I can not call sendError () after carrying out the answer

May 22, 2013 at 10:34 AM
Hello:

I'm trying to create a single sign-on web application with Waffle and I'm having problems with security. The requirement of my site is that only users who have a specific role can access it, but if a user does not belong to that role, when he tries to log in, the application has to load a login form to give him the chance to log in as another user.
To carry this out I was following the waffle-mixed-post example. I have an index.jsp with this code:
<body onload="doLogin()">
        <form method="POST" name="loginform" id="loginform" action="private/loadMainPage">
            <input type="hidden" name="j_negotiate_check"/>
        </form>
    </body>
As you can imagine, the JavaScript doLogin function submits the form.
This is my web.xml:
<resource-ref>
    <description>Conexion a BD de tomacat</description>
    <res-ref-name>jdbc/asisa</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
</resource-ref>
<servlet>
    <servlet-name>AsisaFileUpload</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>AsisaFileUpload</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<security-constraint>
    <display-name>Waffle security constraints</display-name>
    <web-resource-collection>
        <web-resource-name>Protected area</web-resource-name>
        <url-pattern>/private/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USERSAD\aferrere</role-name>
        <!--<role-name>DOMASISA\GG_FTP_AD</role-name>-->
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Login Page</display-name>
    <web-resource-collection>
        <web-resource-name>Unprotected Login Page</web-resource-name>
        <url-pattern>/login</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-role>
    <role-name>USERSAD\aferrere</role-name>
    <!--<role-name>DOMASISA\GG_FTP_AD</role-name>-->
</security-role>


<error-page>
    <error-code>401</error-code>
    <location>/error_login</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/login</location>
</error-page>

<login-config>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/wrongLogin</form-error-page>
    </form-login-config>
</login-config>
The web site works fine at first; I mean, if a user without the right role tries to log in, the login form is loaded, but the login form allows access to all users. It seems that the security-constraint doesn't work the second time. The login form looks like this:
<body>
    <% 
        session.invalidate();
    %>
    <table cellspacing="0" cellpadding="0" class="tablacabecera">
            <tr>
                <td class="escudo">
                    <font size="1">
                        <img src="<c:url value='/resources/images/gif/asisa.gif'/>" />
                    </font>
                </td>
                <td class="area" align="center">
                    <h3></h3>
                </td>
                <td class="unidad">
                    Usuario<br>
                    <font color="blue" size="+2"><b><c:out value="${usuario}"/></b></font>
              </td>
            </tr>
            <tr>
                <td colspan="3" class="fondopuntos">
                    &nbsp;
                </td>
            </tr>
        </table>
    <div id="contenedora">
        <div class="arriba">
            <div class="abajo">
                <c:if test="${tipo == 'exito'}">
                    <h1 class="exitos" style="color:#008D00">${mensaje}</h1>
                </c:if>
                <c:if test="${tipo == 'error'}">
                    <h1 class="errores" style="color:#cc0000">${mensaje}</h1>
                </c:if>
                <c:if test="${tipo == '' }">
                    <h1 class="errores" style="color:#cc0000">${mensaje}</h1>
                </c:if>
                <div id="contenido">
                    <form method="POST" name="loginform" action="loadMainPage">
                        <div class="contenido-formulario">
                            <div class="campos" style="text-align:center;">
                                <table align="center">
                                    <tr>
                                        <td><label for="j_username">Usuario:</label></td>
                                        <td><input type="text" size="24" maxlength="30" name="j_username" id="j_username"/></td>
                                    </tr>
                                    <tr>
                                        <td><label for="j_password">Password:</label></td>
                                        <td><input type="password" size="24" maxlength="15" name="j_password" id="j_password"/></td>
                                    </tr>
                                    <tr>
                                        <td>&nbsp;</td>
                                        <td>&nbsp;</td>
                                    </tr>
                                    <tr>
                                        <td align="right"><input type="submit" name="1" value="Entrar" class="boton"></td>
                                        <td align="left"><input type="reset" name="Reset" value="Borrar" class="boton"></td>
                                    </tr>
                                </table>
                            </div>
                        </div>
                        <input type="hidden" name="j_security_check"/>
                    </form>
                </div>
            </div>
        </div>
    </div>
</body>
I'm running the software in Tomcat 6.0. The Tomcat log gives me the following message:
SEVERE: Error processing request
java.lang.IllegalStateException: I can not call sendError () after carrying out the answer
    at org.apache.catalina.connector.Response.sendError(Response.java:1292)
    at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:845)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:545)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
(The log was in Spanish so I apologize if the translation is not clear)
Could someone help me?

Thank you in advance for your help.
Coordinator
May 22, 2013 at 11:23 AM
WAFFLE HAS MOVED TO GITHUB

DON'T POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.