j_security_check and apache httpd ProxyPass

 
Antal Bos
Greenhorn
Posts: 3
Hi all,

When I go to this URL of my site: http://www.mysite.com/admin/page.jsp
My Apache httpd proxy passes this to my local machine http://localhost:8080/appname/admin/page.jsp
I get a login page that is located here: http://localhost:8080/appname/login/login.jsp
This page is configured in the web.xml in the element <login-config>
And this login page uses the j_security_check of Tomcat.
So far so good.....

When I log in, I'm getting back this URL: http://www.mysite.com/appname/admin/page.jsp
But this is not correct and should be: http://www.mysite.com/admin/page.jsp
Anyone know how I can solve this?

For now I just pass that new URL: http://www.mysite.com/appname/admin/page.jsp
to this: http://localhost:8080/appname/login/login.jsp
This last is working fine, but that new URL is not what I like very much.

Best regards,
Antal
 
Tim Holloway
Saloon Keeper
Pie
Posts: 18276
56
Android Eclipse IDE Linux
  • Likes 1
Welcome to the JavaRanch, Antal!

J2EE container security doesn't work quite like that, and neither do Tomcat URLs. In Tomcat, the "application" part of the URL is properly known as the application context. Since a Tomcat server can host multiple applications, that part of the URL tells Tomcat which application to route requests to.

The only way to avoid having the "application" in the URL, is to deploy the webapp under the Root context, which has the "application" of "/". However, that would be a separate application from an application deployed under a context such as "myappname", and since 2 applications cannot communicate directly, having a login page under the root context wouldn't help the "myappname" context.

That's part of your problem.

The other part is your login page. In J2EE, you cannot route to the login and loginfail pages directly. Those pages are not processed in the usual way by the webapp, so attempting to specify "j_security_check" on a user-submitted page will fail.

What actually happens is that if Tomcat sees a request for a secured URL, it will sideline that request, look in the web.xml for the login page location, and send back the login page to the user. The user then submits the form on that page and Tomcat itself (NOT the application) processes the j_security_check. The application never actually sees the login happen.

If you want some really down-and-dirty details on how the whole process works, look back in this forum to about the middle of last week and you'll find a thread where I outlined the process more completely.
 
Antal Bos
Greenhorn
Posts: 3
Hi Tim,

A very clear explanation.
As I read your text about that application-context-name, it sounds pretty logical with that multi-hosted Tomcat application (what I also intended to do).

I never directly link to those login/error_login pages.
In the web.xml I have indeed only that <security-constraint> element that points to my admin-folder and uses those login-pages.
Also I didn't know that only Tomcat (not the application) handles that request. Learned something there, but sounds also logical!

This is what I was thinking about now:
Is it not in some way possible to change the URL from my Apache httpd proxy config-file?
I read some information about URL rewriting, but not sure if that is going to work.

Is this last the right way of working or is it then even better to use a framework like Apache Shiro?

Thanks in advance.
 
Tim Holloway
Saloon Keeper
Pie
Posts: 18276
56
Android Eclipse IDE Linux
I'm not totally sure I understood that, but the actual URL for the login form is the property of Tomcat and isn't something you are entitled to change.

If you're using a proxy URL, the translated URL does have to retain the context ID of the webapp just like normal webapp URLs do. You cannot have a different context for the login than for the application.

While it's possible you may be able to finagle something, solutions like that have a bad habit of breaking down at the most inconvenient time (Murphy's Law), so I don't recommend trying to out-clever it.
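
The point above about the proxied URL retaining the webapp context, as an added Apache httpd example that is not from the thread. Mapping A is a reconstruction of the setup described in the opening post (the actual proxy configuration was never posted, so it is an assumption); mapping B keeps /appname on both sides of the proxy.

```apache
# Constructed example. Host names and paths follow the thread.

# Mapping A (assumed from the opening post): public /admin/ is mapped onto a
# backend path inside the /appname context.
#   - Tomcat scopes its session cookie to the context path (Path=/appname) by
#     default, so the browser does not return it for requests under /admin/.
#   - After j_security_check succeeds, Tomcat redirects to the saved request
#     URI, which carries the context path (/appname/admin/page.jsp). That
#     target only lands on a proxied URL if the proxy rewrites it.
#ProxyPass /admin/ http://localhost:8080/appname/admin/

# Mapping B: the public path and the backend path share the same context, so
# the cookie path and the container-issued redirect need no path rewriting.
<VirtualHost *:80>
    ServerName www.mysite.com

    ProxyPass        /appname/ http://localhost:8080/appname/
    # Rewrites the backend host in Location headers on redirects.
    ProxyPassReverse /appname/ http://localhost:8080/appname/
</VirtualHost>
```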
 
Antal Bos
Greenhorn
Posts: 3
Hi Tim,

The solution is even simpler than I thought!
When I go to my page http://www.mysite.com/admin/page.jsp
After login I get to this page: http://www.mysite.com/appname/admin/page.jsp
This page is indeed not there (because the URL has that appname), but now I just created a page on that location with this content:
<%
String redirectURL = "http://www.mysite.com/admin/page.jsp";
response.sendRedirect(redirectURL);
%>

This gets me back what i want.
Let me know if this is also a bad habit or a nice easy solution?

Thanks for your replies and your help. It brought me further to a nice web-application!
 