Securing my web application on JBoss 5.1.0.GA

I'm working with a simple J2EE web application from a tutorial (EJB3, Servlet) and am learning how to secure the application using JAAS.

The problem I'm having is that I'm trying to indicate that a specific page must allow access only to users participating in a particular role.
I believe I must not be configuring the url-pattern properly. The page I'm trying to lock down is called "create_user.html", which is located in the root of my web application's WebContent directory. The page contains some data entry fields and a Submit button. The Submit button is associated with an HTML Form which has an action of "create_user". I see in the application's servlet mapping that "/create_user" is mapped to the CreateUser servlet.

The result is that when I access the html page, I'm not asked for a password.

If I set the url-pattern to "/create_user", I am able to access the page, but get the authentication request when I post from the page to the servlet - which is too late. If I set the url-pattern to "/create_user.html", no authentication request happens at all. What am I doing wrong?

I have the following web.xml file:



Thank you for any help.
 
Mark E Hansen
After more reading, I'm wondering if I misunderstood something. Does the <security-constraint> element in the web.xml file only apply to servlets within the web application, and not to simple HTML pages?

For reference, here is the segment from the web.xml file:


Is the <url-pattern> element applied only to servlets?

If so, how do I restrict access to an HTML page?

Thanks,
 
Mark E Hansen
Sorry to answer my own post. I was having a problem getting my head around it. I think I've figured it out, and wanted to post it here in case anyone else was looking for the same information - or in case I'm off-base and someone can correct me.

The <url-pattern> in the <web-resource-collection> under the <security-constraint> element can use file name patterns (such as *.html) or directory path patterns (such as /foo/bar/*) (to name just two). Because all my HTML files were in the root of the web application, I was limited to specifying either /* or *.html, both of which applied the security restrictions to all HTML files, not just the one I wanted.

What I did was to move my restricted HTML page to a sub-directory in the web application, named "authorized". Then I created a <url-pattern> entry of:



With this, I'm able to access the other HTML pages in the application without authenticating, but an attempt to access the restricted HTML page results in an authentication challenge.

In reading the documentation, it seems that I should be able to create a <url-pattern> that will be matched exactly, but creating one like:



did not work. I'm not sure why.

Thanks,
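The following is an added example, not code from this thread (the poster's web.xml is not included above). It models how a Servlet 2.5 container such as the JBossWeb/Tomcat in JBoss 5.1 picks the <security-constraint> that covers a request: the best-matching url-pattern wins, in the order exact match, longest path-prefix match (/foo/*), extension match (*.html), then the "/" default. The web.xml string is constructed for the example and the role name "admin" is a placeholder. It goes slightly beyond the thread by including a constraint that lists <http-method>GET</http-method>, to show that verbs a constraint does not list fall outside it and reach the resource with no challenge.

```python
"""Which <security-constraint> covers a request?  Added example, not code
from the thread.  WEB_XML is constructed and "admin" is a placeholder role."""
import xml.etree.ElementTree as ET
from collections import namedtuple

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/create_user</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/authorized/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/create_user.html</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

Constraint = namedtuple("Constraint", "pattern methods roles")


def load_constraints(xml_text):
    """Flatten every <security-constraint> into (pattern, methods, roles)."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            for pat in wrc.findall("url-pattern"):
                out.append(Constraint(pat.text.strip(), methods, roles))
    return out


def pattern_kind(pattern):
    """Classify a url-pattern the way the Servlet spec does."""
    if pattern == "/":
        return "default"
    if pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def matches(pattern, path):
    kind = pattern_kind(pattern)
    if kind == "exact":
        return pattern == path
    if kind == "prefix":
        base = pattern[:-2]                      # "/authorized/*" -> "/authorized"
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])        # "*.html" -> ".html"
    return True                                  # "/" catches everything else


def best_match(patterns, path):
    """Exact beats longest prefix beats extension beats default; None if nothing matches."""
    exact = [p for p in patterns if pattern_kind(p) == "exact" and matches(p, path)]
    if exact:
        return exact[0]
    prefix = [p for p in patterns if pattern_kind(p) == "prefix" and matches(p, path)]
    if prefix:
        return max(prefix, key=len)
    ext = [p for p in patterns if pattern_kind(p) == "extension" and matches(p, path)]
    if ext:
        return ext[0]
    return "/" if "/" in patterns else None


def required_roles(xml_text, path, method="GET"):
    """Sorted roles demanded for `method path`, or None when no constraint covers it
    (the container serves it with no login challenge)."""
    constraints = load_constraints(xml_text)
    pat = best_match([c.pattern for c in constraints], path)
    if pat is None:
        return None
    # Only constraints on the winning pattern apply; a constraint that lists
    # <http-method> elements covers those verbs alone, so other verbs slip past it.
    covering = [c for c in constraints
                if c.pattern == pat and (not c.methods or method in c.methods)]
    if not covering:
        return None
    roles = set()
    for c in covering:
        roles.update(c.roles)
    return sorted(roles)


if __name__ == "__main__":
    for req in [("GET", "/index.html"), ("GET", "/create_user.html"),
                ("POST", "/create_user"), ("GET", "/authorized/create_user.html"),
                ("GET", "/reports/daily"), ("POST", "/reports/daily")]:
        print(req, "->", required_roles(WEB_XML, req[1], req[0]))
```

Two points follow from running it against the thread's cases: a constraint on "/create_user" alone covers only the servlet, so the form page is still served freely and the challenge arrives at the POST, exactly as the first post describes; and "/authorized/*" covers only that directory, which is why moving the page there worked. The GET-only "/reports/*" constraint is the caveat to carry away: leave <http-method> out of a constraint unless you also constrain the remaining verbs, or a POST (or HEAD, or an arbitrary verb) reaches the resource unauthenticated.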