Bug 46509 - Tomcat 5.5 security example gives j_security_check not available
Status: RESOLVED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Webapps:Examples
Version: 5.5.26
Hardware: PC All
Importance: P5 trivial
Assigned To: Tomcat Developers Mailing List
Reported: 2009-01-10 19:02 UTC by Michael Moody
Modified: 2009-06-04 07:37 UTC

Description Michael Moody 2009-01-10 19:02:53 UTC
The problem happens when using the security example (jsp-examples/security/) in Tomcat 5.5.

If the user enters their password incorrectly, they are redirected to error.jsp, which has a link back to login.jsp. If you use this link and log in with the correct credentials, login.jsp is reloaded. If you try to log in a 2nd time with the correct credentials, you receive an error "The requested resource (/jsp-examples/security/protected/j_security_check) is not available."

The problem is pretty simple. Since login.jsp, index.jsp and error.jsp are all in a secure realm, using the link in error.jsp to reach login.jsp triggers authentication, which brings up login.jsp as this is specified as <form-login-page> in web.xml.

When the user is authenticated they are taken to the page in the realm they requested, which in this case is login.jsp. When they try to log in for the 2nd time they get the error because they have already been authenticated and they are trying to load j_security_check (loading index.jsp proves they are logged in).

This fixes it:

In /jsp-examples/security/protected/error.jsp

Change:
<a href='<%= response.encodeURL("login.jsp") %>'>again</a>.

To:
<a href='<%= response.encodeURL("/") %>'>again</a>.

Only checked on Windows and Linux, but since Tomcat is doing what it's supposed to do I imagine the example exhibits this behaviour on all platforms.
Comment 1 Michael Moody 2009-01-10 20:12:55 UTC
Typo in the fix

In /jsp-examples/security/protected/error.jsp

Change:
<a href='<%= response.encodeURL("login.jsp") %>'>again</a>.

To:
<a href='<%= response.encodeURL("index.jsp") %>'>again</a>.
Comment 2 Mark Thomas 2009-04-08 10:17:34 UTC
Thanks for the patch. It has been applied to trunk and proposed for 6.0.x and 5.5.x.
Comment 3 Mark Thomas 2009-05-02 18:19:49 UTC
This has been fixed in 6.0.x and will be included in 6.0.20 onwards.
Comment 4 Mark Thomas 2009-06-04 07:37:44 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards. Thanks again for the patch.
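
Added example (not part of the bug thread and not Tomcat code): a small Python model of the FORM login flow as the description explains it, replaying the "again" link once with the original target (login.jsp) and once with the corrected one (index.jsp). The FormAuthSession class, its rules, the replay helper and the sample credentials are assumptions made for illustration.

```python
"""Simplified model of container-managed FORM login, following this report.
Not Tomcat code: the class, its rules and the credentials are assumptions."""

PROTECTED = "/jsp-examples/security/protected/"
PAGES = {PROTECTED + p for p in ("index.jsp", "login.jsp", "error.jsp")}
USERS = {"tomcat": "tomcat"}  # constructed sample credentials


class FormAuthSession:
    def __init__(self):
        self.user = None   # authenticated principal, if any
        self.saved = None  # protected URL requested before login

    def get(self, path):
        """GET a page; returns (status, page actually served)."""
        if path not in PAGES:
            return 404, None
        if self.user is None:
            self.saved = path                     # remember the original target
            return 200, PROTECTED + "login.jsp"   # serve the form-login-page
        return 200, path

    def post_login(self, user, password):
        """POST the login form to j_security_check."""
        if self.user is not None:
            # Already authenticated: j_security_check is no longer intercepted,
            # and no resource of that name exists in the web application.
            return 404, None
        if self.saved is None:
            return 400, None                      # model assumption: nothing to resume
        if USERS.get(user) != password:
            return 200, PROTECTED + "error.jsp"   # serve the form-error-page
        self.user, target, self.saved = user, self.saved, None
        return self.get(target)                   # continue to the saved request


def replay(retry_link):
    """Replay the reported steps; retry_link is the href used in error.jsp."""
    s = FormAuthSession()
    steps = [s.get(PROTECTED + "index.jsp")]            # first visit: login form
    steps.append(s.post_login("tomcat", "wrong"))       # bad password: error.jsp
    steps.append(s.get(PROTECTED + retry_link))         # follow the "again" link
    steps.append(s.post_login("tomcat", "tomcat"))      # correct credentials
    if steps[-1][1].endswith("login.jsp"):              # the form is shown again
        steps.append(s.post_login("tomcat", "tomcat"))  # so the user resubmits
    return steps


if __name__ == "__main__":
    for link in ("login.jsp", "index.jsp"):
        print(link, "->", replay(link)[-1])
```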