Declarative Security with Java EE (Glassfish)

 
Ranch Hand
Posts: 64
I want a simple example of a secured folder of a JSP application. The folder named "admin" should be accessed only by a user named "verwalter" (I don't use the user named "admin" as there is already such a user in Glassfish).

I program an app with an index.jsp. There is a link to the subfolder admin, to the file adminSeite.html. Besides the index.jsp there are login.jsp and error.jsp. login.jsp has the following form in it:




error.jsp tells if entry fails.

In the Glassfish-Console (localhost:4848) I declare a user "verwalter" with password "verwalter" in the realm "file". I create a group "verwalterGruppe" with a random name. Here it is not possible to assign the user to a role (although some EE tutorials say that roles are defined in Glassfish).

web.xml: Definition of roles (in my opinion) and resources (paths):



sun-web.xml: mapping role defined in web.xml to user and group defined in admin console of glassfish.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
    <context-root>/VerzeichnisSchutz</context-root>
    <security-role-mapping>
        <role-name>adminRolle</role-name>
        <principal-name>verwalter</principal-name>
        <group-name>verwalterGruppe</group-name>
    </security-role-mapping>
    <class-loader delegate="true"/>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
</sun-web-app>

If I want to run the app, I cannot login with user verwalter and pass verwalter. The indicated url is:

http://localhost:8080/VerzeichnisSchutz/admin/j_security_chek

I am not sure about the definition of roles and resources. Are roles defined in web.xml, or are there predefined roles in Glassfish (admin and user), as many tutorials suggest? May I name resources deliberately?

Can somebody help me?

 
Terence Gronowski
Ranch Hand
Posts: 64
Is there nobody using Java EE6 declarative security? Is there anybody who works with Netbeans 6.9.1?

In the meantime I think that Declarative Security does not work in Netbeans 6.9.1.

I will report a bug.

Netbeans is a very cool tool, if only there were not so many errors!!!
 
Terence Gronowski
Ranch Hand
Posts: 64
I at last found the error. The form I used had a small error.

<form action="j_security_check" method="post">
    Username: <input type="text" name="j_username">

    Passwort: <input type="password" name="j_password">
    <input type="submit" value="Login">
</form>

I just had value="submit"; that was fatal.

Second, I suppose that the role name must be written with a capital first letter.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>AdminDisplay</display-name>
        <web-resource-collection>
            <web-resource-name>WebResource</web-resource-name>
            <description/>
            <url-pattern>/verwaltungsOrdner/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>ConstraintBeschreibung</description>
            <role-name>AdminRolle</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginFehler.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>AdminRolle</role-name>
    </security-role>
</web-app>

and sun-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
    <context-root>/Schutz_1</context-root>
    <security-role-mapping>
        <role-name>AdminRolle</role-name>
        <principal-name>verwalter</principal-name>
    </security-role-mapping>
    <class-loader delegate="true"/>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
</sun-web-app>

It was annoying to find the error, because there were no error messages.
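
A consistency check for the two descriptors discussed in this thread, added here as an example (it is not code from any of the posts or from GlassFish). It assumes role names are compared as exact, case-sensitive strings and that default principal-to-role mapping is not enabled, so every role named in an auth-constraint needs both a security-role declaration in web.xml and a mapping in sun-web.xml; `check_roles` and the trimmed sample descriptors are constructed for illustration:

```python
import xml.etree.ElementTree as ET

def local(tag):
    """'{namespace}role-name' -> 'role-name' (web.xml is namespaced, sun-web.xml is not)."""
    return tag.rsplit("}", 1)[-1]

def role_names(root, parent):
    """Text of every <role-name> directly under any <parent> element."""
    return {(c.text or "").strip()
            for el in root.iter() if local(el.tag) == parent
            for c in el if local(c.tag) == "role-name"}

def check_roles(web_xml, sun_web_xml):
    """Return findings for roles that are required but not declared or not mapped."""
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    required = role_names(web, "auth-constraint") - {"*"}  # "*" = every declared role
    declared = role_names(web, "security-role")
    # A mapping only counts if it names at least one principal or group.
    mapped = {m.findtext("role-name", "").strip()
              for m in sun.iter("security-role-mapping")
              if m.find("principal-name") is not None or m.find("group-name") is not None}
    findings = []
    for role in sorted(required):
        for where, names in (("declared in web.xml <security-role>", declared),
                             ("mapped in sun-web.xml", mapped)):
            if role in names:
                continue
            near = sorted(n for n in names if n.lower() == role.lower())
            hint = f"; found {near[0]!r}, which differs only in case" if near else ""
            findings.append(f"role {role!r} is not {where}{hint}")
    return findings

# Constructed sample descriptors, modelled on the thread but not copied from it.
WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>AdminRolle</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>AdminRolle</role-name></security-role>
</web-app>"""
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>adminRolle</role-name>
    <principal-name>verwalter</principal-name>
  </security-role-mapping>
</sun-web-app>"""

if __name__ == "__main__":
    for finding in check_roles(WEB_XML, SUN_WEB_XML):
        print("WARN:", finding)
```

Running it as part of the build surfaces a role-name mismatch between the two files before deployment, which the container otherwise only shows as a failed login.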
 