Intermittent Indirect Reference to login page error

Hello,

I am building a small web app in a mixed (java/microsoft) environment. We have no budget for a purchased single sign on solution, so I built one with the following architecture:

ASP page with integrated windows security; this simply returns to the url passed in as 'URL' the client's current logon name.

This ASP page is called by the IntranetSSOServlet, which then builds and submits the vanilla logon page. This servlet is my logon page; it simply posts its URL to the ASP page, and if a return is posted from ASP, the logon page is built and submitted. The IntranetSSOServlet also sets a session variable called user to the current user's windows login.

I have two secure files, these are .jsp passthrough pages (since accessing the servlet directly did not appear to trip the security requirement and call the logon request from the server, so no users were ever in any roles). These are simple pages with a javascript redirect to the two servlets, and the jsp is only used because the servlets do not seem to trip the security requirement in the App server.

On my machine this works with no issues; single sign on is a success and all is well, and on the machine next to mine it works fine also. However, on several client machines, I keep getting an invalid direct reference to login page.

My question is this:

Does anyone see any major issues with the architecture which are causing this?

It appears that the browser on some clients is attempting to go 'Back'. Is this a standard function of any software packages (spyware, internet tracking software, etc.?)

I am building with Netbeans 5.0, running Embedded Tomcat 5.5.9, and the pages are all accessed via Windows XP/IE 6.

Again, what's weird is that this works fine on several workstations, but throws the invalid direct reference to login on others...

I am quite confused.

Code to follow:

IntranetSSOServlet (body of the request handler; out is the response's PrintWriter)

    if (request.getParameter("user") != null) {
        // The SSO submission has returned a validated user name:
        // remember it in the session, then post this name and the default
        // password to the logon. This servlet will become the logon page,
        // which will handle the redirects more easily.
        HttpSession session = request.getSession(true);
        session.setAttribute("user", request.getParameter("user"));
        // out.println(request.getParameter("user"));
        out.println("<form METHOD=\"POST\" name=\"form\" action=\"../Intranet-WebModule/j_security_check\">");
        // Generate a div to hide all of the input fields
        out.println("<div style=\"display:none;\">");
        out.println("<input type=\"text\" name=\"j_username\" value=\"" + request.getParameter("user") + "\"/>");
        out.println("<input type=\"password\" name=\"j_password\" value=\"sas\"/>");
        out.println("<input type=\"submit\" value=\"Submit\"/></div>");
        // Submit the hidden form automatically once the page has loaded
        out.println("</form><script language=\"javascript\">document.forms[\"form\"].submit();</script>");
    } else {
        // No user name yet: call the SSO submission page and have it return here
        out.write("<script language=\"javascript\">location.replace(\"http://HOSTNAME/SSO/SSO.asp?URL="
            + lookupIntranetGlobalsBean().getJSPSiteRoot() + "IntranetSSOServlet\");</script>");
    }
    out.close();

This servlet simply returns from the ASP a string (the user's logon) and then creates the post page, which posts a single dummy password to the app server.

JSP passthrough page (secured resource)

    <%@page contentType="text/html"%>
    <%@page pageEncoding="UTF-8"%>
    <%--
    <%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
    --%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <body>
    <script language="javascript">
        location.replace('http://HOSTNAME:8080/Intranet-WebModule/HRTools/newEmployeeAccountServlet');
    </script>
    </body>
    </html>

[4403 byte] By [FrustratedAndLearning] at [2007-11-14]
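A diagnostic filter, added here as an example and not code from the original post, that logs what Tomcat's FormAuthenticator needs at the moment the browser comes back from SSO.asp: whether the request still carries the session that was created when the protected page was first requested, since a POST to j_security_check without that session is what produces "Invalid direct reference to form login page". It assumes the filter is mapped to /IntranetSSOServlet in web.xml and that an init-param named protectedPage (an assumed name) holds the context-relative path of one of the secured .jsp pages.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Example filter, not part of the original post. Map it to /IntranetSSOServlet in web.xml and
// give it an init-param "protectedPage" (assumed name), e.g. "/HRTools/newEmployeeAccount.jsp".
public class SsoSessionCheckFilter implements Filter {
    private ServletContext ctx;
    private String protectedPage;

    public void init(FilterConfig cfg) throws ServletException {
        ctx = cfg.getServletContext();          // Servlet 2.4 (Tomcat 5.5): no getServletContext() on the request
        protectedPage = cfg.getInitParameter("protectedPage");
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession existing = r.getSession(false);   // look, but never create a session here
        boolean backFromSso = r.getParameter("user") != null;
        // Note: this only checks the session round-trip; it does not verify where the "user"
        // value came from, which the generated j_security_check form then trusts as-is.

        // FormAuthenticator only accepts a POST to j_security_check when the session created for the
        // original protected request (holding the saved request) is presented again. One log line per
        // visit shows, per client, whether that session survived the detour through SSO.asp.
        ctx.log("SSO check: host=" + r.getHeader("Host")
              + " requestedSessionId=" + r.getRequestedSessionId()
              + " valid=" + r.isRequestedSessionIdValid()
              + " fromCookie=" + r.isRequestedSessionIdFromCookie()
              + " backFromSso=" + backFromSso
              + " ua=" + r.getHeader("User-Agent"));

        if (backFromSso && existing == null && protectedPage != null) {
            // The ASP page sent the user back, but the browser presented no usable session cookie
            // (for example a different host name than the one the protected page was opened under,
            // or cookies blocked). Building and posting the form now would give exactly the
            // "Invalid direct reference" error, so start over at the protected page instead.
            ((HttpServletResponse) res).sendRedirect(r.getContextPath() + protectedPage);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Compare the logged host and fromCookie values between a workstation that works and one that fails; a differing Host header or valid=false on the failing client points at the session cookie not being sent back after the ASP redirect.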