Servlet User Roles

Tom W
Posts: 1
I am trying to get a simple servlet up and running on Tomcat 3.3 using user roles/permissions as practice revision for the SCWCD.
Does anyone know of any simple examples on the web - or an easy step by step guide of each element of the servlet deployment descriptor?
Any help would be greatly appreciated
Chintan Rajyaguru
Ranch Hand
Posts: 341
Hi Tom,
You have the exact same issue as I do. I am working on error handling and security and looking for some resources on the web. I have not found any resources yet. However Java Servlet Programming (oreilly) by Jason Hunter and William Crawford explains security very nicely. I don't think the security chapter is available on the internet for free. I would go to bookstore such as Barnes and Nobles and read one chapter there (just an idea).
I would love to see more responses here. Please let me know if you find something.
Ashik Uzzaman
Ranch Hand
Posts: 2373
I'm now using this simple form-based authentication and would like to join you two guys' search. But temporarily you can use the following:
The HTML page (loginScreen2.html) used to invoke the login servlet...

And source code for LoginServlet.java

Waiting for the reply how to configure web.xml or tomcat 4 a user role creation...

Muhammad Ashikuzzaman (Fahim)
Sun Certified Programmer for the Java 2 Platform
--When you learn something, learn it by heart!
Carl Trusiak
Posts: 3341
Well, you can use the manager application that comes with Tomcat 4 as a brief example. Most of the work is done for you by the servlet engine. The two things you need to do to protect your application are:
1) Include a security constraint in your web.xml. The one with manager application is:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
This tells the servlet engine that everything under manager requires HTTP Basic Authentication prior to viewing. It also states that the person logging in must belong to the manager role.
As for establishing users and roles, there are a couple of ways. The easiest is to modify the tomcat-users.xml under the <TOMCAT_HOME>/conf directory and include an entry for your user. As you see by the web.xml entry above, the comment tells you that a manager hasn't been defined, and you will see this in tomcat-users.xml. Add an entry such as:
<user name="admin" password="admin" roles="manager" />
And when you go to the manager application, you are greeted with the login popup. Logging in with admin, admin will allow you to access the manager application.
Also if you examine the tomcat-users.xml, you'll see that a user can belong to multiple roles.

I Hope This Helps
Carl Trusiak, SCJP2, SCWCD
Ashik Uzzaman
Ranch Hand
Posts: 2373
Hi Tom & Carl,
There are two approaches for securing your web applications. They are ---- programmatic security & declarative security. The former is implemented by the developer through programming/coding for the particular application. The latter approach is offered by J2EE and is implemented by the web container. There can be four types of declarative security mechanism. They are ----
(a) HTTP basic authentication, (b) HTTP digest authentication, (c) HTTP client or client-cert authentication (through SSL/HTTPS) and (d) Form-based authentication.

I gave you earlier an example code of programmatic security. And now here is the form-based authentication (option d) in Tomcat 4. I'm giving my web.xml file that needs to be configured together with the tomcat-users.xml file. When a user comes to my site for the first time he will automatically be challenged by a request/response page for username & password. Once he gives username "ashik" & password "java" he'll never be asked the challenge again in this session.

NOTE: By default, no user is included in the "manager" role required
to operate the "/manager" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="ashik" password="java" roles="admin" />
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
Sun Certified Web component developer (SCWCD)

<web-resource-name>Entire Application</web-resource-name>
<description>Testing Form-based Authentication in Tomcat 4</description>
<description>Cookie Servlet Administrator</description>
<description>Registered Members</description>

And the login.html that resides under my ashik4u context is like this -----

<html>
<head>
<title>Container's Login Authentication</title>
</head>
<body bgcolor=#e0d0c0 text=blue>
<h1>Please Login</h1>
<form action="j_security_check" method=post>
<table bgcolor=#e3d2c1 border=0 width="30%" cellspacing=3 cellpadding=2>
<tr><td><input type=text size=20 name="j_username"></td></tr>
<tr><td><input type=password size=10 name="j_password"></td></tr>
<tr><td><p><input type=submit value="Sign in"></td></tr>
</table>
</form>
</body>
</html>

And yeah, you must already know the meaning of j_security_check, j_username & j_password....
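A complete Servlet 2.3 deployment descriptor that ties together Carl's security-constraint and Ashik's form-based login, added here as a constructed example (it is not a file from either post). The /admin/* pattern, the /login.html and /login-error.html paths and the display name are assumptions; the "manager" role is the one used above and must also appear in the roles attribute of a user in conf/tomcat-users.xml.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Role demo (constructed example)</display-name>

  <!-- Element order matters under the 2.3 DTD: security-constraint
       comes before login-config, which comes before security-role. -->

  <!-- 1. WHAT is protected: every URL under /admin/ (assumed path).
       No http-method is listed on purpose: listing GET and POST would
       constrain only those two and leave HEAD, PUT, etc. unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <!-- WHO may get in: only callers the realm places in "manager". -->
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container redirect to HTTPS before the
         login form is served, so j_password is not posted in clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. HOW the user is challenged: FORM instead of the BASIC popup.
       /login.html is the page shown above; it must post j_username and
       j_password to the container-reserved action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Role demo</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- 3. Declare every role referenced by an auth-constraint or by
       request.isUserInRole() in programmatic checks. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

A matching tomcat-users.xml entry is the one-liner Carl shows above, with roles="manager"; a user whose roles attribute lacks that name is authenticated by the form but still receives a 403 for /admin/*.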