Quick little post to share the results of a day's worth of wasted effort. I was creating a tracer bullet prototype of a web application for a customer and was configuring the security using an LDAP server (Apache Directory Server and Apache Directory Studio - a very good combo). Having configured the LDAP server I set up form based security and pointed a browser at the web application. I first tested the failed login and sure enough I got the login error page. I tested the correct login and disaster - I got an HTTP 408 page from Tomcat telling me that the session had expired because I had taken to long to login.
I followed all the usual paths, I checked that the LDAP was authenticating correctly, I checked that the browser was handling cookies correctly, I looked at the Tomcat logs for any unexpected exceptions. I did a whole lot more.
Eventually, after building my own version of Tomcat with lots of trace, I found the problem. The Login JSP that I was using had a nasty little taglet that included a session invalidate command. After removing this everything worked correctly.
I must remember that when I reuse code from elsewhere in a project, I should check for any gotchas.
3 comments:
Man I wish mine was so simple. I've been banging my head against a wall with the same kind of 408 error using realm security.
It is only a problem in IE though. Any ideas what else to look at? I'm running out of ideas
My best suggestions would be first (if you haven't already done so) to download the Internet Explorer Developer Toolbar and inspect the session cookies before, during and after the failed login. Next I would download the Tomcat source and put in additional debugging to try an work out why a 408 is being returned (how I solved my problem).
Hey Bob
Seemed to be a frame problem. As the website is hosted on apache and the app is on tomcat I wanted to mask using the IP and was using a frame.
Removing the frame and increasing the timeout limit and hey presto
Post a Comment