Cookies, JAAS, Container managed security !!!
843836 May 4 2004 — edited May 5 2004

Hi,
I want to implement container managed security wherein the container uses JAAS.
The container here is - Tomcat 4.1.27 (along with Apache 2.0 connected using Jk2)
I have implemented a LoginModule which JAAS uses for authentication.
Everything is working fine ...
- If I request a protected resource and haven't already logged in ... I am taken to the login form screen.
- If I am unable to log in, I am redirected to the file I want to be redirected to (defined in web.xml).
- If I authenticate successfully but don't have enough privileges, then also I am redirected to a relevant redirect page (defined in web.xml).
- If I authenticate and have enough privileges for the resource I requested ... I am taken to that page.
BUT, this is the problem I am facing ...
- Once I log in, I cannot log in as a different user by opening a different browser window.
- Tomcat simply tracks the last logged-in user and, if the session hasn't timed out ... it's the same old user again :(
- Tomcat is relying on cookies for tracking purposes ...
SO, if I turn off cookies in the context (as well as in the browser), this is what is happening.
- If I request a protected resource and haven't already logged in ... I am taken to the login form screen.
- If I am unable to log in, I am redirected to the file I want to be redirected to (defined in web.xml).
- However, if I do get authenticated, whether or not I have the privileges, I get to see the HTTP Status 400 message generated by Tomcat ...
"The request sent by the client was syntactically incorrect (Invalid direct reference to form login page)."
(Just in case someone needs to know, it's the j_security_check and friends thingy.)
THE QUERY, then, is ...
- What is it that I have been doing wrong ???
- Why does it work with cookies turned on? Why doesn't it work with cookies turned off, even if JSESSIONID is being appended to the URL?
- And more importantly, if someone is able to make it work w/o cookies, will I face the same scenario of not being able to log in using two different login IDs from the same computer using 2 different browser windows?
Regards,
--
Gagan
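An added example, written here for the setup the post describes; it is not the poster's code and not part of Tomcat. It is a complete JAAS LoginModule of the shape Tomcat 4.1's JAASRealm expects, with the container wiring in the leading comment. Two points a practitioner would check against the symptoms above. First, Tomcat's FormAuthenticator saves the original request in the session and then forwards to the login page; a POST to j_security_check that arrives in a session holding no saved request is answered with the 400 "Invalid direct reference to form login page". With cookies off that happens whenever the login form's action does not itself carry the session id, so the login page has to build the action with response.encodeURL("j_security_check"). Second, a browser shares its cookies across all of its windows, so with cookie-based sessions every window is the same session and therefore the same logged-in user; with URL rewriting each window carries its own session id in its links, so separate sessions (and separate logins) per window are possible as long as every link and form on the site keeps encoding the URL. The package, class and file names and the user table are assumptions made for the example.

```java
// Added example, not code from the original post or from Tomcat. JAASRealm
// tells users from roles by the *class* of each Principal the module puts in
// the Subject, hence two Principal classes. JDK 1.4 style to match Tomcat 4.1.
// Assumed wiring (all names are assumptions):
//   JVM option: -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config
//   conf/jaas.config:  Tomcat { example.auth.SimpleLoginModule required; };
//   conf/server.xml:
//     <Realm className="org.apache.catalina.realm.JAASRealm" appName="Tomcat"
//            userClassNames="example.auth.SimpleLoginModule$UserPrincipal"
//            roleClassNames="example.auth.SimpleLoginModule$RolePrincipal"/>
//   web.xml: <auth-method>FORM</auth-method>, form-login-page /login.jsp
//   login.jsp: the form action must carry the session id, or a cookieless
//   client posts into a fresh session with no saved request and gets the 400:
//     <form method="POST" action="<%= response.encodeURL("j_security_check") %>">
package example.auth;

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SimpleLoginModule implements LoginModule {

    /** The authenticated user; listed in JAASRealm's userClassNames. */
    public static class UserPrincipal implements Principal {
        private final String n;
        public UserPrincipal(String n) { this.n = n; }
        public String getName() { return n; }
    }

    /** One granted role; listed in JAASRealm's roleClassNames. */
    public static class RolePrincipal implements Principal {
        private final String n;
        public RolePrincipal(String n) { this.n = n; }
        public String getName() { return n; }
    }

    // Constructed sample data: user -> { password, roles... }. A real module
    // would consult a database or directory and compare a salted hash.
    private static final Map USERS = new HashMap();
    static {
        USERS.put("alice", new String[] { "alice-pw", "admin", "user" });
        USERS.put("bob",   new String[] { "bob-pw", "user" });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private String[] roles;

    public void initialize(Subject s, CallbackHandler h, Map shared, Map opts) {
        subject = s;
        handler = h;
    }

    /** Phase 1: fetch j_username/j_password through the realm's callbacks. */
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("unsupported callback: " + e.getCallback());
        }
        char[] pw = pc.getPassword();   // a copy; wipe both once compared
        pc.clearPassword();
        String[] rec = (String[]) USERS.get(nc.getName());
        // Same failure for unknown user and wrong password: no username enumeration.
        boolean ok = rec != null && pw != null && Arrays.equals(rec[0].toCharArray(), pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        roles = new String[rec.length - 1];
        System.arraycopy(rec, 1, roles, 0, roles.length);
        return true;
    }

    /** Phase 2: add Principals only once the whole login stack has succeeded. */
    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        for (int i = 0; i < roles.length; i++)
            subject.getPrincipals().add(new RolePrincipal(roles[i]));
        return true;
    }

    public boolean abort() { user = null; roles = null; return true; }

    public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
}
```

The module never touches HttpSession or cookies: the realm hands it a username and password through the callbacks and gets a Subject back. Whether the container can tie that Subject to the browser on the next request is a separate question, decided entirely by session tracking (cookie or rewritten URL), which is why the cookieless case fails at j_security_check rather than inside login().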