action="j_security_check"

Hi,
I am trying to practice about security. In Form based authentication on action="j_security_check" I get

The requested resource (/Form_auth_method/j_security_check) is not available.

Isn't the target j_security_check provided by the application server?
<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/loginPage.html</form-login-page> <form-error-page>/loginError.html</form-error-page> </form-login-config> </login-config>
and I created a user, a password with an existing role in tomcat-users.xml .I it necessary to create the user in tomcat-users.xml?
Is there the necessity to configure the security-role on DD?I suppose i miss something...
Stefania

Hi Stefania,

Do you have a <security-constraint> in your web.xml? You can secure a Servlet with a <auth-constraint> using the role you used in your tomcat-users.xml.
Like:
<security-constraint> <web-resource-collection> <web-resource-name>SecureServlet</web-resource-name> <url-pattern>/StartServlet</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint>

and I created a user, a password with an existing role in tomcat-users.xml .I it necessary to create the user in tomcat-users.xml?

Yes, you need a user and role in the tomcat-users.xml

Is there the necessity to configure the security-role on DD?

Yes, you also need that (and you will use that role in the security-constraints <auth-constraint>)

Regards,
Frits

Hi Fritz,
thanks to your suggestion I wrote a <security-constraint>
<security-constraint> <web-resource-collection> <web-resource-name>Protected page</web-resource-name> <url-pattern>/protected-page.jsp</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>role1</role-name> </auth-constraint> </security-constraint>
on tomcat-users.xml I have more users with the role 'role1'
<user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/> <user username="stefania" password="mare" roles="role1"/> <user username="natalina" password="golfino" roles="role1"/>
and despite writing on web.xml:

<security-role><role-name>role1</role-name></security-role>

I can access to protected-page.jsp only using username=role1 or username=both, using other usernames and passwords I get the error.jsp..I created a new role consultant on tomcat-users.xml, added the security-role and the role-name, but couldn't access the same the protected-page.jsp, I don't know why...
Thanks
Stefania

Hi Stefania,

It looks like the tomcat-users file you are changing is not the one for your web-application.

Are you using Eclipse with integrated tomcat server? If so, you should look for the tomcat-users.xml file in your server-definition.

Regards,
Frits

Hi Fritz,
you were right, I mixed up the tomcat-users.xml but now I added a new role to the right tomcat embeded into netbeans- old version 5.5.1- but it still doesn't work. It still works only for users with role="role1" that was already defined. Can I add rolenames to tomcat-users.xml?I also cannot understand why rolenames are not defined in tomcat but for example role1 works.
<tomcat-users> <role rolename="consultant"/> <user name="tomcat" password="tomcat" roles="tomcat" /> <user name="role1" password="tomcat" roles="role1" /> <user name="both" password="tomcat" roles="tomcat,role1" /> <user name="stefania" password="sera" roles="role1"/> <user name="natalina" password="golfino" roles="role1"/> <user name="francesco" password="francy" roles="consultant"/> </tomcat-users>
Shouldn't it be mandatory to define the rolenames for roles tomcat or role1 ?
Moreover on another IDE- netbeans 6.9.1 -I always get the the error page despite making the same configuration, working on 5.5.1 IDE.
No idea why...
Thank you once more
Stefania

Hi Stefania,

I haven't worked with NetBeans before, but I downloaded it and tried your setup on the newest NetBeans version. I got it working and I made a document with screenshots of how I did it.

Have a look at my setup:
Instruction Security NetBeans

(if you can't download the doc I am willing to email it)
Regards,
Frits

Hi Fritz,
I downloaded your document and I'll follow your instructions(next reply).
Thank you for your help, sometimes I think this exam is a neverending one, but this forum encourages me to continue with the next chapter...
Stefania

Hi Frits,
I followed the document step by step - do you think it is better not to write web.xml by hand?- and now on Netbeans 6.9.1 project SecurityExample I think to have the right configuration; I had a comment wrapping role entries -I didn't notice before, now I removed it but I get the error page regardless of the username and password I enter.Just for check I send the web.xml
<security-constraint> <display-name>Constraint1</display-name> <web-resource-collection> <web-resource-name>Protected page</web-resource-name> <description/> <url-pattern>/protected-page.jsp</url-pattern> </web-resource-collection> <auth-constraint> <description>auth</description> <role-name>role1</role-name> <role-name>consultant</role-name> <role-name>bla</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>Example Form-Based Authentication Area</realm-name> <form-login-config> <form-login-page>/jsp/security/login.jsp</form-login-page> <form-error-page>/jsp/security/error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <description/> <role-name>role1</role-name> </security-role> <security-role> <description/> <role-name>consultant</role-name> </security-role> <security-role> <description/> <role-name>bla</role-name> </security-role>

and tomcat-users.xml

<tomcat-users> <role rolename="tomcat"/> <role rolename="role1"/> <role rolename="consultant"/> <role rolename="user"/> <role rolename="bla"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/> <user username="stefania" password="sera" roles="role1"/> <user username="francesco" password="francy" roles="consultant"/> </tomcat-users>
I think there is no apparent reason for this problem.I have two tomcat versions but on the IDE I use tomcat 6.0.26.
I'll try on the old 5.5.1 version IDE.
Thank you very much for your clear document.
Stefania

Hi Stefania,

I followed the document step by step - do you think it is better not to write web.xml by hand?

No, it is better to write the web.xml by hand and it is also better to create your .war file by hand. That way you know it should be done in the world without IDE's (have a look at the following topic War by hand)

I verified your settings with mine and they are exactly the same. The only difference is the version of tomcat (5.5 vs 6.0). Have a look if that was the problem, otherwise try to follow the War by hand instruction and deploy it on the tomcat5.5 server. This should work

Just to be sure it is not the problem of the URL: what is the URL you are typing in? You are getting to the login.jsp, right?

Regards,
Frits

Hi Frits,
at last I solved the mistery of the lost security!Unfortunatly it was not a true mistery, only the sum of my mistakes.I changed tomcat-users.xml once on catalina base once on catalina home, moreover on catalina base I had another comment wrapping role entries.Now I made all the changes on catalina base and everything works on both IDE versions.On the subject of these two system properties, I have only catalina_home between my environment variables, shouldn't I make a variable catalina_base?
Morever, is it right this definition I found on the web?
"The presence of those two properties is required only when you want to use multiple instances of Tomcat without having to install the software multiple times, and not wasting disk space.
The first properties (catalina.home) points to the location of the common information, while the other property (catalina.base) points to the directory where all the instance specific information are held."
If I'm using only one instance of tomcat inside the IDE, why changes on catalina_home didn't work?Why Netbeans IDE looks into the base directory by default?
Probably I'm still mixing it up???
Thanks
Ciao
Stefania

Hi Stefania,

at last I solved the mistery of the lost security!

Congratulations

I have only catalina_home between my environment variables, shouldn't I make a variable catalina_base?

I have never used the variable catalina_base so I can't advise you here...

Anyway, problem solved!

Regards,
Frits