form based authentication problem
My web application uses Tomcat 5.5.10. With basic authentication, the application works fine.
With form-based authentication, if I submit an invalid username/password, the application seems to work: error.jsp is shown. But if I submit a valid username/password, I get "HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser".
Has anyone had this kind of problem and solved it? Please help me out.
[591 byte] By [tacoma895a] at [2007-10-1 22:18:42]

Did you find a resolution to this? I'm experiencing the same thing.
I'm using JBoss 4.0.2 with Tomcat 5.5. For a while, I was always getting the 408 message. I realized that the login-config.xml file wasn't configured correctly. The example database realm looks like this:
<application-policy name = "Database Realm">
    <authentication>
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag = "required">
            <module-option name = "unauthenticatedIdentity">guest</module-option>
            <module-option name = "dsJndiName">java:/UsersDS</module-option>
            <module-option name = "principalsQuery">SELECT PASSWORD FROM USERS WHERE USERID=?</module-option>
            <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM USER_ROLES WHERE USERID=?</module-option>
        </login-module>
    </authentication>
</application-policy>
On the "rolesQuery", I had a column selected for the role group instead of just using the 'Roles' literal.
When I changed that, I'm able to log in using Basic Authentication. However, I still get the 408 when using FORM authentication.
Unbelievable. Here's a link that led me to the answer.
http://simongbrown.com/jira/secure/ViewIssue.jspa?key=PEB-117
I tried hitting the link from another computer in my LAN and it worked. I closed my personal firewall (eTrust EZ Armor Firewall - looks the same as ZoneAlarm) and everything works fine now.
I can't really explain it other than I'm guessing it's blocking the cookie that the site is trying to set.
Tacoma, I'd be interested in knowing if your problem is related.
A side note... in the log files, I was seeing this:
When I was getting the 408:
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /dev/student/images/j_security_check
DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'barg27'
....
DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'barg27' was successful
DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/dev]] User took so long to log on the session expired
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ?/dev/student/images/j_security_check
When I hit it from another PC:
DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 27C5EB29FD1FDEAA91647836F55D7148
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /dev/student/images/arrows.gif
DEBUG [org.apache.catalina.realm.RealmBase]Checking constraint 'SecurityConstraint[StudentPages, AuthenticatedPages]' against GET /student/images/arrows.gif --> true
DEBUG [org.apache.catalina.realm.RealmBase]Checking constraint 'SecurityConstraint[StaffPages]' against GET /student/images/arrows.gif --> false
DEBUG [org.apache.catalina.realm.RealmBase]Checking constraint 'SecurityConstraint[StudentPages, AuthenticatedPages]' against GET /student/images/arrows.gif --> true
DEBUG [org.apache.catalina.realm.RealmBase]Checking constraint 'SecurityConstraint[StaffPages]' against GET /student/images/arrows.gif --> false
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
DEBUG [org.apache.catalina.realm.RealmBase]User data constraint has no restrictions
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '27C5EB29FD1FDEAA91647836F55D7148'
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'barg27' with type 'FORM'
DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
DEBUG [org.apache.catalina.realm.RealmBase]Checking roles GenericPrincipal[barg27 (admin,student,)]
DEBUG [org.apache.catalina.realm.RealmBase] Username barg27 has role student
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
Notice the use of the session ID that's shown in the logs on several occasions when it's working.
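
An added example, not part of the original posts: a small Python check that runs over Tomcat DEBUG output of the kind quoted above and flags logins where the credentials were accepted, the request arrived without a session cookie, and the session was then reported expired. The sample lines are constructed from the messages in the thread, and the code assumes one client's requests are not interleaved with others in the log.

```python
import re

COOKIE = re.compile(r"Requested cookie session id is (\w+)")
REQUEST = re.compile(r"Security checking request (\w+) (\S+)")
AUTH_OK = re.compile(r"Authentication of '([^']+)' was successful")
FORM_OK = re.compile(r"Authenticated '([^']+)' with type 'FORM'")
EXPIRED = "User took so long to log on the session expired"

# Constructed sample built from the DEBUG messages quoted in the thread.
SAMPLE_LOG = """\
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /dev/student/images/j_security_check
DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'barg27' was successful
DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/dev]] User took so long to log on the session expired
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ?/dev/student/images/j_security_check
DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 27C5EB29FD1FDEAA91647836F55D7148
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /dev/student/images/arrows.gif
DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '27C5EB29FD1FDEAA91647836F55D7148'
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'barg27' with type 'FORM'
"""

def classify_requests(log_text):
    """Split the log into requests; record cookie, user and outcome for each."""
    requests, pending_cookie, cur = [], None, None
    for line in log_text.splitlines():
        if m := COOKIE.search(line):
            pending_cookie = m.group(1)  # logged just before the request line
        elif m := REQUEST.search(line):
            cur = {"method": m.group(1), "uri": m.group(2),
                   "cookie": pending_cookie, "user": None, "outcome": "other"}
            requests.append(cur)
            pending_cookie = None
        elif cur is None:
            continue  # output that precedes the first request line
        elif m := AUTH_OK.search(line):
            cur["user"] = m.group(1)  # the realm accepted the credentials
        elif EXPIRED in line:
            cur["outcome"] = "session_lost"  # the case that ends in HTTP 408
        elif m := FORM_OK.search(line):
            cur["user"], cur["outcome"] = m.group(1), "form_login_ok"
    return requests

def lost_session_logins(log_text):
    """Logins with valid credentials, no session cookie, and an expired session."""
    return [r for r in classify_requests(log_text)
            if r["outcome"] == "session_lost" and r["user"] and r["cookie"] is None]

if __name__ == "__main__":
    for r in lost_session_logins(SAMPLE_LOG):
        print(f"{r['user']}: {r['method']} {r['uri']} had no session cookie")
```

A hit here means the realm configuration is working and the failure is on the cookie path between browser and server, which matches the firewall finding in the thread.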