're already logged in (which we check with getRemoteUser()),
> then we just forward the user to an index page.
>
> This seems o.k. However my index page actually includes my login page! I'm
> planning to get around this with some logic that only includes the login
> page excerpt if we are not logged in...
>
> Ben
>
>

> -----Original Message-----
> From: Brian Kuhn [mailto:bnkuhn@(protected)]
> Sent: Sunday, June 29, 2003 1:16 AM
> To: tomcat-user@(protected)
> Subject: invalid direct reference to form login page...
>
>
> Hi all,
>
> I've set up Tomcat (4.1.24) to do form based authentication. Everything
> works great, except I've had to deal with a lot of users that type in the
> URL I've given them, get redirected to the login page, and bookmark the
> login page before logging in. Later, when they use the bookmark, they get
> sent to the login page, but get an "Invalid direct reference to form login
> page..." message once they log in.
>
> I understand why this happens, but don't know what to do about it. Is there
> a way to specify a default page to go to when the login page is requested
> directly?
>
> Thanks,
>     Brian Kuhn
>     Telscape Communications
>
>
>
>
> ====================
> Brian Kuhn
> bnkuhn@(protected)
> ====================
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> For additional commands, e-mail: tomcat-user-help@(protected)
>
>
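
As an added example (not code from this thread or from Tomcat), the check from the JSP workaround quoted above can be written as a servlet filter mapped to the login page in web.xml. The class name and the path `/protected/index.jsp` are hypothetical, and using `isRequestedSessionIdValid()` instead of the cookie test is a substitution made here: it also treats a stale session id as a direct reference, but it remains a heuristic.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Guards the form-login page against bookmarked (direct) requests. */
public class LoginPageGuardFilter implements Filter {

    // Hypothetical path; fixed and context-relative, never taken from
    // request input, so the redirect cannot be steered to another site.
    private static final String PROTECTED_HOME = "/protected/index.jsp";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isDirectReference(request)) {
            // Bounce through a protected page so the container records a
            // request to return to, then shows the login form itself.
            String target = request.getContextPath() + PROTECTED_HOME;
            response.sendRedirect(response.encodeRedirectURL(target));
            return; // nothing more may be written after a redirect
        }
        chain.doFilter(req, res);
    }

    /** True when the login page should not be rendered for this request. */
    static boolean isDirectReference(HttpServletRequest request) {
        // Already authenticated: logging in again has nowhere to return to.
        if (request.getRemoteUser() != null) {
            return true;
        }
        // No live session behind the presented id (or no id at all): the
        // container did not send this client here. Unlike a JSP's implicit
        // session, this call never creates a session.
        return !request.isRequestedSessionIdValid();
    }
}
```

A client that still holds a live session created elsewhere in the application passes this check, so the error can still appear in that case.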




