Problem 1

When a user attempts to gain access to restricted files he/she does not have a role for, an HTTP 403 is returned to the user.

When then trying to re-login using the same link (BASIC authentication) to type different credentials, the failed login attempt is remembered and goes directly to an HTTP 403, without asking for username/password.

Problem 2

When a user successfully logs in and gets his/her session terminated, then clicks the login button again, they aren't asked to type in their login credentials because their previous login "session" is remembered.

To try and fix this behavior I have tried different solutions, ALL without luck.

Solution 1

Call the .invalidate() method on the request.getSession(false) object.

Solution 2

Disable browser cache through a filter for all *.jsp pages on requests:

httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0
httpResponse.setDateHeader("Expires", 0); // Proxies

Which I found here:

Add an Expires or a Cache-Control header in JSP

How to control web page caching, across all browsers?

Solution 3

Disabling Tomcat 8 cache in /META-INF/context.xml:

antiJARLocking="true"
antiResourceLocking="true"
cachingAllowed="false"
cacheMaxSize ="0"
cacheTTL="1"
reloadable="false"

Found here:

how to disable tomcat caching?

Undeploy, redeploy the project and restart Tomcat.

For everything I have tried I have disabled browser cache as in solution 2, cleared my test browser before the login test and tried private browser windows.

Redirect back to login at error

When I get the HTTP 403 error I call a servlet through web.xml that sends the user back to the frontpage (where the login link is):

<error-page>
    <error-code>403</error-code>
    <location>/Http403</location>
</error-page>

Through a response.sendRedirect(url) instead of a forward, so as to force the browser to make a 'fresh' HTTP GET for the frontpage/welcome page. I read somewhere that this was the way to do it, but I'm not 100% sure whether this has any advantage or not; if someone knows, please let me know.

Found the problem

From Basic Authentication: Is it possible to setRemoteUser like getRemoteUser():

The BASIC authentication is a completely different thing. It shows a bare JavaScript look-alike dialog with username/password inputs. It stores the authentication information on the client side, which gets sent as a request header on every single subsequent request.
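
As an added example that is not part of the original post or the answer, here is what the pieces above look like when put together in one Tomcat 8 (Servlet 3.1, javax.servlet) web application: the Solution 2 no-cache filter widened from *.jsp to every response, the /Http403 servlet named in the web.xml error-page fragment doing the sendRedirect, and a /logout servlet that answers 401 with a WWW-Authenticate challenge. That last servlet is not something the post tried; it is the one lever the server has over BASIC credentials, because, as the quoted explanation says, the browser re-sends them on every request and no session invalidation or cache header touches them. The package, class names, the /index.jsp target, the /logout path and the realm name are assumptions made for this example.

```java
// Added example, not code from the original post. Each class goes in its own file
// under package "example" in a Tomcat 8 (Servlet 3.1) web app. Names, paths and the
// realm are assumptions; the realm must match <realm-name> in the app's web.xml.

// ---- NoCacheFilter.java ----
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// "Solution 2" from the question, applied to every response ("/*") rather than only
// *.jsp, so redirects and error pages are never served from the browser cache either.
@WebFilter("/*")
public class NoCacheFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        httpResponse.setHeader("Pragma", "no-cache");                                    // HTTP 1.0
        httpResponse.setDateHeader("Expires", 0);                                        // proxies
        chain.doFilter(request, response);
    }
}

// ---- Http403Servlet.java ----
// Target of <error-page><error-code>403</error-code><location>/Http403</location></error-page>.
// service() is overridden rather than doGet() because the error dispatch keeps the
// original request's method, which may have been a POST.
@WebServlet("/Http403")
public class Http403Servlet extends HttpServlet {
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false); // "Solution 1": drop the session, if any
        if (session != null) {
            session.invalidate();
        }
        // Redirect instead of forward: the browser issues a fresh GET for the front page
        // under its own URL instead of rendering it under the URL that produced the 403.
        response.sendRedirect(request.getContextPath() + "/index.jsp"); // assumed front page
    }
}

// ---- LogoutServlet.java ----
// The browser keeps sending the Authorization header no matter what happens to the
// session, so the only way to get a new username/password dialog is a 401 with a
// WWW-Authenticate challenge for the same realm. Keep this path OUTSIDE every
// <security-constraint>, otherwise the container authenticates the cached
// credentials before the servlet ever runs. Whether a cancelled dialog also discards
// the old credentials differs between browsers.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    private static final String REALM = "Restricted"; // assumed; must equal <realm-name>

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("text/plain");
        response.getWriter().println("Logged out; enter new credentials to continue.");
    }
}
```

Point the "login" link at /logout rather than at the restricted page: the 401 makes the browser ask for credentials again, and what the user types replaces the stored pair for that realm. Going straight to the restricted URL, as in Problem 1, just replays the old header and lands on the 403 again.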

1 Answer


I think a filter can solve this problem: if a user does not have a role, redirect to the login page; otherwise he/she can access the resource on the server.

Shark
  • How would you test if the user has the correct role / roles or not? – Cristian Matthias Ambæk Jun 09 '17 at 14:31
  • Also, how would you call the filter and redirect the request before the requested resource is accessed and produces the HTTP-403? – Cristian Matthias Ambæk Jun 09 '17 at 18:59
  • Tomcat would call the filter when someone tries to access a resource that matches the `url-pattern` that you can configure in `web.xml`. – Shark Jun 10 '17 at 02:23
  • In my edit 2 of the original post I have tried to call the filter through the url-pattern for the restricted area, and no option I use lets me trigger the filter before the BASIC authentication. – Cristian Matthias Ambæk Jun 10 '17 at 12:33
  • When a user logs in, I call HttpSession.setAttribute(), so when a user tries to access resources I can tell if the user has the correct role. I don't know if I misunderstood your words. My English ....... poor – Shark Jun 10 '17 at 16:03