#1
HELP!! form based authentication Qs
I'm trying to access my web pages with form-based authentication (HTTPS), but I always get the same message: Invalid direct reference to form login page

The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).

Inside my web.xml, I put my login.jsp as the main page for the project folder (project/login.jsp).... Initially I put index.jsp, but the login.jsp file will appear as the main page, which I do not want. I only want to protect the /project/admin/* .

**************WEB.XML***************************************

<!-- Project main page mapping -->
<context-param>
  <param-name>project</param-name>
  <param-value>/project/login.jsp</param-value>
</context-param>

<!-- Add Project input and output pages mappings -->
<context-param>
  <param-name>addProj</param-name>
  <param-value>/project/admin/addProj.jsp</param-value>
</context-param>
<context-param>
  <param-name>addProj1</param-name>
  <param-value>/project/admin/addProj1.jsp</param-value>
</context-param>
<context-param>
  <param-name>addProj2</param-name>
  <param-value>/project/admin/addProj2.jsp</param-value>
</context-param>
.......................
........................

<!-- Security constraint 3 - project/role2-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin only</web-resource-name>
    <url-pattern>/project/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>tomcat</role-name>
    <role-name>superuser</role-name>
    <role-name>role2</role-name>
  </auth-constraint>
  <!-- HTTPS/SSL-->
  <!--
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  -->
</security-constraint>

<!-- Login configuration -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>project/login.jsp</form-login-page>
    <form-error-page>project/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Security roles -->
<security-role>
  <description> Superuser can access any page </description>
  <role-name>superuser</role-name>
</security-role>
<security-role>
  <description> role1 can access only pages in folder /employee </description>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <description> role2 can access only pages in folder /project </description>
  <role-name>role2</role-name>
</security-role>

********************project/login.jsp*****************

<%-- login.jsp --%>
<%@ page errorPage="/error.jsp" %>
<HTML>
<HEAD>
<TITLE>Login page</TITLE>
</HEAD>
<BODY>
<!-- Header -->
<%@ include file="headerLogin.html"%>
<!-- Body -->
<TABLE WIDTH="100%">
<TR HEIGHT="400">
<!-- Menu column -->
<TD WIDTH="20%" BGCOLOR="#003366" VALIGN="TOP">
<!-- Menu column -->
<%@ include file="/menu00.html"%>
</TD>
<TD VALIGN="TOP">
<!-- Put your contents between these comment lines -->
<%@ include file="login.jsf"%>
<!-- Put your contents between these comment lines -->
</TD>
</TR>
</TABLE>
<!-- Footer -->
<%@ include file="/footer.html"%>
</BODY>
</HTML>

************************project/login.jsf*****************

<%--
login.jsf
Adapted from Tomcat %CATALINA_HOME%\webapps\examples\jsp\security\protected\login.jsp
--%>
<html>
<head>
<title>Login Page</title>
<body bgcolor="white">
<!--
<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
-->
<form method="POST" action="j_security_check" >
<table border="0" cellspacing="5">
<tr>
<th align="right">Username:</th>
<td align="left"><input type="text" name="j_username"></td>
</tr>
<tr>
<th align="right">Password:</th>
<td align="left"><input type="password" name="j_password"></td>
</tr>
<tr>
<td align="right"><input type="submit" value="Log In"></td>
<td align="left"><input type="reset"></td>
</tr>
</table>
</form>
</body>
</html>

*********************project/index.jsp******************

<%-- index.jsp --%>
<%@ page errorPage="error.jsp" %>
<HTML>
<HEAD>
<TITLE>Main project page</TITLE>
</HEAD>
<BODY>
<!-- Header -->
<%@ include file="/header.html"%>
<!-- Body -->
<TABLE WIDTH="100%">
<TR HEIGHT="400">
<!-- Menu column -->
<TD WIDTH="20%" BGCOLOR="#003366" VALIGN="TOP">
<!-- Menu column -->
<%@ include file="admin/menu02.html"%>
</TD>
<TD VALIGN="TOP">
<!-- Put your contents between these comment lines -->
<%@ include file="index.jsf"%>
<!-- Put your contents between these comment lines -->
</TD>
</TR>
</TABLE>
<!-- Footer -->
<%@ include file="/footer.html"%>
</BODY>
</HTML>

*********************project/index.jsf******************

<%--
index.jsf
Adapted from Tomcat %CATALINA_HOME%\webapps\examples\jsp\security\protected\index.jsp URL
--%>
<%
if (request.getParameter("logoff") != null) {
    session.invalidate();
    response.sendRedirect("index.jsp");
    return;
}
%>
<html>
<head>
<title>Protected Page</title>
</head>
<body bgcolor="white">
<!-- Login info -->
<H3>Login details</H3>
You are logged in as remote user <b><%= request.getRemoteUser() %> </b>in session <b><%= session.getId() %></b>
<BR>
<%
if (request.getUserPrincipal() != null) {
%>
Your user principal name is <b><%= request.getUserPrincipal().getName() %></b>
<%
} else {
%>
No user principal could be identified.
<%
}
%>
<BR>
<BR>
<!-- Role info -->
<H3>Role info</H3>
<%
String role = request.getParameter("role");
if (role == null)
    role = "";
if (role.length() > 0) {
    if (request.isUserInRole(role)) {
%>
You have been granted role <b><%= role %></b>
<BR>
<%
    } else {
%>
You have <i>not</i> been granted role <b><%= role %></b>
<BR>
<%
    }
}
%>
To check whether your username has been granted a particular role, enter your username and press enter:
<!--
<form method="GET" action='<%= response.encodeURL("index.jsp") %>'>
-->
<form method="GET" action="index.jsp">
<input type="text" name="role" value="<%= role %>">
</form>
<BR>
<BR>
<!-- Logout -->
<H3>Logout</H3>
If you have configured this application for form-based authentication, you can log off by clicking
<!--
<a href='<%= response.encodeURL("index.jsp?logoff=true") %>'>here</a>.
-->
<a href="index.jsp?logoff=true">here</a>.
<BR>
This will redirect you to the login page.
</body>
</html>

****************************************************************

It can only work if I change the security constraint to protect the whole application. And the first main page will be login.jsp (I do not want this). And I only want to protect my project/admin/*, not /* .

<!-- Security constraint 3 - project/role2-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
........................

<!-- Project main page mapping -->
<context-param>
  <param-name>project</param-name>
  <param-value>/project/admin/index.jsp</param-value>
</context-param>
....................
...................

Why does this happen? Why can't it access project/index.jsp if I do not protect the whole application? How can I log in to my page directly from the login page (and not the 1st page) and protect only my project/admin/* ?
#2
Hi baggiolee, welcome to the forums!
Please don't spam different boards with the same question:
Post in Security
Post in Java Servlets & JSP
Regards
__________________
There are 10 types of people in this world - those who understand binary and those who don't...
#3
It's because you access your login page directly. If you type in a protected URL, the login form will return.
This behaviour is too bad because it prevents me from having a login form on non-protected pages (e.g. homepage).
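
A web.xml fragment for the layout discussed in this thread, added here as an example and not taken from any of the posts: only /project/admin/* is protected, the entry page stays public, and login.jsp is reached only when the container forwards to it after a request for a protected URL. The page paths are the ones from the question; enabling the HTTPS constraint and declaring the tomcat role are assumptions about the intended setup.

```xml
<!-- Added example, not the original poster's file. -->

<!-- Entry point stays on the public page. Its menu links go to
     /project/admin/... URLs, never to login.jsp itself; the container
     shows login.jsp on the first request to a protected URL. -->
<context-param>
  <param-name>project</param-name>
  <param-value>/project/index.jsp</param-value>
</context-param>

<!-- Protect only the admin area; everything else is left public -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin only</web-resource-name>
    <url-pattern>/project/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
    <role-name>superuser</role-name>
    <role-name>role2</role-name>
  </auth-constraint>
  <!-- Assumption: HTTPS is wanted, so j_username/j_password are
       never posted in clear text -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Paths are relative to the context root and start with "/" -->
    <form-login-page>/project/login.jsp</form-login-page>
    <form-error-page>/project/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in the auth-constraint is declared -->
<security-role><role-name>tomcat</role-name></security-role>
<security-role><role-name>superuser</role-name></security-role>
<security-role><role-name>role2</role-name></security-role>
```

With this layout a visitor opens /project/index.jsp without logging in, and following a link to /project/admin/index.jsp triggers the login form and then returns to the requested admin page.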