Declarative Security with Java EE (Glassfish)

 
Terence Gronowski
Ranch Hand
Posts: 64
I want a simple example of a secured folder of a JSP application. The folder named "admin" should be accessed only by a user named "verwalter" (I don't use the user named "admin" as there is already such a user in Glassfish).

I program an app with an index.jsp. There is a link to the subfolder admin to the file adminSeite.html. Besides the index.jsp there are login.jsp and error.jsp. login.jsp has the following form in it:




error.jsp tells if entry fails.

In the Glassfish-Console (localhost:4848) I declare a user "verwalter" with password "verwalter" in the realm "file". I create a group "verwalterGruppe" with a random name. Here it is not possible to assign the user to a role (although some EE tutorials say that roles are defined in Glassfish).

web.xml: Definition of roles (in my opinion) and resources (paths):



sun-web.xml: mapping role defined in web.xml to user and group defined in admin console of glassfish.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
  <context-root>/VerzeichnisSchutz</context-root>
  <security-role-mapping>
    <role-name>adminRolle</role-name>
    <principal-name>verwalter</principal-name>
    <group-name>verwalterGruppe</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</sun-web-app>

If I want to run the app, I cannot log in with user verwalter and pass verwalter. The indicated url is:

http://localhost:8080/VerzeichnisSchutz/admin/j_security_chek

I am not sure about the definition of roles and resources. Are roles defined in web.xml, or are there predefined roles in Glassfish (admin and user), as many tutorials suggest? May I name resources deliberately?

Can somebody help me?

 
Terence Gronowski
Ranch Hand
Posts: 64
Is there nobody using Java EE6 declarative security? Is there anybody who works with Netbeans 6.9.1?

In the meantime I think that Declarative Security does not work in Netbeans 6.9.1.

I will report a bug.

Netbeans is a very cool tool, if only there were not so many errors!!!
 
Terence Gronowski
Ranch Hand
Posts: 64
I at last found the error. The form I used had a small error.

<form action="j_security_check" method="post">
  Username: <input type="text" name="j_username">

  Passwort: <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>

I just had value="submit", that was fatal.

Second I suppose that the role name must be written with a capital first letter.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <security-constraint>
    <display-name>AdminDisplay</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <description/>
      <url-pattern>/verwaltungsOrdner/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>ConstraintBeschreibung</description>
      <role-name>AdminRolle</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginFehler.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description/>
    <role-name>AdminRolle</role-name>
  </security-role>
</web-app>

and sun-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
  <context-root>/Schutz_1</context-root>
  <security-role-mapping>
    <role-name>AdminRolle</role-name>
    <principal-name>verwalter</principal-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</sun-web-app>

It was annoying to find the error, because there were no error messages.
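
Added example (not code from this thread or from GlassFish): because the container reports nothing when FORM login is misconfigured, this small lint cross-checks web.xml, sun-web.xml and the login form, comparing role names as exact, case-sensitive strings and checking for the `j_security_check` action and the `j_username` / `j_password` fields. It assumes GlassFish's default principal-to-role mapping is off, so every role used in a constraint needs an explicit mapping; the sample inputs are constructed, and `lint`, `role_names` and `FormScan` are names chosen here.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

NS = {"ee": "http://java.sun.com/xml/ns/javaee"}

# Constructed inputs, trimmed from the kind of files shown in this thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><auth-constraint>
    <role-name>AdminRolle</role-name>
  </auth-constraint></security-constraint>
  <security-role><role-name>AdminRolle</role-name></security-role>
</web-app>"""
SUN_WEB_XML = """<sun-web-app><security-role-mapping>
  <role-name>adminRolle</role-name><principal-name>verwalter</principal-name>
</security-role-mapping></sun-web-app>"""
LOGIN_HTML = """<form action="j_security_chek" method="post">
  <input type="text" name="j_username"><input type="password" name="j_password">
</form>"""

class FormScan(HTMLParser):
    """Collects form actions and input names from the login page."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and a.get("name"):
            self.fields.add(a["name"])

def role_names(root, path, ns=None):
    """Role names found at an ElementPath expression, whitespace-trimmed."""
    return {(e.text or "").strip() for e in root.iterfind(path, ns)}

def lint(web_xml, sun_web_xml, login_html):
    """Return a list of mismatches that would make FORM login fail silently."""
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    used = role_names(web, ".//ee:auth-constraint/ee:role-name", NS)
    declared = role_names(web, "ee:security-role/ee:role-name", NS)
    mapped = role_names(sun, "security-role-mapping/role-name")
    problems = [f"{r}: not declared in <security-role>" for r in sorted(used - declared)]
    problems += [f"{r}: no <security-role-mapping>" for r in sorted(used - mapped)]
    scan = FormScan()
    scan.feed(login_html)
    if not any(a.rsplit("/", 1)[-1] == "j_security_check" for a in scan.actions):
        problems.append("form action is not j_security_check")
    problems += [f"missing input {f}" for f in ("j_username", "j_password")
                 if f not in scan.fields]
    return problems
```

Run against the constructed inputs, `lint(WEB_XML, SUN_WEB_XML, LOGIN_HTML)` flags the role whose mapping differs only in case and the misspelled form action; an empty list means the three files agree.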
 
Terence Gronowski
Ranch Hand
Posts: 64
(sorry, I forgot to format code above)