
Implementing FORM Based Security

 
Tarun Oohri
Ranch Hand
Posts: 189
Hello Everyone,
I am trying to implement FORM based security in my web application but I am unable to do so. Actually, I am not able to map my servlet from web.xml. I am using Tomcat 6, so I can't use annotations to map my servlet, and if I map my servlet using the <servlet> tag and <servlet-mapping> tag then the server directly executes my servlet without going through the <security-constraint> and <login-config>. My code is as follows:

Web.xml file

DoSomethingServlet.java

authentication.html

authentication_error.html

tomcat-user.xml
 
Ulf Dittmer
Rancher
Posts: 42968
You're mapping the servlet to /*, but you're only securing /DoSomethingServlet. So any URL but that specific one would not be secured, but can be used to access the servlet.

I think what you meant to do was to map the servlet to "/DoSomethingServlet".
 
Tarun Oohri
Ranch Hand
Posts: 189
Ulf Dittmer wrote:You're mapping the servlet to /*, but you're only securing /DoSomethingServlet. So any URL but that specific one would not be secured, but can be used to access the servlet.

I think what you meant to do was to map the servlet to "/DoSomethingServlet".


I have already tried doing that but no help. Actually it is not able to fetch the start up file from web.xml (i.e. authentication.html). Following is the error I am getting:

HTTP Status 404 - /JavaWebSecurityPrj04/

The URL showing is (http://localhost:8080/JavaWebSecurityPrj04/) but it should be like this in order to fetch the authentication.html file (http://localhost:8080/JavaWebSecurityPrj04/authentication.html)

 
Ulf Dittmer
Rancher
Posts: 42968
So if I were to take all the files you posted, change line 10 of web.xml to "<url-pattern>/DoSomethingServlet</url-pattern>", install that as a web app called "JavaWebSecurityPrj04", and then accessed http://localhost:8080/JavaWebSecurityPrj04/DoSomethingServlet I would get a 404?

What do you mean by "startup file"? Do you mean welcome file? There is none configured in the web.xml.

Can you access the web app at all, for example a static HTML file in the root directory? I'm now assuming that you no longer map security to "/*".
 
Tarun Oohri
Ranch Hand
Posts: 189
Ulf Dittmer wrote:So if I were to take all the files you posted, change line 10 of web.xml to "<url-pattern>/DoSomethingServlet</url-pattern>", install that as a web app called "JavaWebSecurityPrj04", and then accessed http://localhost:8080/JavaWebSecurityPrj04/DoSomethingServlet I would get a 404?

What do you mean by "startup file"? Do you mean welcome file? There is none configured in the web.xml.

Can you access the web app at all, for example a static HTML file in the root directory? I'm now assuming that you no longer map security to "/*".


Yes, I meant welcome file only. It is configured in the <form-login-config> tag. When I explicitly execute that URL given by you above I get the welcome page (i.e. authentication.html), but I want it to come automatically when I deploy my application on the server.
 
Ulf Dittmer
Rancher
Posts: 42968
That's not a welcome file; welcome files are configured using <welcome-file-list>.

But I think you misunderstand how servlet security works - you would never link to the login page directly. The servlet container would show that to the user if he tried to access a protected resource.
 
Tarun Oohri
Ranch Hand
Posts: 189
Ulf Dittmer wrote:That's not a welcome file; welcome files are configured using <welcome-file-list>.

But I think you misunderstand how servlet security works - you would never link to the login page directly. The servlet container would show that to the user if he tried to access a protected resource.


Do you have any good links or tutorials from where I can understand it properly?
 
Ulf Dittmer
Rancher
Posts: 42968
The key thing to understand is that there is no login page that you would link to. You'd just put links to protected and unprotected resources alike, and then the servlet container will call the login page if the user tries to access a protected resource, and if the login is successful, will serve that resource.

Some links can be found here: http://www.coderanch.com/how-to/java/ServletsFaq#security
 
Tarun Oohri
Ranch Hand
Posts: 189
Ulf Dittmer wrote:The key thing to understand is that there is no login page that you would link to. You'd just put links to protected and unprotected resources alike, and then the servlet container will call the login page if the user tries to access a protected resource, and if the login is successful, will serve that resource.

Some links can be found here: http://www.coderanch.com/how-to/java/ServletsFaq#security


Thanks for your valuable comments. I am very anxious to implement the security in my application. It is very exciting stuff but I am struggling to get through. I will read the content you provided and try to learn it rightly.
Thanks Again!!!
 