
BASIC Authentication and SSL configuration failed in Tomcat 6.0

 
Anthony D'Souz
Ranch Hand
Hi Folks,

The application is a simple JSP/Servlet application. I want to perform a user authentication (using BASIC Authentication) and, if the user is authenticated, then I will redirect them to the home screen using SSL (i.e. https). The BASIC Authentication has to be performed on clicking a button. I have added the roles along with their username and password in the tomcat-users.xml, hence there is no need for a Realm as of now.

To achieve this, I initially configured the BASIC Authentication in my web.xml like this:

The user BASIC Authentication part of the code works perfectly (the popup dialog appears asking for the username and password and it works fine).

Then I configured SSL by following these steps:

1) Generated a keystore using keytool

2) Added the below entry in the server.xml:

3) Added this in web.xml inside the

On running the application, below are the issues I have with it:

1) On clicking the button (for which the BASIC authentication has to be performed), the dialog for authentication did not appear (the one which appears for BASIC Authentication asking for username and password).

2) I was redirected to a link with https (yes, the https appeared in the URL) with GET, and the doGet() method of the servlet gets executed, which is incorrect since the submit button form is like this, hence the doPost method should be executed rather than the doGet:

Please let me know where the issues are and how to resolve them to achieve what I am expecting.
Thanks,
 
Tim Holloway
Saloon Keeper
You misunderstand how J2EE applies security. You cannot "click a button" to force login. Login is automatically invoked ANY time the user is not logged in (authenticated) and requests a secured URL. That prevents the very common failing of Do-It-Yourself security systems where people simply jump around the "login page".

Also, the login acts as a gateway to the requested page (URL). If login succeeds, then the requested URL is processed. The only way to force redirection to an alternative page is to hack things. There is no "login event handler". That is in large part because J2EE supports site logins, where the user may have logged in with a central security administration system at some earlier time (Single Sign-On), and the server will honor that operation instead of annoying the user with a separate login demand for each and every application (which can be especially annoying when it's a portal app).

I'm not a big fan of logins forcing me to another page myself, because I have a fondness for "bookmarking" commonly-used URLs and short-circuiting the bookmarks is a rude thing to do.
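For reference, here is how the three steps from the question (keystore, SSL connector, web.xml constraint) fit together in the container-managed model the reply describes: the security-constraint on the home URL, not a button, is what makes Tomcat demand credentials, and the CONFIDENTIAL transport guarantee is what sends the request to https. This is an added example, not configuration from either poster; the URL pattern /home/*, the role name member, the keystore path and the password are assumptions. Note that in Tomcat 6 the tomcat-users.xml file is read by the UserDatabaseRealm that the stock server.xml already configures, so "no Realm" really means "the default Realm".

```xml
<!-- conf/server.xml (fragment). The plain connector sends requests that need
     CONFIDENTIAL transport to redirectPort; the second connector serves https.
     Keystore path/password are assumptions; create the keystore first with:
       keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/keystore.jks -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- WEB-INF/web.xml (fragment). Everything under /home/* requires the role
     "member" and https. No <http-method> elements are listed on purpose:
     listing any method would leave every unlisted method unprotected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Home</web-resource-name>
    <url-pattern>/home/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Home Application</realm-name>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>

<!-- conf/tomcat-users.xml (fragment): the user the default UserDatabaseRealm
     will authenticate against the constraint above. Assumed values. -->
<tomcat-users>
  <role rolename="member"/>
  <user username="anthony" password="s3cret" roles="member"/>
</tomcat-users>
```

Two checks worth making with this layout. First, Tomcat enforces the transport guarantee before it challenges for credentials: an http request to a CONFIDENTIAL URL is answered with a 302 redirect to the https connector, and only the https request then receives the 401 BASIC challenge. Second, browsers follow that 302 with a GET, which is exactly the doPost-becomes-doGet symptom in the question. A form that must arrive as POST therefore has to be submitted to https in the first place, either by serving the page holding the form under the constraint (so the user is already on https) or by giving the form an absolute https action. BASIC also sends the credentials base64-encoded on every request, so every URL that can trigger the challenge should sit under the CONFIDENTIAL guarantee, not only the home page.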