users@glassfish.java.net

Security problem with Glassfish and Netbeans

From: Hugh Acland <hughacland_at_googlemail.com>
Date: Thu, 13 Sep 2007 12:39:58 +0100

Hi,

I have set up a form based login screen (using j_security_check) and have
the following web.xml :

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>PWA-Group</display-name>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>login.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>All</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>PWA-group</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>Admin</role-name>
    </security-role>
</web-app>

and the following sun-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="">
  <context-root>/pwa_cms</context-root>
  <security-role-mapping>
    <role-name>Admin</role-name>
    <principal-name>XXXXXX</principal-name>
    <group-name>Administrator</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="classdebuginfo" value="true">
      <description>Enable debug info compilation in the generated servlet class</description>
    </property>
    <property name="mappedfile" value="true">
      <description>Maintain a one-to-one correspondence between static content and the generated servlet class' java code</description>
    </property>
  </jsp-config>
</sun-web-app>

I have set up the Glassfish Realm correctly such that when the app is
deployed if a user attempts to access a restricted area the login form (
login.jsp) is displayed. If the user then attempts to login but with wrong
details then the loginError.html page is correctly displayed. However, when
the user attempts to login using the correct details IE gives a 403 error
(could connect but not authorized..) and the web-address displayed in the
address bar is {XXX}/pwa-cms/j_security_check.

This leads me to believe that the j_security_check servlet is being called
correctly; it then checks that the details are correct and, if not, redirects to
the loginError page. However, it seems that when it has confirmed the details
are authentic it then doesn't allow the user to see the requested
resource/page.

Could someone help me out please and spread some light on this problem?

Much appreciated,
Hugh
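A small consistency check over the two descriptors above, added here as an example and not part of the original post or of GlassFish: it confirms that every role named in an auth-constraint is declared as a security-role and mapped in sun-web.xml (a mismatch there is a common cause of a 403 after a successful login), and it flags any web-resource-collection that lists http-method elements, since under the Servlet 2.5 rules a constraint that names methods leaves every unlisted method unconstrained. The embedded descriptors are constructed, abridged copies of the post's files; the audit function name is an assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/javaee}"  # default namespace of web.xml

# Constructed sample mirroring the web.xml from the post (abridged).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.html</form-error-page></form-login-config>
  </login-config>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""

# Constructed sample mirroring sun-web.xml (no namespace; DOCTYPE omitted).
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>Admin</role-name><group-name>Administrator</group-name>
  </security-role-mapping>
</sun-web-app>"""


def audit(web_xml: str, sun_web_xml: str) -> list:
    """Return findings about the declarative security config (hypothetical helper)."""
    findings = []
    web = ET.fromstring(web_xml)
    declared = {e.text.strip() for e in web.findall(f"{NS}security-role/{NS}role-name")}
    required = set()
    for sc in web.findall(f"{NS}security-constraint"):
        required |= {e.text.strip() for e in sc.findall(f"{NS}auth-constraint/{NS}role-name")}
        for wrc in sc.findall(f"{NS}web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall(f"{NS}http-method")]
            patterns = [p.text.strip() for p in wrc.findall(f"{NS}url-pattern")]
            if methods:  # naming methods leaves every unlisted method unconstrained
                findings.append(f"uncovered-methods {','.join(patterns)} only {','.join(methods)}")
    for role in sorted(required - declared):  # used in auth-constraint but never declared
        findings.append(f"undeclared-role {role}")
    sun = ET.fromstring(sun_web_xml)
    mapped = {m.findtext("role-name", "").strip() for m in sun.findall("security-role-mapping")}
    for role in sorted(required - mapped):  # declared but never mapped to a principal/group
        findings.append(f"unmapped-role {role}")
    return findings
```

Run `audit(WEB_XML, SUN_WEB_XML)` against the real descriptors (with the DOCTYPE stripped from sun-web.xml) to see which of the three conditions applies before looking further into the realm configuration.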