Problem understanding Security-Constraint

 
Hi All,
I am trying to constrain access to a file jstlChoose.do, which is a JSP that I have mapped to jstlChoose.do in web.xml.
As per HFSJ, the <security-constraint> element in web.xml does this job. I did the following in my web.xml:
--------------------------------------------------------------------------
<security-constraint>
<web-resource-allocation>
<web-resource-name>JSTL Choose</web-resource-name>
<url-patterns>/jstlChoose.do</url-patterns>
<http-method>GET</http-method>
</web-resource-allocation>
<auth-constraint>
<role-name>admin</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>admin</role-name>
<role-name>manager</role-name>
<role-name>guest</role-name>
</security-role>

-------------------------------------------------------------

Now, if I understand correctly, only admin and manager are allowed to call the GET method on jstlChoose.do, but when I try to access this file using

http://localhost:8080/TestJSP/jstlChoose.do

I am still able to see the result.
Am I doing something wrong? Do I have to set some variable to a user role first and then try accessing this file? I am really confused...
Any help is welcome,

Regards,

Sushma
 
Hi,

Your web.xml entries.

<security-constraint>
<web-resource-allocation>
<web-resource-name>JSTL Choose</web-resource-name>
<url-patterns>/jstlChoose.do</url-patterns>
<http-method>GET</http-method>
</web-resource-allocation>
<auth-constraint>
<role-name>admin</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>admin</role-name>
<role-name>manager</role-name>
<role-name>guest</role-name>
</security-role>



Please make the corrections in the above as follows. It should run:

<security-constraint>
<web-resource-collection> <!-- It should be collection, not allocation -->
<web-resource-name>JSTL Choose</web-resource-name>
<url-pattern>/jstlChoose.do</url-pattern> <!-- url-pattern, singular -->
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<!-- Make separate entries, otherwise it is not valid. -->
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>guest</role-name>
</security-role>


Thanks
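The corrections above can be checked mechanically. The following is an added example, not code from the thread and not a Tomcat tool: it parses a web.xml fragment with Python's standard library and reports the mistakes discussed here (the misspelled element names, a <security-role> holding more than one <role-name>) plus one caveat a reviewer would raise: an <http-method> list narrows the constraint to exactly those methods, so requests using any other method are not constrained at all. The two sample documents are constructed from the thread's fragment.

```python
"""Static check of the security sections of a web.xml (servlet 2.4 element names).

Added example, not code from the thread. Flags unknown child elements, a
<security-role> without exactly one <role-name>, a collection with no
<url-pattern>, and an <http-method> list (which leaves other methods open).
"""
import xml.etree.ElementTree as ET

# Child elements the servlet 2.4 deployment descriptor defines for each parent.
ALLOWED_CHILDREN = {
    "security-constraint": {"display-name", "web-resource-collection",
                            "auth-constraint", "user-data-constraint"},
    "web-resource-collection": {"web-resource-name", "description",
                                "url-pattern", "http-method"},
    "auth-constraint": {"description", "role-name"},
    "security-role": {"description", "role-name"},
}


def local_name(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def check_security(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():  # document order
        name = local_name(elem.tag)
        if name not in ALLOWED_CHILDREN:
            continue
        for child in elem:
            child_name = local_name(child.tag)
            if child_name not in ALLOWED_CHILDREN[name]:
                findings.append(f"<{name}> contains unknown element <{child_name}>")
        if name == "security-role":
            roles = [c for c in elem if local_name(c.tag) == "role-name"]
            if len(roles) != 1:
                findings.append(
                    f"<security-role> must hold exactly one <role-name>, found {len(roles)}")
        if name == "web-resource-collection":
            patterns = [c for c in elem if local_name(c.tag) == "url-pattern"]
            methods = [c.text.strip() for c in elem if local_name(c.tag) == "http-method"]
            if not patterns:
                findings.append("<web-resource-collection> has no <url-pattern>; it protects nothing")
            if methods:
                findings.append(
                    f"<http-method> restricts this constraint to {methods}; other methods are unconstrained")
    return findings


# Constructed sample: the first post's fragment, wrapped in a <web-app> root so it parses.
BROKEN = """<web-app>
<security-constraint>
<web-resource-allocation>
<web-resource-name>JSTL Choose</web-resource-name>
<url-patterns>/jstlChoose.do</url-patterns>
<http-method>GET</http-method>
</web-resource-allocation>
<auth-constraint><role-name>admin</role-name><role-name>manager</role-name></auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
<role-name>manager</role-name>
<role-name>guest</role-name>
</security-role>
</web-app>"""

# Constructed sample: the same constraint with the element names corrected.
FIXED = """<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>JSTL Choose</web-resource-name>
<url-pattern>/jstlChoose.do</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint><role-name>admin</role-name><role-name>manager</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>
<security-role><role-name>guest</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label)
        for finding in check_security(doc) or ["no findings"]:
            print("  -", finding)
```

Run against the broken fragment it reports the unknown <web-resource-allocation> and the three-role <security-role>; the misspelled <url-patterns> is not reported separately only because its parent is already unknown. Against the corrected fragment the one remaining finding is the GET-only <http-method>, which is worth deciding on deliberately rather than by accident.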
 
Sushma Sharma
Hi Narendra,

Thank you for pointing out my blunders. I made the changes and tried to run the code, but even now the results are the same.
I am still able to get the results of jstlChoose.do just by typing the URL in my browser. It doesn't ask me for any user name or password...
What is going wrong?

Regards,
Sushma
 
Narendra Dhande
Hi,

I had tested this stuff on Tomcat (5.0.28). To get the auth mechanism to work, I am running Tomcat with the security option on (I really don't know why it is required). Also I have defined the roles and users in the tomcat-users.xml file. I heard that the Realm used in the latest version is set to something other than the memory realm (some JNDI name), so check your Tomcat server.xml file for the setup. You may be required to change the default realm type. Otherwise there is no error in the web.xml; it should work.

Thanks
 
Sushma Sharma
Hi,

Could you please tell me how to turn the "security option" on... I am really not aware of it. I have added admin and manager roles in tomcat-users.xml, but it was still behaving the same.
I did check server.xml and it has the old memory realm commented out and a global JNDI realm is there now. I don't know what a "Realm" is and what difference it makes to our application. Could you explain a little?

Thanks in advance,

Regards,
Sushma
 
Narendra Dhande
Hi,

I cannot explain the realm in technical terms, but a realm is a context in which your password mechanism is bounded. There are different realms defined in the server.xml which use JNDI names, or JDBC. These realms use a database to store the usernames, passwords and roles. To use these you have to go through the server documentation. The default realm is the memory realm, which stores all this information in memory and reads the information from the tomcat-users.xml file. To run Tomcat with the security option, while starting Tomcat add the -security command line option after the executable file. See the online documentation provided with Tomcat. The default Tomcat /admin or /application application managers use the security option. You can look into the web.xml for these applications. But I am really confused why the security option is required to run the auth mechanism.

Thanks
 
Narendra Dhande
Hi,

There is really a problem using the security mechanism. I was trying to test the above using Tomcat 5.5.7 on an XP machine with Service Pack 2. It worked one time correctly with the security option on and then there was no authentication screen. A few minutes later the Tomcat server crashed. There is really something wrong with Tomcat on XP. In the last month I have reinstalled Tomcat at least 3 times. So I installed Tomcat 5.5.7 on another machine running Win 2000. The above web.xml is working fine. It displays the proper Basic auth screen. I think there is really a problem with the firewall which comes with XP SP2. It is unnecessarily blocking some modules and popups.

I had made no change in the server.xml and am running Tomcat in normal mode on Win 2000, and it is working fine. The only change in the above web.xml is that I used the standard user names and roles which are already present in the tomcat-users.xml file.

Can somebody explain what the actual problem with Tomcat and XP is? Are any changes required in the firewall settings?

Thanks
 
Sushma Sharma
Hi,
I am using Tomcat 5.0.28 on a Windows Server 2003 and even after using the -security option, I didn't get any authentication screen, and now I don't know what to do. I haven't tried it with the standard user names and roles, but I shall try that now.

Regards,

Sushma
 
Narendra Dhande
Hi,

This is the web.xml I tested.

<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>

For any JSP it shows me the BASIC auth screen.

Thanks
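To make the realm explanation earlier in the thread and this working web.xml concrete, here is an added example that is not the thread's code and not Tomcat's implementation. It simulates the decision a container makes for one request: a constructed web.xml combining the *.jsp constraint above with the corrected GET-only /jstlChoose.do constraint from the first post, a constructed tomcat-users.xml-style user table in the memory-realm format (user names and passwords are example values), and a Basic Authorization header. The result is whether the request is served, challenged (401) or refused (403). The second constraint, the users and the simplified matching rules are assumptions made for illustration.

```python
"""Simulate a servlet container's authorization decision for one request.

Added example, not the thread's code and not Tomcat's implementation. The
descriptor, the user table and the passwords below are constructed for the demo.
"""
import base64
import hmac
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}

# Constructed descriptor: the thread's final *.jsp constraint plus the corrected
# /jstlChoose.do constraint from the first post (GET only).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSTL Choose</web-resource-name>
      <url-pattern>/jstlChoose.do</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed memory-realm user table; passwords are example values only.
TOMCAT_USERS = """<tomcat-users>
  <user username="tomcat" password="tomcat-example" roles="tomcat"/>
  <user username="admin" password="admin-example" roles="admin,manager"/>
  <user username="bob" password="bob-example" roles="guest"/>
</tomcat-users>"""


def url_matches(pattern, path):
    """Servlet-style matching on the context-relative path: exact, /dir/* prefix, or *.ext."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def load_constraints(xml_text):
    """Return (url_patterns, http_methods, required_roles) for each constraint with an <auth-constraint>."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("j2ee:security-constraint", NS):
        auth = sc.find("j2ee:auth-constraint", NS)
        if auth is None:  # no auth-constraint means no role restriction; skipped here
            continue
        wrc = sc.find("j2ee:web-resource-collection", NS)
        patterns = [p.text.strip() for p in wrc.findall("j2ee:url-pattern", NS)]
        methods = {m.text.strip() for m in wrc.findall("j2ee:http-method", NS)}
        roles = {r.text.strip() for r in auth.findall("j2ee:role-name", NS)}
        out.append((patterns, methods, roles))
    return out


def load_users(xml_text):
    """Map username -> (password, set of roles) from a tomcat-users.xml-style document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): (u.get("password"), set(u.get("roles", "").split(",")))
            for u in root.findall("user")}


def basic_header(user, password):
    """Build the Authorization header a browser sends after the BASIC prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Return (user, password) from a Basic header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, sep, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    return (user, pw) if sep else None


def authorize(constraints, users, method, path, auth_header=None):
    """Return 'allowed', '401' (credentials missing or wrong) or '403' (wrong role)."""
    required, matched = set(), False
    for patterns, methods, roles in constraints:
        # An empty methods set means the constraint applies to every HTTP method.
        if any(url_matches(p, path) for p in patterns) and (not methods or method in methods):
            matched, required = True, required | roles
    if not matched:
        return "allowed"  # no constraint covers this method+path
    creds = decode_basic(auth_header)
    if creds is None:
        return "401"
    user, pw = creds
    if user not in users or not hmac.compare_digest(users[user][0], pw):
        return "401"
    return "allowed" if users[user][1] & required else "403"
```

Two points the simulation makes visible: constraints are matched against the requested URL, not the JSP file behind it, so a `*.jsp` pattern does not cover `/jstlChoose.do` (the mapping the first post used), and a constraint that lists only GET leaves a POST to the same path unchallenged.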
 