
<auth-constraint> in web.xml

 
Shashank Sharma
Ranch Hand
Posts: 91
Hello,
I am reading through the web app security chapter of HFJS. I could add a constraint for a certain URL pattern through <security-constraint> tags in the DD, so it would restrict me from requesting a constrained resource.
I am not able to understand how the user roles of Apache Tomcat will authorize the request. We can log in to one of the Tomcat accounts to manage the app and check the active sessions for the app, but it does not allow me to access a constrained resource even if I am logged in as an admin.
<auth-constraint> lists roles which can do a GET or a POST request.
I have <auth-constraint> as


Can anyone please explain how this authorization is done.
Thanks..
 
Shashank Sharma
Ranch Hand
Posts: 91
moving on..


These are the username and role mappings in the tomcat-users.xml file

and I am trying to use form authorization as

On using the username and password as above, it always gets redirected to the login error page.
The web.xml is as under.




 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2419
Just remove the <user-data-constraint>, as it requires you to set up the HTTPS port on Tomcat, and try again.

Regards,
Frits
 
Shashank Sharma
Ranch Hand
Posts: 91
Hello,

Thank you for your response.
I have tried that. It redirects the page to the login error page.
It means it is not able to match the username and password specified in tomcat-users.xml with the ones that I am passing on the login page.
And I am using a login config which specifies the login page for authentication and an error page if incorrect authentication information is passed.

But what is it supposed to do if the credentials are correct?
I could answer most of the questions at the end of the chapter, but that is of no use unless I am able to implement the security constraints.
Frits, it would be great if you could explain a bit on the constraint part, which I am not able to get through the book.


Thanks.
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2419
I have tried that. it redirects the page to the login error page.

What is the URL you are using?

but what it is supposed to do If the credentials are correct.

If the credentials are correct you should let the user access your "protected" servlets. This is part of Authorisation, whereas checking the credentials is part of Authentication.

In other words: Authentication is: "do I (as a server) know you": if not, go and play somewhere else...
and Authorisation is about: if I know you, what parts of the application are you allowed to access

You configure Authentication with the <login-config> element and Authorization with the <security-constraint> element. The roles playing a part in your web-app should be configured in the <security-role> element (which I am not seeing in your web.xml....), and the user-to-role mapping is servlet-container specific; for Tomcat it is done in the tomcat-users.xml file (like you did).

Your web.xml has a <security-constraint> on <url-pattern>*.do</url-pattern> which maps to the Test001 Servlet, meaning all the URLs starting with http://localhost:8080/YourWebAppRoot/ and ending with .do, so for example:
http://localhost:8080/YourWebAppRoot/Test001.do should go to your Servlet com.Test001 (as you have defined in your web.xml)

Does this explain things a bit? If you are still having problems with the code example, just post the rest of your code (your web app root, and the directory structure of your web-app)


Regards,
Frits
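As an added illustration (not the original poster's web.xml, which did not survive on this page), here is how the elements Frits lists fit together for the *.do pattern and the com.Test001 servlet mentioned in the thread: a <security-constraint> with its <auth-constraint>, a FORM <login-config>, and the <security-role> declaration. The role name appadmin and the login page paths are placeholders chosen for the example.

```xml
<!-- web.xml (added example; role name and page paths are placeholders) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <servlet>
    <servlet-name>Test001</servlet-name>
    <servlet-class>com.Test001</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Test001</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Authorization: only users in role "appadmin" may reach any *.do URL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Action servlets</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <!-- No <http-method> listed, so every HTTP method is constrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>appadmin</role-name>
    </auth-constraint>
    <!-- <user-data-constraint> with CONFIDENTIAL is left out on purpose: it forces
         HTTPS, which needs Tomcat's SSL connector configured first. -->
  </security-constraint>

  <!-- Authentication: FORM login. The login page must POST fields named
       j_username and j_password to the action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare every role that an <auth-constraint> above refers to. -->
  <security-role>
    <role-name>appadmin</role-name>
  </security-role>
</web-app>
```

For this to work, conf/tomcat-users.xml must declare the same role and assign it to the user, e.g. `<role rolename="appadmin"/>` and `<user username="someuser" password="..." roles="appadmin"/>`. A username/password that does not match tomcat-users.xml sends you to the form-error-page, while credentials that match but lack the required role get a 403 from Tomcat instead.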
 