
Secure Servlet problem

 
Derek Zeng
Greenhorn
Posts: 16
In the web.xml file, I set <role-name> in <auth-constraint> to "*".
But it still comes out with a 403 error.
The following is the code.
What is the problem? Please help me.

web.xml:
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <servlet>
    <servlet-name>CheckedServlet</servlet-name>
    <servlet-class>webcert.ch05.ex0502.CheckedServlet</servlet-class>
    <security-role-ref>
      <role-name>MGR</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>CheckedServlet</servlet-name>
    <url-pattern>/CheckedServlet</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TheCheckedServlet</web-resource-name>
      <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
 
Manikandan Jayaraman
Ranch Hand
Posts: 230
A 403 status means forbidden. An auth constraint with role-name * will make the resource constrained for all users.

You have given little information regarding your problem. How did you access the resource, and which methods does your servlet support? Did you authenticate before you tried to access your resource?

Can you explain your flow?
 
Derek Zeng
Greenhorn
Posts: 16
I am using Windows and Tomcat.
I access the resource by the following URL: http://localhost:8080/ex0502/CheckedServlet.
The CheckedServlet.java is just some simple code for testing.
It supports the doGet() & doPost() methods.
If the web.xml is changed to the following code, it works fine.

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <servlet>
    <servlet-name>CheckedServlet</servlet-name>
    <servlet-class>webcert.ch05.ex0502.CheckedServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CheckedServlet</servlet-name>
    <url-pattern>/CheckedServlet</url-pattern>
  </servlet-mapping>

</web-app>

How can I authenticate?
 
Bob CHOI
Ranch Hand
Posts: 127
- Did the servlet intend to send 403?
- If not, restart the browser and you'll get through; "*" means all user roles are allowed to gain access to those resources you mean.
- Add the declaratives below to web.xml; then authentication will pop up.

[ January 14, 2007: Message edited by: Bob CHOI ]
 
Manikandan Jayaraman
Ranch Hand
Posts: 230
Hi,

There is a basic confusion here .... Security Constraint is NOT ABOUT ALLOWING ACCESS ... it is about CONSTRAINING ACCESS ....

When you say "*", you mean that you restrict all roles from accessing the resource. So you have to go through authentication.

If you want to allow all resources, then remove the security-constraint.
 
Bob CHOI
Ranch Hand
Posts: 127
excerpt from servlet spec p143 §17

"The auth-constraint indicates the user roles that should be permitted access to this resource collection."
 
Derek Zeng
Greenhorn
Posts: 16
I removed the following code, and it works.
I am confused by the "*".
Thanks Manikandan!

  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
 
Bob CHOI
Ranch Hand
Posts: 127
If the security mechanism is concerned simply with authentication (A) and authorization (A), the scenarios below demonstrate how the basics work.

assumptions:

- client access to "hello.jsp" is required to be AA'ed
- hello.jsp is located under the web app root "myapp"
- Tomcat has created a few default user-password-role mappings; we'll use the one "tomcat-tomcat-tomcat"

hello.jsp:



web.xml config-1:



call flow:

1. client requesting http://localhost/myapp/hello.jsp
2. server asking for authentication
3. client popping up authentication window
4. user typing "tomcat", "tomcat"
5. client requesting http://localhost/myapp/hello.jsp with encoded authentication info
6. server verifying and authorizing the access
7. "hello tomcat" returning to client

web.xml config-2: use "*" for permitting all roles
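As an added example for the "myapp" scenario above (this is not Bob's config-1/config-2 and not the original poster's file), here is a complete web.xml that shows the three pieces which have to be present together for a "*" auth-constraint to behave as the spec describes: the constraint itself, a <login-config> so the container can challenge the client, and at least one declared <security-role> for "*" to expand to. The file name, URL pattern and realm name are assumptions; the user/role "tomcat" is the default mapping Bob refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml for the "myapp" scenario; assumed values, not the thread's own file. -->
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <!-- 1. Which URLs are protected. No http-method elements are listed on
          purpose: listing some would leave every method NOT listed
          unconstrained, while listing none covers all HTTP methods. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected JSP</web-resource-name>
      <url-pattern>/hello.jsp</url-pattern>
    </web-resource-collection>
    <!-- "*" is shorthand for every role declared in a security-role element
         of this descriptor. It does not mean "anyone": the request must be
         authenticated and the user must hold one of those roles.
         An empty <auth-constraint/> would deny everyone; leaving
         <auth-constraint> out entirely would allow everyone. -->
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 2. How the container challenges the client. Without this element the
          container cannot ask for credentials at all, so every request to
          the constrained URL is rejected (the 403 seen in the first post). -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myapp</realm-name>
  </login-config>

  <!-- 3. The role(s) that "*" expands to. The mapping of the user "tomcat"
          to the role "tomcat" lives in Tomcat's conf/tomcat-users.xml,
          not here. -->
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>

</web-app>
```

With this descriptor the call flow is the one Bob lists: the first request gets a 401 challenge, the browser prompts, and the retried request with the encoded credentials is checked against the realm and authorized because the user holds the declared role. Two things to keep in mind: BASIC sends the credentials with every request in a trivially reversible encoding, so in anything beyond a local test add a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> once an HTTPS connector is configured; and the user-to-role mapping comes from the realm (for Tomcat's default realm, a <user> element with username, password and roles attributes in conf/tomcat-users.xml), which is why a role declared in web.xml but assigned to no user still yields 403 after a successful login.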

 