JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Servlet User Roles

Tom W
Greenhorn

Joined: Dec 18, 2001
Posts: 1
Hi,
I am trying to get a simple servlet up and running on Tomcat 3.3 using user roles/permissions as practice revision for the SCWCD.
Does anyone know of any simple examples on the web - or an easy step by step guide of each element of the servlet deployment descriptor?
Any help would be greatly appreciated
Tom
Chintan Rajyaguru
Ranch Hand

Joined: Aug 19, 2001
Posts: 341
Hi Tom,
You have the exact same issue as I do. I am working on error handling and security and looking for some resources on the web. I have not found any resources yet. However, Java Servlet Programming (O'Reilly) by Jason Hunter and William Crawford explains security very nicely. I don't think the security chapter is available on the internet for free. I would go to a bookstore such as Barnes and Noble and read one chapter there (just an idea).
I would love to see more responses here. Please let me know if you find something.
Chintan


ChintanRajyaguru.com
SOADevelopment.com - Coming soon!
Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2370

I'm now using this simple form-based authentication and would like to join you two guys' search. But temporarily you can use the following:
The HTML page (loginScreen2.html) used to invoke the login servlet...

And source code for LoginServlet.java

Waiting for the reply on how to configure web.xml or Tomcat 4 for user role creation...

------------------
Muhammad Ashikuzzaman (Fahim)
Sun Certified Programmer for the Java 2 Platform
--When you learn something, learn it by heart!


Ashik Uzzaman
Senior Member of Technical Staff, Salesforce.com, San Francisco, CA, USA.
Carl Trusiak
Sheriff

Joined: Jun 13, 2000
Posts: 3340
Well, you can use the manager application that comes with Tomcat 4 as a brief example. Most of the work is done for you by the servlet engine. The two things you need to do to protect your application are:
1) Include a security constraint in your web.xml. The one with the manager application is:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
This tells the servlet engine that everything under manager requires HTTP Basic Authentication prior to viewing. It also states that the person logging in must belong to the manager role.
As for establishing users and roles, there are a couple of ways. The easiest is to modify the tomcat-users.xml under the <TOMCAT_HOME>/conf directory and include an entry for your user. As you see by the web.xml entry above, the comment tells you that a manager hasn't been defined and you will see this in tomcat-users.xml. Add an entry such as:
<user name="admin" password="admin" roles="manager" />
And when you go to the manager application, you are greeted with the login popup. Logging in with admin, admin will allow you to access the manager application.
Also if you examine the tomcat-users.xml, you'll see that a user can belong to multiple roles.


------------------
I Hope This Helps
Carl Trusiak, SCJP2, SCWCD

Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2370

Hi Tom & Carl,
There are two approaches for securing your web applications: programmatic security and declarative security. The former is implemented by the developer through programming/coding for the particular application. The latter approach is offered by J2EE and is implemented by the web container. There can be four types of declarative security mechanisms:
(a) HTTP basic authentication, (b) HTTP digest authentication, (c) HTTP client or client-cert authentication (through SSL/HTTPS) and (d) Form-based authentication.

I gave you earlier an example code of programmatic security. And now here is the form-based authentication (option d) in Tomcat 4. I'm giving my web.xml file that needs to be configured together with the tomcat-users.xml file. When a user comes to my site for the first time he will automatically be challenged by a request/response page for username & password. Once he gives username "ashik" & password "java" he'll never be asked the challenge again in this session.

tomcat-users.xml
================
<!--
NOTE: By default, no user is included in the "manager" role required
to operate the "/manager" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="ashik" password="java" roles="admin" />
</tomcat-users>
=================================================================
web.xml
=======
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>
ShowMsg
</servlet-name>
<servlet-class>
ShowMessage
</servlet-class>
<init-param>
<param-name>
message
</param-name>
<param-value>
Sun Certified Web component developer (SCWCD)
</param-value>
</init-param>
<init-param>
<param-name>
repeats
</param-name>
<param-value>
10
</param-value>
</init-param>
</servlet>

<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<description>Testing Form-based Authentication in Tomcat 4</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>Cookie Servlet Administrator</description>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/ashik4u/login.html</form-login-page>
<form-error-page>/ashik4u/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Registered Members</description>
<role-name>admin</role-name>
</security-role>
</web-app>

And the login.html that resides under my ashik4u context is like this -----

<html>
<head>
<title>Container's Login Authentication</title>
</head>
<body bgcolor=#e0d0c0 text=blue>
<h1>Please Login</h1>
<hr>
<form action="j_security_check" method=post>
<table bgcolor=#e3d2c1 border=0 width="30%" cellspacing=3 cellpadding=2>
<tr>
<td><b>Login</b></td>
<td><input type=text size=20 name="j_username"></td>
</tr>
<tr>
<td><b>Password</b></td>
<td><input type=password size=10 name="j_password"></td>
</tr>
<tr>
<td><p><input type=submit value="Sign in"></td>
</tr>
</table>
</form>
</body>
</html>

And yeah, you must already know the meaning of j_security_check, j_username & j_password....
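As an added example (not code from anyone in this thread), here is a small Python audit of the two files discussed above. It checks the things this thread keeps tripping over: a role required by an auth-constraint that no user in tomcat-users.xml holds (the "manager" NOTE in Carl's post), an http-method list that narrows Ashik's constraint to GET only, and a FORM login sent with transport-guarantee NONE. The embedded XML is a constructed cut-down of the files posted above, not the originals.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-relevant parts of the web.xml and tomcat-users.xml posted above.
WEB_XML = """<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>FORM</auth-method></login-config>
<security-role><role-name>admin</role-name></security-role>
</web-app>"""

TOMCAT_USERS = """<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="ashik" password="java" roles="admin" />
</tomcat-users>"""


def audit(web_xml, tomcat_users):
    """Return a list of findings about the declarative security in web_xml."""
    app = ET.fromstring(web_xml)
    # Roles that at least one user in tomcat-users.xml actually holds.
    held = set()
    for u in ET.fromstring(tomcat_users).findall("user"):
        held.update(r.strip() for r in u.get("roles", "").split(",") if r.strip())
    declared = {r.text.strip() for r in app.findall("security-role/role-name")}
    auth_method = app.findtext("login-config/auth-method", default="").strip()
    findings = []
    for sc in app.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
        if methods:
            # Listing <http-method> narrows the constraint to those methods only;
            # every method not listed (POST, HEAD, PUT, ...) stays unprotected.
            findings.append(f"{patterns}: only {methods} constrained; other HTTP methods are open")
        for r in sc.findall("auth-constraint/role-name"):
            role = r.text.strip()
            if role not in declared:
                findings.append(f"role '{role}' used in auth-constraint but not declared in security-role")
            if role not in held:
                findings.append(f"role '{role}' is not assigned to any user in tomcat-users.xml")
        if auth_method in ("FORM", "BASIC") and guarantee == "NONE":
            findings.append(f"{patterns}: {auth_method} login with transport-guarantee NONE sends the password in clear text")
    return findings
```

Run `audit(WEB_XML, TOMCAT_USERS)` to see the GET-only and clear-text findings; swap "admin" for "manager" in the web.xml to reproduce the undefined-user situation Carl's comment warns about.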