OneMoreVladimir

Reputation: 1673

JAAS authentication and Servlet response

Good day. I've implemented JAAS authorization with FORMS authentication using Tomcat 7.0. When I try to access localhost:8080/Guestbook/secure/123.html I'm redirected to the authorization page. I authenticate and then I'm redirected to localhost:8080/Guestbook/secure/css/style.css, getting HTTP Status 404 - /Guestbook/secure/css/style.css. If I try to access the localhost:8080/Guestbook/secure/123.html resource again, I can get it without being redirected to the authentication page. As I understand it, I get authorized but I'm not redirected to the resource on the first try. What is actually happening, and what could be done to prevent such behavior? In my web.xml I have the following pieces of code.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Security test</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>

    <servlet-mapping>
        <servlet-name>FrontControllerServlet</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>

Upvotes: 1

Views: 943

Answers (2)

OneMoreVladimir

Reputation: 1673

Finally I've figured out the problem: I should have used the ${pageContext.request.contextPath} expression in the href attribute of my link tag.

Upvotes: 0
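Why a relative href in the login page leads to the stylesheet URL reported in the question, as an added example (not code from either poster): assuming the container displays login.jsp through a server-side forward, the browser still resolves css/style.css against the protected URL it requested, so the stylesheet request falls under /secure/*. The sample markup, print.css, img/logo.png and all function names are constructed for illustration.

```javascript
// Added example: constructed inputs, not taken from the original post.
// Assumption: FORM login forwards server-side, so the browser's base URL
// is still the protected URL that was originally requested.

const CONTEXT = '/Guestbook';             // context path from the question
const PROTECTED_PREFIXES = ['/secure/'];  // from <url-pattern>/secure/*</url-pattern>

// Constructed login-page markup: relative and context-absolute references.
const LOGIN_PAGE_HTML = `
<link rel="stylesheet" href="css/style.css">
<link rel="stylesheet" href="/Guestbook/css/print.css">
<img src="img/logo.png">
`;

// Collect href/src attribute values (simple scan, adequate for this sample).
function extractRefs(html) {
  const refs = [];
  const re = /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) refs.push(m[1]);
  return refs;
}

// True when a path-prefix url-pattern such as /secure/* covers the path.
function isProtected(pathname) {
  if (!pathname.startsWith(CONTEXT + '/')) return false;
  const inApp = pathname.slice(CONTEXT.length);
  return PROTECTED_PREFIXES.some((p) => inApp.startsWith(p));
}

// Resolve each reference the way the browser does and flag those that land
// inside the protected area when the login form is shown at requestedUrl.
function auditLoginPage(html, requestedUrl) {
  return extractRefs(html).map((ref) => {
    const resolved = new URL(ref, requestedUrl);
    return { ref, path: resolved.pathname, protected: isProtected(resolved.pathname) };
  });
}

const report = auditLoginPage(
  LOGIN_PAGE_HTML, 'http://localhost:8080/Guestbook/secure/123.html');
for (const r of report) {
  console.log(`${r.protected ? 'PROTECTED' : 'ok       '} ${r.ref} -> ${r.path}`);
}
```

An href built with ${pageContext.request.contextPath} is context-absolute, like the second link in the sample, so it resolves outside /secure/ whatever URL the login form is shown at.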

Ramesh PVK

Reputation: 15446

I think when you are accessing localhost:8080/Guestbook/secure/123.html the browser is serving the HTML from the cache. And the HTML is using localhost:8080/Guestbook/secure/css/style.css, for which the request is made to the server. And you get that behaviour.

I do not understand the necessity of securing static pages. But if you really want to secure them, send cache headers to the browser such that the browser does not cache the HTML and always makes a request to the server.

To disable caching of static pages in the browser, send the following headers:

    Pragma: no-cache
    Cache-Control: no-cache,no-store

Upvotes: 1
