Security constraints and URL mapping

I am trying to add a JDBCRealm security constraint on a project. The authentication works but when it goes through I get

HTTP Status 404 - /productMaint5/productMaint
type Status report
message /productMaint5/productMaint
description The requested resource is not available.

productMaint is the url mapping for my servlet.
The project works correctly when there is no security constraint, but for some reason adding the constraint makes the servlet inaccessable.

Any help would be appreciated.

Here are some details. Before adding the JDBCRealm constraints my web.xml looks like this:
<servlet> <servlet-name>ProductAdminController</servlet-name> <servlet-class>music.admin.ProductAdminController</servlet-class> </servlet> <servlet-mapping> <servlet-name>ProductAdminController</servlet-name> <url-pattern>/productMaint</url-pattern> </servlet-mapping> <session-config> <session-timeout>30</session-timeout> </session-config> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list>

And it works perfectly fine.
Then I create a folder for all the secured resources (html and jsp pages) and place them in that folder. Then I modify the web.xml file to this:
<servlet> <servlet-name>ProductAdminController</servlet-name> <servlet-class>music.admin.ProductAdminController</servlet-class> </servlet> <servlet-mapping> <servlet-name>ProductAdminController</servlet-name> <url-pattern>/productMaint</url-pattern> </servlet-mapping> <session-config> <session-timeout>30</session-timeout> </session-config> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> <!-- Define two security roles --> <security-role> <description>customer service employees</description> <role-name>service</role-name> </security-role> <security-role> <description>system administrators</description> <role-name>programmer</role-name> </security-role> <!-- Restrict access to all files in the /admin folder --> <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/admin/*</url-pattern> </web-resource-collection> <!-- Authorize the programmer and service roles --> <auth-constraint> <role-name>programmer</role-name> <role-name>service</role-name> </auth-constraint> <!-- Require a secure connection --> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <!-- Use form-based authentication --> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/admin/login.html</form-login-page> <form-error-page>/admin/login_error.html</form-error-page> </form-login-config> </login-config>

This all works, I get to the login forms. But once through the authentication it cannot find the productMaint servlet.

The first question that comes to mind; did you add your user id to those security roles?

I know this is like the "is your computer plugged in?" question, but sometimes it's the simple things that burn us.

Welcome to the JavaRanch, Matthew!

How are you logging in? If you are doing so via the URL /productMaint5/admin/login.html, that doesn't work. The J2EE security mechanism does not support direct access to the login page. You should be requesting a protected URL, which will automatically trigger the login process.

I don't see a protection (security-constraint) for /productMaint, so any attempt by a user should be allowed, including attempts by users who have not logged in.

Thanks for the responses. I'm not sure what you mean when you ask if I added my User ID to the login roles. I am using a MySQL server where I have one database for the product information and a separate database that contains the security roles, user names and passwords for the JDBCRealm. I don't have any problem accessing the databases. The project works with the authentication, with the proper user name and password, it goes through. If you enter an incorrect name or pw, it goes to a login_error.html. The problem occurs when it goes through to the actual pages which use my servlet. Is there some way to post a screenshot of my netbeans project so you can see how the structure looks?

The model that J2EE Container-Managed security uses for authentication and authorization equates to 2 database tables. One table maps a (hopefully unique) userid to a password. The other maps userid (as a foreign key) to zero or more security roles. So JKR is asking if you made sure that you actually had added a userid/password into the user table so that there was someone to log in as.

I didn't ask that, because you should never get past login if there isn't - you'd either get sent to the loginfail page or get a 503 (Forbidden) response.

However, I must repeat this very important consideration: You cannot simply login by entering the URL of the login page on your client. The login page is designed to be presented by the container (Tomcat, Glassfish, WebSphere, or whatever server you're using) and processed by the server (no user-written login code). If someone pulls up the login page directly via URL request, the context that's needed to actually process the login will not have been activated.

The only way to get a proper login page (or dialog, depending on whether you're doing form-based authentication or not) is to request a protected URL, as defined by your web.xml security-constaint definitions. In that case login is automatically activated with the proper context.

Since you don't have the URL path for the /productMaint URL mapped to a security-constraint, that particular URL would not trigger a login, and user access would be available to everyone, whether they were logged in or not.

Ok, but I don't think I'm trying to login by directly accessing the login page. I have an index.html page that is outside the secured portion of the project and that is the welcome page. That page has a link to get to the secured area and it is :

<a href="admin">View Products</a>

admin is the folder containing the secured resources.

You don't "href" to a folder unless you intend to have the Default Servlet generate an index listing. And you usually don't do that because you have no control over the look-and-feel of the default folder index display.

Also, linking to "admin" won't match the "/admin/*" security URL pattern, since "/admin" isn't the same thing as "/admin/*".

I think what you're probably needing is to have the welcome page link to a specific page/servlet in the /admin folder, not simply to the folder.

Plus, that doesn't secure /productMaint. For that you need a separate URL pattern and role map.