How to secure my page

 
I have a login.jsp; if we provide the correct userid/password it throws the user to, say, some homepage.jsp.

http://localhost:9080/Test_Application/login.jsp will throw to, say, the page
http://localhost:9080/Test_Application/homepage.jsp?usid="admin"&pwd="123"
No problem till now.

Now if I directly try to open
http://localhost:9080/Test_Application/homepage.jsp?usid="admin"&pwd="123"
it opens perfectly.

What I want, as the homepage is coming through a validation of userid/password, is that no one should come directly to homepage.jsp.
They should be redirected to login.jsp and asked for userId/password.
How can I do it? I am using WebSphere Application Server.
 
Several points to note:

- Don't put security logic into a JSP, put it into a servlet.

- Never use (or even allow) GET for passwords; use POST instead.

- The standard way to implement authentication is to use servlet security, as defined by the servlet spec.
[ August 04, 2008: Message edited by: Ulf Dittmer ]
 
Monoj Roy
I have read the suggested article.
Here below is my web.xml:


and loginForm.html is as follows:


Following is my first page:


When I am clicking on the following link
<p>Request a secure page <a href="secure/securepage.html">here!</a></p>

it is pointing me to the secure page, not even asking for a login. Can anybody help me where I am wrong? I am using WebSphere Application Server
WSAD 5.1.2
 
Ulf Dittmer
<url-pattern>s that are not extensions (like *.jsp) must start with a slash; in other words, they must be absolute, not relative.
 
Monoj Roy
I have tried with the following but none of them is working:

try1: <url-pattern>/secure</url-pattern>

try2: <url-pattern>/secure/*</url-pattern>

try3: <url-pattern>/secure/*.html</url-pattern>

Most importantly, I am not getting the idea of action="j_security_check".
Is this an inbuilt action? Is this action forced to look into the web.xml for a <security-constraint>, and if so, then how does it map to the loginForm in the <login-config>? There must be a mapping between the action and <security-constraint> and <login-config>. I can have several jsps/htmls and their forms, but which one to map?

As I am new to this security world and learning it, please help.
 
Ulf Dittmer
Both the first and the second form you used will work when the web.xml file is set up correctly; the third will not work no matter what (you can only either use path mapping or extension mapping).

You can only have a single login form that is used for all URLs you have set up to be protected. The j_security_check action is built into the servlet container, and it will make sure that the login credentials you entered are valid. If they are, it will redirect the user to the URL originally requested.

What does "none is working" mean? What URL are you accessing, and what is happening? How have you set up security? Post the relevant excerpt from web.xml.
 
Monoj Roy
Thanks for the reply.
Here all the details are listed.

In my WebContent folder there is a folder named secure, and inside it I have
put one html named securepage.html.

I also have created three htmls which are in the root (in the same directory as WebContent). They are index.html, LoginError.html, and LoginForm.html.

Now in index.html I have a link to secure/securepage.html as follows
<p>Request a secure page <a href="secure/securepage.html">here!</a></p>
So it should go to securepage.html when I click on the link (the word "here").

What I am expecting now, as I am requesting a page from the folder secure, which is secured as set up in the web.xml as follows, is that it should open the loginForm.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>Security constraint for resources in the secure directory</description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>

  <auth-constraint>
    <description>only let the system user login</description>
    <role-name>admin</role-name>
  </auth-constraint>

  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

My loginForm is not opening; instead it opens the securepage.html, which I don't want.
 
Ulf Dittmer
Do you have a <login-config> element in your web.xml?

You might want to read through this introductory article; it explains all these concepts.
 
Monoj Roy
More specifically, the problem is:

http://localhost:9080/logintest/index.html
is redirected to the following
http://localhost:9080/logintest/secure/securepage.html

It is not opening the loginForm.html in between, and not
validating the login credentials.
 
Ulf Dittmer
So what's the answer to my question?
 
Monoj Roy
Yes, I am using that. I have even created the sample application from the
site you have referred to. Here below is the total web.xml:

 
Hello.

I'd like to know how to use security with users in a DB. I mean, all four specs (basic, digest, form and client-cert) for security are always described to be used with the users in tomcat-users.xml (or a similar file). But I want to set the configuration so that it can take the users from a database.

What I don't want either is to control the access with my own code. I want Tomcat to control the access, but I want my code to authenticate users and tell Tomcat "Yes, let her/him in" or "No. Show login page".

Thank you very much.

Antonio
 
Ulf Dittmer
The details for Tomcat are described in http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
You can either use a JDBCRealm or a DataSourceRealm.

What I don't want either is to control the access with my own code. I want tomcat to control the access, but I want my code to authenticate users and tell Tomcat "Yes, let her/him in" or "No. Show login page".


The way realms work is that they look up user/password info somewhere (in a DB for the realms I mentioned), and that you don't have to code anything. I don't understand where (and why) you want to hook code of yours into this process.

It's certainly possible if you want to - you can write a class that extends one of the Realm classes, and have that do anything you want it to do. But it's not generally necessary, and if for some reason it is, you may be better off not using the Realm functionality at all and implementing security completely in your code. It's not that much work.

Forgive my horrible English, I'm Spanish.


I don't think it's horrible at all. (Of course, not being a native English speaker myself, who am I to judge that?)
[ August 29, 2008: Message edited by: Ulf Dittmer ]
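Ulf's pointer to realms, worked out as an added example (not from the thread or the Tomcat docs): a DataSourceRealm for Tomcat 5.5 in the application's META-INF/context.xml, authenticating against an existing users table; the table and column names, the MySQL driver and the DB account are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application (Tomcat 5.5 syntax; assumed layout) -->
<Context>
  <!-- Pooled JNDI DataSource. The same pool serves the realm and the
       application's own queries, so one set of DB credentials is kept here.
       Grant this DB account SELECT on the two tables below and nothing more. -->
  <Resource name="jdbc/UsersDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://localhost:3306/appdb"
            username="app_auth" password="CHANGE_ME"
            maxActive="10" maxIdle="4" maxWait="5000"/>

  <!-- Tomcat authenticates against the existing tables users(login, pw_hash)
       and user_roles(login, role); no application code is involved. The
       username column must have the same name in both tables because the
       realm joins on it. localDataSource="true" resolves the name in this
       context's java:comp/env instead of the global naming context.
       digest="SHA" means pw_hash holds the hex SHA-1 of the password rather
       than clear text; Tomcat 5.5 realms do not salt, which is a known limit. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/UsersDB"
         localDataSource="true"
         userTable="users" userNameCol="login" userCredCol="pw_hash"
         userRoleTable="user_roles" roleNameCol="role"
         digest="SHA"/>
</Context>
```

Once the container has authenticated a request this way, request.getRemoteUser() returns the login and request.isUserInRole(...) answers from the roles loaded at login, so the application needs no second lookup just to learn who is logged in.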
 
Antonio Fornie
Thank you very much. Well, I don't need the code to be mine; in fact I'd rather not code, as long as I can use my user's table without changing anything.

I was looking for something similar to what you can do with Spring (JdbcDaoImpl): you use your own tables, and you only have to say how to access them (with a query) in order to adapt to what Spring needs. But I wanted to be able to use basic, digest...

Anyway, I've been reading your link and that's exactly what I need. I wasn't sure it existed. Thank you very much

Antonio
 
Antonio Fornie
Please. I've got another question.

I've used a "org.apache.catalina.realm.JDBCRealm" and it's working perfectly. I only had to configure my table and column names and the rest is almost done.

But the problem is, Tomcat is accessing my database, retrieving the user and keeping in session some kind of information related to the user. But the rest of the application will need the user too (I have to show in the menus only the sales of the user).

I don't want that first Tomcat accesses the database and later, in the same request, my code accesses the database again to retrieve the same data. Is there a way I can access the DB only once? Is there a way to access the info Tomcat stores in session?

That's absolutely necessary. Otherwise I'd have to ask the user to log in once again, as I know the user is logged in but I don't know which user it is.

Thank you very much.

Antonio
 
Ulf Dittmer
That's what the HttpServletRequest.getRemoteUser method tells you. The HttpServletRequest.isUserInRole method may also be of interest.
 
Antonio Fornie
Thank you very much. That's all I needed.
 