Secure Servlet problem

In the web.xml file, I set <role-name> in <auth-constraint> to "*".
But it still comes out 403 error.
The following are the codes.
What is the problem? Please help me.

web.xml:
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<servlet>
<servlet-name>CheckedServlet</servlet-name>
<servlet-class>webcert.ch05.ex0502.CheckedServlet</servlet-class>
<security-role-ref>
<role-name>MGR</role-name>
<role-link>manager</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>CheckedServlet</servlet-name>
<url-pattern>/CheckedServlet</url-pattern>
</servlet-mapping>

<security-constraint>
<web-resource-collection>
<web-resource-name>TheCheckedServlet</web-resource-name>
<url-pattern>/CheckedServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<role-name>manager</role-name>
</security-role>

</web-app>

403 status shows forbidden state. Auth constraint with a role-name *, will make the resource constrained for all users.

You have given less information regarding your problem. How did you access the resource, what all methods your servlet supports. Did you authenticate before you tried to access your resource?

Can you explain your flow?

I am using Windows and Tomcat.
I access the resource by the following URL: http://localhost:8080/ex0502/CheckedServlet.
The CheckedServlet.java is just some simple codes to do test.
It supports doGet() & doPost() methods.
If the web.xml changes to the following codes, it works fine.

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<servlet>
<servlet-name>CheckedServlet</servlet-name>
<servlet-class>webcert.ch05.ex0502.CheckedServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CheckedServlet</servlet-name>
<url-pattern>/CheckedServlet</url-pattern>
</servlet-mapping>

How can I authenticate?

- Did the servlet intend to send 403?
- If not, restart the browser you'll get through, "*" means all user roles are allowed to gain access to those resources you mean.
- add declaratives below to web.xml, then authentication will pop up
<login-config> <auth-method>BASIC</auth-method> </login-config>
[ January 14, 2007: Message edited by: Bob CHOI ]

Hi,

There is a basic confusion here .... Security Constraint is NOT ABOUT ALLOWING ACCESS ... it is about CONSTRAINING ACCESS ....

When you say "*", you mean that you restrict all roles from accessing the resource. So you have to go through authentication.

If you want to allow all resources, then remove the security-constraint.

except from servlet spec p143 $17

"The auth-constraint indicates the user roles that should be permitted access to this resource collection."

I removed the following codes, it works.
I am confused the "*".
Thanks Manikandan!

<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

if security mechanism is concerned simply with authentication(A) and authorization(A), the scenarioes below demostrate how the basics work.

assumption:

- client access to "hello.jsp" is required to be AAed
- hello.jsp is located under web app root "myapp"
- Tomcat has created a few default user-password-role mapping, we'll use the one "tomcat-tomcat-tomcat"

hello.jsp:

hello <%= request.getRemoteUser() %>

web.xml config-1:

<?xml version="1.0" encoding="ISO-8859-1"?> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee <a href="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"" target="_blank" rel="nofollow">http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"</a> > <security-constraint> <web-resource-collection> <web-resource-name>my-dmz</web-resource-name> <url-pattern>/hello.jsp</url-pattern> </web-resource-collection> [B]<auth-constraint> <role-name>tomcat</role-name> </auth-constraint>[/B] </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config> </web-app>

call flow:

1. client requesting http://localhost/myapp/hello.jsp
2. server asking for authentication
3. client popping up authentication window
4. user typing "tomcat", "tomcat"
5. client requesting http://localhost/myapp/hello.jsp with encoded authentication info
6. server verifying and authorizing the access
7. "hello tomcat" returning to client

web.xml config-2: use "*" for permitting all roles

<auth-constraint> <role-name>*</role-name> </auth-constraint>