Running JBoss 4 with Tomcat as web-server, deploying a WAR or EAR using web.xml <auth-method>FORM</auth-method> based authentication via JBoss JAAS.
1. User is on a ZUL page.
2. The application WAR/EAR is redeployed.
3. The user presses 'refresh' or clicks a link and is asked to log in via an HTML form (JBoss invalidates the old session, causing the old login to be lost).
4. When the login form is submitted and the user is authenticated, the user's browser gets sent to the URL
/my/context/zkau
which simply returns XML containing <rs/>
If a user comes in from a non ZUL page (e.g. JSF page) this does not happen.
This is probably a Tomcat issue, but would it be possible to modify the DHtmlUpdateServlet class to redirect a call to "/zkau" (no path-info, no parameters) back to the context root?
Dave
P.S. This has been an issue since ZK 2.2
Logged In: YES
user_id=1582062
Originator: YES
More Info
2 parameters are passed, namely: dtid="gpip1" and cmd.0="rmDesktop"
Looking at the 2.3.1 code a response.redirect( context-root ) in DHtmlUpdateServlet.process() when desktop==null ('else' on firefox check) rather than calling flushXMLWriter() would do the trick.
Dave
Logged In: YES
user_id=1582062
Originator: YES
File Added: LoginFixFilter.java
Sample web.xml Filter to avoid bad redirect after login
Logged In: YES
user_id=386673
Originator: NO
This is caused by time racing.
1. TOMCAT uses the internal org.apache.catalina.Session to save request information during authentication.
2. ZK will send two requests when refreshing a page (say /yourpage): removeDesktop (/zkau) and load page (/yourpage).
3. Because of 1 and 2, it causes time racing when setting the request information to the session.
4. If removeDesktop is processed last, then after the user is authenticated the page will redirect to /zkau, not /yourpage.
To avoid this, please remove the authentication constraint on /zkau. Since /zkau is controlled by ZK, there is no need to display a password page to the user.
If this solution cannot solve your problem, please re-open this bug and post your comments. Thanks.
/Dennis
Logged In: YES
user_id=1582062
Originator: YES
Unfortunately web.xml does not have a simple mechanism to exclude a servlet or URL from authentication. To do as you suggest ("remove the authentication constraint on /zkau") would require a rewrite of all the authorization sections in web.xml to specifically include all non-'/zkau' items. Of course, this raises the danger of not including everything, especially during future project maintenance (common convention in web.xml is to include everything, i.e. "/*").
An option could be to put the application under an 'app' directory and put login constraints on that but not on the web-context root. But that would require a rework of application URLs plus reworking all current and future servlet URLs.
Dave
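The exclusion debated in the two comments above can be written as a second constraint, shown here as an added example that is not part of the thread. It relies on the Servlet 2.4 rule that the constraints of the best-matching url-pattern are the ones applied, so a constraint on /zkau/* with no auth-constraint leaves /* protected and only /zkau open. The resource names, the role name "user", the login page paths and the assumption that the ZK update servlet is mapped at /zkau/* are all assumptions.

```xml
<!-- Added example, not from the thread. Names, role and login pages are assumptions. -->

<!-- Existing catch-all constraint: everything requires an authenticated user. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- More specific pattern with NO auth-constraint element.
     /zkau and /zkau/... match this pattern better than /*, so the container
     applies only this constraint to them and does not start FORM login.
     An unauthenticated rmDesktop request is therefore never stored as the
     "saved request" that the login form redirects to afterwards. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ZK update servlet</web-resource-name>
    <url-pattern>/zkau/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

With this in place, requests to /zkau reach ZK without container authentication, so any server-side handler that depends on the caller's identity has to check it itself rather than rely on the /* constraint.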
Logged In: YES
user_id=386673
Originator: NO
Hi,
This is a conflict between TOMCAT and ZK, as I explained in my last comment.
There is an option that can solve this problem:
you can stop the firing of the removeDesktop command by adding the following configuration in zk.xml:
<client-config>
  <keep-across-visits>true</keep-across-visits>
</client-config>
But desktop will be removed until the cached desktop number is larger than the configuration.
To configure the max desktop number, you can add the following configuration in zk.xml:
<session-config>
  <max-desktops-per-session>4</max-desktops-per-session>
</session-config>
If there are no further questions, I will close this bug this week.
/Dennis
Logged In: YES
user_id=1582062
Originator: YES
I have not looked at the 3.0.1 code, but could the suggested fix on 2.3.1 be applied (maybe via a zk.xml option)? (see comment at end dated 2007-07-12 08:12).
To me this is the same situation as your zk.xml timeout-url option, and should be handled as elegantly. If the client makes an XML AJAX request, but gets an HTML response (or a HTTP authentication request) could you not react accordingly (i.e. simply refresh the page)?
Dave
P.S. A colleague has encountered exactly the same problem with JBoss RichFaces
The feature request you have made has expired, as your request may have
already been completed, please check the latest release notes of ZK at
http://www.zkoss.org/product/zk/releasenote or go to
http://tracker.zkoss.org to request again.
Sorry for the inconvenience and thank you for your cooperation.