<auth-constraint> in web.xml

Hello,
I am reading through web app security in HFJS. I could add a constraint for a certain URL pattern through <security-constraint> tags in the DD, so it would restrict me from requesting a constrained resource.
I am not able to understand how the user roles of Apache Tomcat will authorize the request. We can log in to one of the Tomcat accounts to manage the app and check the active sessions for the app, but it does not allow me to access a constrained resource even if I am logged in as an admin.
<auth-constraint> lists roles which can do a GET or a POST request.
I have <auth-constraint> as


Can anyone please explain how this authorization is done?
Thanks.

Moving on...


These are the username and role mappings in the tomcat-users.xml file

and I am trying to use form authorization as

On using the user name and password as above, it always gets redirected to the login error page.
The web.xml is as under.




Just remove the <user-data-constraint>, as it requires you to set up the HTTPS port on Tomcat, and try again.

Regards,
Frits

Hello,

Thank you for your response.
I have tried that. It redirects the page to the login error page.
It means it is not able to match the username and password specified in tomcat-users.xml with the ones that I am passing on the login page.
And I am using a login config which specifies the login page for authentication and an error page if incorrect authentication information is passed.

But what is it supposed to do if the credentials are correct?
I could answer most of the questions at the end of the chapter, but that is no use unless I am able to implement the security constraints.
Frits, it would be great if you could explain a bit on the constraint part, which I am not able to get through the book.


Thanks.

> I have tried that. It redirects the page to the login error page.

What is the URL you are using?

> But what is it supposed to do if the credentials are correct?


If the credentials are correct you should let the user access your "protected" servlets. This is part of Authorisation, whereas checking the credentials is part of Authentication.

In other words: Authentication is: "do I (as a server) know you": if not, go and play somewhere else...
and Authorisation is about: if I know you, what parts of the application are you allowed to access

You configure Authentication with the <login-config> element and Authorization with the <security-constraint> element. The roles playing a part in your web-app should be configured in the <security-role> element (which I am not seeing in your web.xml....) and the user-to-role mapping is Servlet-container specific and for Tomcat is done in the tomcat-users.xml file (like you did).

Your web.xml has a <security-constraint> on <url-pattern>*.do</url-pattern> which maps to the Test001 Servlet, meaning all the URLs starting with http://localhost:8080/YourWebAppRoot/ and ending with .do, so for example:
http://localhost:8080/YourWebAppRoot/Test001.do should go to your Servlet com.Test001 (as you have defined in your web.xml)

Does this explain things a bit? If you are still having problems with the code example, just post the rest of your code (your web app root, and the directory structure of your web-app)


Regards,
Frits
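
The role wiring described in the reply above, as an added example that is not part of the original thread: a small Python check that every role named in <auth-constraint> is declared in <security-role> and held by at least one user in tomcat-users.xml. Both XML documents are constructed samples; the role name "member", the user "alice" and the login page paths are assumptions, only the *.do pattern comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (role name and page paths are assumptions).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>actions</web-resource-name>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>member</role-name></security-role>
</web-app>"""

# Constructed tomcat-users.xml; user name and password are placeholders.
TOMCAT_USERS = """<tomcat-users>
  <role rolename="member"/>
  <user username="alice" password="change-me" roles="member,admin"/>
</tomcat-users>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]   # drop an XML namespace prefix if present

def role_report(web_xml, users_xml):
    """Return roles the constraints need but that are undeclared or unmapped."""
    required, declared, mapped = set(), set(), set()
    for el in ET.fromstring(web_xml).iter():
        roles = {c.text.strip() for c in el if local(c.tag) == "role-name" and c.text}
        if local(el.tag) == "auth-constraint":
            required |= roles
        elif local(el.tag) == "security-role":
            declared |= roles
    for el in ET.fromstring(users_xml).iter():
        if local(el.tag) == "user":
            mapped.update(r.strip() for r in el.get("roles", "").split(",") if r.strip())
    required.discard("*")   # "*" means every role declared in the web app
    return {"undeclared": sorted(required - declared),
            "no_user": sorted(required - mapped)}

if __name__ == "__main__":
    print(role_report(WEB_XML, TOMCAT_USERS))
```

An empty report only shows that the role names line up across the two files; the login form itself still has to post j_username and j_password to j_security_check, and the browser has to request the protected *.do URL.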