Authentication with JDBC Realms and MVC pattern (Controller servlet)

 
Greenhorn
Posts: 4
Hello, I am developing a web application using the MVC pattern and I am trying to authenticate with JDBC Realms. My problem is that using this authentication method with a Controller servlet that forwards requests to the proper JSP page doesn't work.
I don't know what to do. Does anyone know how to authenticate using a Controller servlet? (I'm not using Struts.)
I will explain in more detail:
I have a Controller servlet that receives all requests to other pages. This servlet must authenticate the user and, if the user is authenticated, forward to the proper protected page, else forward to a login page. I am using JDBC Realms to protect the folders that contain the pages that must be accessed under authentication. The problem is that the servlet uses the method forward(request, response), which jumps the security-constraint and accesses the protected pages. I don't know how to use the JDBC Realms with the Controller Servlet.
 
Ranch Hand
Posts: 3244
Oscar
Welcome to the Java Ranch, we hope you'll enjoy visiting as a regular; however,
your name is not in keeping with our naming policy here at the ranch. Please change your display name to an appropriate name as shown in the policy.
Thanks again and we hope to see you around the ranch!!

As far as using Realms in your web app, some of it is server specific. Let us see your web.xml file to make sure there is nothing wrong there. If that isn't the case, you might want to try one of the server forums or the documentation for the server you're using.
 
Rancher
Posts: 13459

Originally posted by Oscar:
I have a Controller servlet that receives all requests to other pages. This servlet must authenticate the user and, if the user is authenticated, forward to the proper protected page, else forward to a login page. I am using JDBC Realms to protect the folders that contain the pages that must be accessed under authentication. The problem is that the servlet uses the method forward(request, response), which jumps the security-constraint and accesses the protected pages. I don't know how to use the JDBC Realms with the Controller Servlet.


Yeah, you'll have some trouble with this.
The easiest solution is to have two Front Servlets instead of one. The first manages non-secured pages and the second manages secured pages.
The second servlet will have to be in the secured directory with the other secured resources. The non-secured servlet will still control the login (since the login page can't be secured, otherwise you wouldn't be allowed to pass it to them) and will redirect to the secured servlet after the user is authenticated.
If you are using Struts you might be in trouble. I haven't used Struts but I believe it flattens the directory structure. This will tend to remove the fact that you have secured a directory and make it difficult to distinguish between secured and non-secured resources.
Or not. I'm happy to be wrong.
--------------------
(Other) Dave
Just because you're paranoid doesn't mean I'm not after you.
 
Oscar Arnaiz
Greenhorn
Posts: 4
First of all, I apologize for posting the same question in two different forums, but I am new to JavaRanch and I don't know how it works. Sorry.
I am using Tomcat 3.2.4. The method that I use to go from one page to another is by means of a Controller servlet and a hidden type input named "page" that represents the next page to go to. That parameter is received by the Controller servlet, which converts it to the real URL with: nextPage = getInitParam(request.getParameter("page"));
For example, a web.xml for a simple application where the adminPage.jsp is protected:
<web-app>
  <servlet>
    <servlet-name>Controller</servlet-name>
    <display-name>Controller</display-name>
    <servlet-class>Controller</servlet-class>
    <init-param>
      <param-name>Index</param-name>
      <param-value>index.htm</param-value>
    </init-param>
    <init-param>
      <param-name>AdminPage</param-name>
      <param-value>/admin/adminPage.htm</param-value>
    </init-param>
    <init-param>
      <param-name>UnprotectedPage</param-name>
      <param-value>unprotectedPage.htm</param-value>
    </init-param>
  </servlet>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tools-admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ProtectedArea</realm-name>
    <form-login-config>
      <form-login-page>/security/login.jsp</form-login-page>
      <form-error-page>/security/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
From the Index page, to access the admin page the parameter "page" is equal to "AdminPage". The Controller servlet jumps the login page and goes to the admin page without authentication. Must I put the servlet in the protected area? I am using JDBC Realm with three tables for authentication (Login, Roles, Role-Login).
 
Ranch Hand
Posts: 580

Originally posted by Oscar:
Hello, I am developing a web application using the MVC pattern and I am trying to authenticate with JDBC Realms. My problem is that using this authentication method with a Controller servlet that forwards requests to the proper JSP page doesn't work.
I don't know what to do. Does anyone know how to authenticate using a Controller servlet? (I'm not using Struts.)
I will explain in more detail:
I have a Controller servlet that receives all requests to other pages. This servlet must authenticate the user and, if the user is authenticated, forward to the proper protected page, else forward to a login page. I am using JDBC Realms to protect the folders that contain the pages that must be accessed under authentication. The problem is that the servlet uses the method forward(request, response), which jumps the security-constraint and accesses the protected pages. I don't know how to use the JDBC Realms with the Controller Servlet.


You can achieve this by using a URL mapping strategy in your controller servlet. Let's use Struts as an example. You map URLs to your action classes using the struts-config.xml file. So, you use different URLs to access the same servlet instance (the ActionServlet) by way of extension mapping (*.do). Now, in your web.xml file, you can apply different security settings to the different URLs in your web application. The key is that you have to use the URL itself to tell you which page to forward to (in your case). Hope this helps (it's early).
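
Added example, not code from any poster in this thread: container security-constraints are applied to incoming client requests and not to RequestDispatcher.forward(), so a controller that forwards into /admin/ must either check the role itself or redirect so the container sees a new request. The class name GuardedController and the two constants are assumptions chosen to match the web.xml posted above.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative controller (hypothetical name). The prefix and role below are
// assumptions mirroring the posted web.xml: /admin/* restricted to role "admin".
public class GuardedController extends HttpServlet {
    private static final String PROTECTED_PREFIX = "/admin/";
    private static final String REQUIRED_ROLE = "admin";

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Resolve the logical page key through init-params only, so the
        // client can never supply a raw path; unknown keys are rejected.
        String key = req.getParameter("page");
        String target = (key == null) ? null : getInitParameter(key);
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (!target.startsWith("/")) {
            target = "/" + target; // dispatcher paths are context-relative
        }

        if (isProtected(target) && !req.isUserInRole(REQUIRED_ROLE)) {
            // Do not forward: a redirect makes the browser issue a new request
            // for /admin/..., which the container checks against the
            // security-constraint (FORM login, then the role check).
            // If the container does not expose the principal on this URL,
            // isUserInRole() is false and we always redirect, which is safe.
            resp.sendRedirect(
                resp.encodeRedirectURL(req.getContextPath() + target));
            return;
        }

        // Public page, or the caller already holds the role: forwarding
        // no longer skips an authorization decision.
        req.getRequestDispatcher(target).forward(req, resp);
    }

    // True for any target that falls under the constrained URL pattern.
    static boolean isProtected(String path) {
        return path.startsWith(PROTECTED_PREFIX);
    }
}
```

The explicit isUserInRole() check duplicates the role name from web.xml, so the two must be kept in sync when the constraint changes.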
 