Good day. I’ve implemented JAAS authorization with FORMS authentication using Tomcat 7.0. When I try to access localhost:8080/Guestbook/secure/123.html I’m redirected to the authorization page. I authenticate and then I’m redirected to localhost:8080/Guestbook/secure/css/style.css, getting HTTP Status 404 – /Guestbook/secure/css/style.css. If I try to access the localhost:8080/Guestbook/secure/123.html resource again I can get it without being redirected to the authentication page. As I understand I get authorized but I’m not redirected to the resource from the first try. What happens indeed and what could be done to prevent such behavior? In my web.xml I have the following pieces of code.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Security test</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
<servlet-mapping>
    <servlet-name>FrontControllerServlet</servlet-name>
    <url-pattern>*.html</url-pattern>
</servlet-mapping>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>
I think when you are accessing localhost:8080/Guestbook/secure/123.html the browser is serving the HTML from the cache. And the HTML is using localhost:8080/Guestbook/secure/css/style.css, for which the request is made to the server. And you get that behaviour. I do not understand the necessity of securing static pages. But if you really want to secure them, send cache headers to the browser such that the browser does not cache the HTML and always makes a request to the server.
To disable caching static pages in browser send the following headers: