
form-based authentication

 
Bhavna Jharbade
Ranch Hand
Posts: 69
Hi all,
I want to implement form-based authentication in my web application. Referring to HFSJ chapter 12, I included the following in my DD:
<security-role>
  <role-name>tomcat</role-name>
  <role-name>role1</role-name>
  <role-name>manager</role-name>
  <role-name>admin</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/loginPage.html</form-login-page>
    <form-error-page>/loginError.html</form-error-page>
  </form-login-config>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecondServlet</web-resource-name>
    <url-pattern>/com/ispl/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
Also, I included the 4 roles in the tomcat-users.xml file. What else is to be done?
 
Chandra Atla
Ranch Hand
Posts: 91
The action of the loginPage.html should be "j_security_check"

Also, the user name and password fields should be named as "j_username" and "j_password" respectively.

Thanks,
Chandra
 
Bhavna Jharbade
Ranch Hand
Posts: 69
Hi Chandra,
Thanks for the reply, but I have already done that, and it's still not working. Is there anything else to be done?
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

The security-role entries must be separate sub-elements.

<security-role>
  <role-name>tomcat</role-name>
  <role-name>role1</role-name>
  <role-name>manager</role-name>
  <role-name>admin</role-name>
</security-role>

This should be

<security-role>
  <role-name>tomcat</role-name>
</security-role>
<security-role>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <role-name>manager</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>

Hope it helps you

Thanks
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

May I know the meaning of "still not working"? It must show at least the log-on screen though the <security-role> entries are incorrect. Does it not accept the username/password and go to the error page, or is it not showing the log-on screen at all? Which version of Tomcat are you using?

thanks
 
Bhavna Jharbade
Ranch Hand
Posts: 69
Hi Narendra,
Initially I wasn't getting the login page, but it was my mistake in mentioning the <url-pattern>. Now I have corrected it, so I am getting the login page at least, but when I enter the authorised username and password it gives me the following error:
HTTP Status 405 - HTTP method GET is not supported by this URL

Though I haven't used GET in any of the JSPs or servlets.
 
Chandra Atla
Ranch Hand
Posts: 91
Please change the form method to POST and try.

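For example:

<form name="test" method="POST" action="j_security_check">
  <!-- field names are fixed by the container's form-login mechanism -->
  User Name : <input type="text" name="j_username">
  Password : <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>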

Thanks,
Chandra
[ October 11, 2005: Message edited by: Chandra Atla ]
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

Hope you have made the changes to <security-role> in the DD and to the login form HTML as suggested by Chandra. As the browser is showing the login form (your HTML page), the auth mechanism is working correctly. Check your server log to see where it is throwing the error. In the testing environment we usually make a lot of changes in the DD, and multiple servlets/JSPs are configured in a single DD for different goals, so it is very difficult to analyse the problem. Try running it as a separate application.

If the <url-pattern> defined in your application points to a specific servlet/JSP, make sure that it defines both GET and POST methods. When we type a URL in the browser URL window it is a GET request. But as per the security constraints defined in the DD, only the POST method can access the URL.

To make the testing simple, remove the <http-method> from <web-resource-collection> and test it for all methods.


Thanks

[ October 11, 2005: Message edited by: Narendra Dhande ]
 
Bhavna Jharbade
Ranch Hand
Posts: 69
Chandra and Narendra, thanks for your help. My problem is solved: I used a doGet() in my servlet class and in it called the doPost(). It's working perfectly now.
Also, Chandra, it isn't necessary to write the <role-names> separately in <security-roles>.

Again, thanks to you both for helping me out.
 
Narendra Dhande
Ranch Hand
Posts: 951
Are you very sure that the auth mechanism is working perfectly without writing the <role-name> in <security-role> separately? As per the DD it must be separate. Are you getting the target servlet/JSP after authentication?

Thanks
 
Bhavna Jharbade
Ranch Hand
Posts: 69
Yes, I am sure. You can also refer to HFSJ pg 632, ch 12.

thanks
 
Narendra Dhande
Ranch Hand
Posts: 951
I am using Tomcat 5.5 and the NetBeans IDE. When I try to validate, it shows me an error in the DD with composite entries of <security-role>. I do not have the H&F book. As per the specification it should be separate. I read somewhere in this forum about these entries in the errata of the H&F book, that it should be separate.

On my installation, it shows the log-in page and then cannot authenticate the user/passwd if I use the <security-role> as you specified.

Thanks
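
An added example, not part of the thread or of any poster's code: a small Python check that runs over the descriptor from the first post and reports the two points the thread turns on, a <security-role> holding more than one <role-name>, and a <web-resource-collection> that lists <http-method>, which leaves every method it does not list outside the constraint. The names audit_dd and SAMPLE_DD and the list of common methods are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor fragments from the first post in one root.
SAMPLE_DD = """<web-app>
  <security-role>
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
    <role-name>manager</role-name>
    <role-name>admin</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/com/ispl/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

COMMON_METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")

def children(elem, name):
    """Direct children called `name`, ignoring any xmlns prefix on the tag."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return [(c.text or "").strip() for c in children(elem, name)]

def audit_dd(xml_text):
    """Return (code, detail) findings for a web.xml document (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    for role in children(root, "security-role"):
        names = texts(role, "role-name")
        if len(names) != 1:  # the schema allows exactly one role-name here
            findings.append(("MULTI_ROLE", names))
    for sc in children(root, "security-constraint"):
        for wrc in children(sc, "web-resource-collection"):
            listed = {m.upper() for m in texts(wrc, "http-method")}
            if listed:  # constraint binds only these; the rest stay open
                unprotected = [m for m in COMMON_METHODS if m not in listed]
                findings.append(("UNCOVERED_METHODS",
                                 (texts(wrc, "url-pattern"), unprotected)))
    return findings

if __name__ == "__main__":
    print(audit_dd(SAMPLE_DD))
```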
 