j_security_check on Tomcat

java security jakarta-ee tomcat

35,926

The action parameter in the login form page is interpreted as a URL relative to the URL of the login page, so when you submit the form the browser sends a POST request to the server with the URL /[context-path]/ProviderManager/j_security_check. The servlet container uses /[context-path]/j_security_check as the path for authentication requests to your webapp.

Any one of the following should fix this:

Change the action parameter in the login page to ../j_security_check.
Change the action parameter in the login page to /[context-root]/j_security_check
Move the login page to the application context root directory.

35,926

Author by

Guido Anselmi

Updated on September 21, 2020

Comments

Guido Anselmi over 3 years

Do I have to do anything to activate Tomcat handling the call to j_security_check? The config & HTML code is below. I am getting this error:

Error Message

type Status report

message /(context path)/ProviderManager/j_security_check

description The requested resource (/(context path)/ProviderManager/j_security_check) is not available.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>

    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>ProviderManager</web-resource-name>
            <description/>
            <url-pattern>/ProviderManager/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/ProviderManager/login.jsp</form-login-page>
            <form-error-page>/ProviderManager/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>tomcat</role-name>
    </security-role>
</web-app>

tomcat-users.xml

<tomcat-users>

  <role rolename="tomcat"/>
  <role rolename="role1"/>

  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

  <user username="ide" password="mgPNx5x5" roles="manager-script,admin"/>
</tomcat-users>

login.html

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title>
    </head>
    <body>
        <form action="j_security_check" method="POST">
           Username:<input type="text" name="j_username"><br>
           Password:<input type="password" name="j_password">
           <input type="submit" value="Login">
        </form>
    </body>
</html>

Thanks-in-advance,

Guido