Re: [securityfilter-user] filter-mapping
From: Christopher S. <ch...@ch...> - 2009-02-11 20:36:32
Martin,

On 2/11/2009 1:19 PM, Martin Dubuc wrote:
> I have experimented with security-filter the last few days and although it
> solves some of the issues I was trying to fix for a long time, there are
> things I can't do anymore with this filter in place.
>
> One area of concern is CGI scripts. I use CGI emulation in Tomcat to run
> some legacy CGI scripts and it looks like these scripts are not compatible
> with the security-filter. I also have some issues with some files, for
> instance the error.jsp file that should be displayed when an exception is
> thrown. Currently, when an exception occurs, the login form is presented
> instead of error.jsp (it looks like the system redirects to login.jsp
> instead of error.jsp).

If you are getting login.jsp showing instead of error.jsp, then you probably have your <security-constraint> elements (in securityfilter-config.xml) set to something too restrictive. Remember, if error.jsp is protected, you'll be forced to log in before you can see it ;)

Can you explain a little more about the CGI stuff? I don't see why securityfilter would be interfering with your CGI scripts. Can you give me some more details?

> I thought I might be able to get around these problems by specifying a
> filter mapping, but I can't get that to work. I would like to have the
> security filter applied only on files that end with the jsf extension (for
> instance main.jsf), but I can't get this to work. If I specify a filter
> mapping /main.jsf, I can never get out of the login page (after I submit the
> login page, the system redisplays the login page again and again). There are
> no error logs reported in the catalina.out file.
>
> Even specifying a filter mapping of *.jsf does not work. If I specify the
> following filter:
>
> <filter-mapping>
>   <filter-name>Security Filter</filter-name>
>   <url-pattern>*.jsf</url-pattern>
> </filter-mapping>
>
> I get an HTTP status 404 when I try to access any page in my application.

This looks like a legitimate filter mapping, and should only apply to *.jsf files (see section 11 of the servlet spec for more information).

Are you saying that a filter-mapping for /main.jsf causes all pages to redirect to the login page no matter what? That's odd, since securityfilter should only be kicking in for requests to /main.jsf. And, if you use a filter-mapping of *.jsp then everything 404s? Hmm... if securityfilter were actually failing, I would expect a 500 Internal Server Error, not a 404.

Do you have container-managed security set up in Tomcat's server.xml as well as securityfilter? That might be confusing things. Remember that securityfilter-config.xml should contain all your <security-constraint> setup, and web.xml should have none of this stuff left over. Otherwise, you'll have sf and Tomcat fighting each other.

Also note that you'll have to map j_security_check to securityfilter, otherwise you'll never be able to log in ;)

> When I run certain CGI scripts, I get this log:
> INFO: cgi: runCGI: bad header line "<html><head><meta http-equiv="refresh"
> content="0;URL=/system/login.jsp"></head></html>
>
> It looks like when I try to run this script, the application redirects to
> login.jsp first and this confuses the CGI emulator.

securityfilter uses 302 FOUND HTTP responses to perform redirections, not META HTTP-EQUIV tricks. Whatever you are seeing here is coming from somewhere else.

> Some other CGI scripts, the application just transitions to the login page
> and I don't see any error or info logs in catalina.out.
>
> Do you understand what might be happening and is there a solution?

Honestly, I have no idea what's going on. Let's get some more info. Try to keep your responses on the mailing list.

-chris
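
The mapping advice in the reply above, as an added configuration sketch that is not part of the original message or the project's own sample files: the filter is scoped to `*.jsf`, `j_security_check` is mapped explicitly, and the access rules sit only in securityfilter-config.xml. The filter class name, the `config` init-param, the `/j_security_check` path and the `user` role are assumptions to check against the installed securityfilter version and the application's actual login form.

```xml
<!-- WEB-INF/web.xml (fragment): constructed example -->
<filter>
  <filter-name>Security Filter</filter-name>
  <!-- assumed class name and init-param; verify for your securityfilter version -->
  <filter-class>org.securityfilter.filter.SecurityFilter</filter-class>
  <init-param>
    <param-name>config</param-name>
    <param-value>/WEB-INF/securityfilter-config.xml</param-value>
  </init-param>
</filter>

<!-- Protected pages: only requests ending in .jsf pass through the filter -->
<filter-mapping>
  <filter-name>Security Filter</filter-name>
  <url-pattern>*.jsf</url-pattern>
</filter-mapping>

<!-- The login form posts to j_security_check, which *.jsf does not match.
     Map it explicitly so the filter sees the submitted credentials; the
     pattern must equal the URL the form actually posts to (assumed here
     to be at the context root). -->
<filter-mapping>
  <filter-name>Security Filter</filter-name>
  <url-pattern>/j_security_check</url-pattern>
</filter-mapping>

<!-- No <security-constraint> or <login-config> in web.xml: keeping them only
     in securityfilter-config.xml stops the container and the filter from
     both enforcing access control. -->

<!-- WEB-INF/securityfilter-config.xml (fragment): constructed example -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSF pages</web-resource-name>
    <!-- error.jsp and login.jsp fall outside this pattern, so they can be
         rendered without a prior login -->
    <url-pattern>*.jsf</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- hypothetical role name -->
  </auth-constraint>
</security-constraint>
```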