Bug 46509

Summary: Tomcat 5.5 security example gives j_security_check not available
Product: Tomcat 5 Reporter: Michael Moody <curufir>
Component: Webapps:ExamplesAssignee: Tomcat Developers Mailing List <dev>
Severity: trivial    
Priority: P5    
Version: 5.5.26   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Michael Moody 2009-01-10 19:02:53 UTC
The problem happens when using the security example (jsp-examples/security/) in tomcat 5.5.

If the user enters their password incorrectly they are redirected to error.jsp which has a link back to login.jsp. If you use this link and login with the correct credentials login.jsp is reloaded. If you try to login a 2nd time with the correct credentials you receive an error "The requested resource (/jsp-examples/security/protected/j_security_check) is not available."

The problem is pretty simple. Since login.jsp, index.jsp and error.jsp are all in a secure realm using the link in error.jsp to reach login.jsp triggers authentication which brings up login.jsp as this is specified as <form-login-page> in web.xml.

When the user is authenticated they are taken to the page in the realm they requested, which in this case is login.jsp. When they try to login for the 2nd time they get the error because they have already been authenticated and they are trying to load j_security_check (loading index.jsp proves they are logged in).

This fixes it:

In /jsp-examples/security/protected/error.jsp

<a href='<%= response.encodeURL("login.jsp") %>'>again</a>.

<a href='<%= response.encodeURL("/") %>'>again</a>.

Only checked on Windows and Linux, but since Tomcat is doing what it's supposed to do I imagine the example exhibits this behaviour on all platforms.
Comment 1 Michael Moody 2009-01-10 20:12:55 UTC
Typo in the fix

In /jsp-examples/security/protected/error.jsp

<a href='<%= response.encodeURL("login.jsp") %>'>again</a>.

<a href='<%= response.encodeURL("index.jsp") %>'>again</a>.
Comment 2 Mark Thomas 2009-04-08 10:17:34 UTC
Thanks for the patch. It has been applied to trunk and proposed for 6.0.x and 5.5.x
Comment 3 Mark Thomas 2009-05-02 18:19:49 UTC
This has been fixed in 6.0.x and will be included in 6.0.20 onwards.
Comment 4 Mark Thomas 2009-06-04 07:37:44 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards. Thanks again for the patch.