
Application Security

 
Pedro Garcia
Greenhorn
Posts: 15
Hi...
I have a JSP application in Tomcat 4.1.18.
I'm trying to restrict it to only some roles.
How can I define a Security Constraint for an application in the web.xml file?
Is it necessary to put some code in /conf/server.xml too?
Could somebody post an example... :roll:
 
Mike Curwen
Ranch Hand
Posts: 3695
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

There is also an existing examples app that uses security restraints at: http://localhost:8080/examples/jsp/security/protected/
 
Pedro Garcia
Greenhorn
Posts: 15
Thanks...
I checked it.
It's what I'm looking for....
but...
Why does the JSP example send me error 404 when I log in, then go back and log in with a wrong password?
Do I need to initialize the session again?
How can I fix it?
 
Mike Curwen
Ranch Hand
Posts: 3695
I think I know what is happening, but this is only what I deduce, not what I know.

The example web-app uses container-managed, FORM-based authentication. That is what this page is for: http://localhost:8080/examples/jsp/security/protected/login.jsp

Note that the form elements are named j_username and j_password, and also that the action is j_security_check.

The action must be j_security_check, so that the container knows "that means forward this request to my internal authorization code, which expects something called j_username and j_password". You can customize login.jsp any other way, but that action and those form field names MUST be used if you want container-managed security to work.

One of the things that the container probably does as an efficiency test, is checks first if the user making the request is ALREADY logged in. Why authenticate when they've already been authenticated?

Because you just click "back", you are not logged out, so your session continues to be valid. When the container receives your second request (one with a bad password), it sees you are already logged in, and it will "pass off" the request to the web application that is being protected. *THAT* application does not have a resource mapped to j_security_check, and so you get the 404.

The solution is to logout with the link provided on index.jsp (the page you see after a successful login).
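An added example, not taken from the thread or the Tomcat examples app, of the two pages involved: a login.jsp that uses the field names and action the container requires, and a logout.jsp that ends the session so that a second login attempt is again handled by the container instead of the application. The file names and the redirect target index.jsp are assumptions:

```jsp
<%-- login.jsp: shown by the container when an unauthenticated request hits a
     protected URL. The action "j_security_check" and the field names
     "j_username" / "j_password" are fixed by the servlet spec; everything else
     on the page is free to change. --%>
<html>
<body>
  <form method="POST" action="j_security_check">
    <p>Username: <input type="text" name="j_username"></p>
    <p>Password: <input type="password" name="j_password"></p>
    <p><input type="submit" value="Log in"></p>
  </form>
</body>
</html>

<%-- logout.jsp (separate file): invalidating the session drops the
     authenticated principal, so the next request to a protected page
     goes through the login form again rather than producing a 404. --%>
<%
  session.invalidate();
  response.sendRedirect("index.jsp");
%>
```

Posting to j_security_check only works while the container is in the middle of a form login it started itself; with a still-valid session the request is passed to the application, which has no such resource, matching the 404 described above. A user pressing "back" therefore does not reach a stale login, they reach a page that no longer applies, and the fix is to give them a logout link that runs logout.jsp rather than to try to disable the button.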
 
Pedro Garcia
Greenhorn
Posts: 15
Thanks for your help.
Your explanation helps me to understand.
But how can I prevent the users from using the "back" button?
Or is it better to use another method to authenticate?...
 