
Security Problem with my app

 
Arnab Sinha
Hi All, I am studying the security chapter in HFSJ and trying to do a simple secured web app. Basically I have 2 JSPs constrained. So when I type the following I expect the login page to appear. But it's not happening.

1. In browser I type http://localhost:8080/ari/welcome.jsp
Result - HTTP Status 404 - /ari/welcome.jsp (Resource not available)
I assure you that this file does exist right under <TomCatHome>/webapps/ari/ folder.

2. Here is what I have in my DD.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ARI</web-resource-name>
    <url-pattern>/ari/*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

3. Here is my login-config setup in the DD.

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login_error.jsp</form-error-page>
  </form-login-config>
</login-config>

4. In the book it reminds you to turn Session tracking or SSL on. But I am not sure if that's the problem. It might be after the login.jsp contents are displayed, and the container authenticates the information.

Not sure why the container is not forwarding to login.jsp when it finds that the accessed resource is a security-constrained resource.

Any help will be appreciated and will clear my concept.

Thanks
Arnab

[ August 12, 2007: Message edited by: Arnab Sinha ]
[ August 12, 2007: Message edited by: Bear Bibeault ]
 
Bear Bibeault
Basic debugging step #1: If you take away all the security goop, does the page display?
 
Arnab Sinha
Originally posted by Bear Bibeault:
Basic debugging step #1: If you take away all the security goop, does the page display?


Yes it does. Any other ideas?
 
Michael Ku
Try changing <url-pattern>/ari/*.jsp</url-pattern>

to <url-pattern>/*.jsp</url-pattern>
 
Arnab Sinha
I figured it out. The problem was with my url pattern. Need to go over that section again I guess.

However if you guys could help me understand. My app has slightly changed.
I have 3 JSPs: Default.jsp, beerSelect.jsp and beerResult.jsp. My intention is to constrain both the beer JSPs.

So initially I had it set up like this:

<url-pattern>/beer*.jsp</url-pattern>. This restricted all the JSPs. So when I changed it to:
<url-pattern>/beerSelect.jsp</url-pattern> it worked, and popped up the login page.

I thought the first should have worked too.

Thanks all for replying
 
Michael Ku
Why not put the beer JSPs under a beer directory and then constrain them by
<url-pattern>/beer/*</url-pattern>
 
Arnab Sinha
Originally posted by Michael Ku:
why not put the beer jsps under a beer directory and then constrain them by
<url-pattern>/beer/*</url-pattern>


Good Idea!! Thanks Mike.
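
The url-pattern values tried in this thread, classified by the Servlet specification's mapping rules (an added example, not code from any poster; the function names and the sample descriptor are constructed for illustration). Request paths are relative to the context root, so with the app deployed as /ari, http://localhost:8080/ari/welcome.jsp is the path /welcome.jsp.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor holding the url-pattern values tried in the thread.
SAMPLE_DD = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>ARI</web-resource-name>
  <url-pattern>/ari/*.jsp</url-pattern>
  <url-pattern>/beer*.jsp</url-pattern>
  <url-pattern>/beerSelect.jsp</url-pattern>
  <url-pattern>/beer/*</url-pattern>
</web-resource-collection></security-constraint></web-app>"""

def classify(pattern):
    """Kind of mapping a url-pattern gets under the Servlet spec rules."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"        # prefix match: /beer/*
    if pattern.startswith("*."):
        return "extension"   # suffix match: *.jsp
    if pattern == "/":
        return "default"
    return "exact"           # any other string is compared literally

def matches(pattern, path):
    """True if a context-relative request path is covered by the pattern."""
    kind = classify(pattern)
    if kind == "path":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])
    return kind == "default" or path == pattern

def audit(descriptor, paths):
    """For each constrained url-pattern: its kind, the paths it covers, and
    whether it holds a '*' that will be treated as a literal character."""
    report = []
    root = ET.fromstring(descriptor)
    for node in root.iterfind(".//security-constraint//url-pattern"):
        pattern = (node.text or "").strip()
        kind = classify(pattern)
        covered = [p for p in paths if matches(pattern, p)]
        report.append((pattern, kind, covered, kind == "exact" and "*" in pattern))
    return report

if __name__ == "__main__":
    pages = ["/Default.jsp", "/beerSelect.jsp", "/beerResult.jsp", "/beer/beerSelect.jsp"]
    for row in audit(SAMPLE_DD, pages):
        print(row)
```

A pattern flagged in the last column protects none of the listed pages, which is the kind of gap worth checking for whenever a security-constraint is edited.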
 