JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)

Problem understanding Security-Constraint

Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
Hi All,
I am trying to constrain access to a file jstlChoose.do, which is a JSP, and I have mapped it to jstlChoose.do in web.xml.
As per HFSJ, the <security-constraint> element in web.xml does this job. I did the following in my web.xml:
--------------------------------------------------------------------------
<security-constraint>
<web-resource-allocation>
<web-resource-name>JSTL Choose</web-resource-name>
<url-patterns>/jstlChoose.do</url-patterns>
<http-method>GET</http-method>
</web-resource-allocation>
<auth-constraint>
<role-name>admin</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>admin</role-name>
<role-name>manager</role-name>
<role-name>guest</role-name>
</security-role>

-------------------------------------------------------------

Now, if I understand correctly, only admin and manager are allowed to call the GET method on jstlChoose.do, but when I try to access this file using

http://localhost:8080/TestJSP/jstlChoose.do

I am still able to see the result.
Am I doing something wrong? Do I have to set some variable to a user role first and then try accessing this file? I am really confused...
Any help is welcome,

Regards,

Sushma
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

Your web.xml entries:

<security-constraint>
<web-resource-allocation>
<web-resource-name>JSTL Choose</web-resource-name>
<url-patterns>/jstlChoose.do</url-patterns>
<http-method>GET</http-method>
</web-resource-allocation>
<auth-constraint>
<role-name>admin</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>admin</role-name>
<role-name>manager</role-name>
<role-name>guest</role-name>
</security-role>


Please make the corrections below. It should run:

<security-constraint>
<web-resource-collection> <!-- It should be collection, not allocation -->
<web-resource-name>JSTL Choose</web-resource-name>
<url-pattern>/jstlChoose.do</url-pattern> <!-- url-pattern, not url-patterns -->
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<!-- Make separate security-role entries; otherwise it is not valid. -->
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>guest</role-name>
</security-role>


Thanks


Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0
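A small checker for the web.xml mistakes this thread turns up, added here as an example (it is not code from the thread or from Tomcat); the two documents inside it are constructed to mirror the fragments posted above. It also flags one point the thread does not raise: listing <http-method>GET</http-method> constrains only GET, so the same URL stays unconstrained for every other verb unless the element is omitted.

```python
"""Lint a web.xml for the security-constraint mistakes discussed in this thread.
Added example, not code from the thread or from Tomcat; the two documents below
are constructed to mirror the fragments posted above."""
import xml.etree.ElementTree as ET

# Element names the thread got wrong, mapped to the Servlet 2.4 spelling.
MISSPELLINGS = {"web-resource-allocation": "web-resource-collection",
                "url-patterns": "url-pattern"}

def lint_web_xml(xml_text):
    """Return a list of findings; an empty list means the constraint looks sound."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.split("}")[-1]  # drop the J2EE namespace, if any
        if name in MISSPELLINGS:
            findings.append("<%s> is not a valid element; use <%s>" % (name, MISSPELLINGS[name]))
        elif name == "web-resource-collection":
            if not [c for c in elem if c.tag.split("}")[-1] == "url-pattern"]:
                findings.append("web-resource-collection has no <url-pattern>; it protects nothing")
        elif name == "http-method":  # listing verbs constrains only those; the rest stay open
            findings.append("only %s constrained; omit <http-method> to cover all verbs"
                            % (elem.text or "").strip())
        elif name == "security-role":
            roles = [c for c in elem if c.tag.split("}")[-1] == "role-name"]
            if len(roles) != 1:
                findings.append("security-role needs exactly one <role-name>, found %d" % len(roles))
    return findings

# Constructed: the original poster's fragment, wrapped in a <web-app> root.
BROKEN = """<web-app><security-constraint><web-resource-allocation>
<web-resource-name>JSTL Choose</web-resource-name><url-patterns>/jstlChoose.do</url-patterns>
<http-method>GET</http-method></web-resource-allocation>
<auth-constraint><role-name>admin</role-name><role-name>manager</role-name></auth-constraint>
</security-constraint><login-config><auth-method>BASIC</auth-method></login-config>
<security-role><role-name>admin</role-name><role-name>manager</role-name>
<role-name>guest</role-name></security-role></web-app>"""

# Constructed: the same constraint with every element spelled correctly and
# no <http-method>, so GET, POST and every other verb are covered.
FIXED = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>JSTL Choose</web-resource-name><url-pattern>/jstlChoose.do</url-pattern>
</web-resource-collection><auth-constraint><role-name>admin</role-name>
<role-name>manager</role-name></auth-constraint></security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>
<security-role><role-name>guest</role-name></security-role></web-app>"""
```

Running lint_web_xml(BROKEN) reports four findings in document order; lint_web_xml(FIXED) reports none.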
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
Hi Narendra,

Thank you for pointing out my blunders. I made the changes and tried to run the code, but even now the results are the same.
I am still able to get the results of jstlChoose.do just by typing the URL in my browser. It doesn't ask me for any user name or password...
What is going wrong?

Regards,
Sushma
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

I had tested this stuff on Tomcat (5.0.28). To make the auth mechanism work, I am running Tomcat with the security option on (I really don't know why it is required). Also I have defined the roles and users in the tomcat-users.xml file. I heard that the Realm used in the latest version is set to something other than the memory realm (some JNDI name), so check your Tomcat server.xml file for the setup. You may be required to change the default realm type. Otherwise there is no error in the web.xml; it should work.

Thanks
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
Hi,

Could you please tell me how to turn the "security option" on... I am really not aware of it. I have added admin and manager roles in tomcat-users.xml, but it was still behaving the same.
I did check server.xml and it has the old memory realm commented out, and a global JNDI realm is there now. I don't know what a "Realm" is and what difference it makes to our application. Could you explain a little?

Thanks in advance,

Regards,
Sushma
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

I cannot explain the realm in technical terms, but a realm is a context in which your password mechanism is bound. There are different realms defined in the server.xml which use JNDI names, or JDBC. These realms use a database to store the usernames, passwords and roles. To use them you have to go through the server documentation. The default realm is the memory realm, which stores all this information in memory and reads the information from the tomcat-users.xml file. To run Tomcat with the security option, add the -security command line option after the executable file when starting Tomcat. See the online documentation provided with Tomcat. The default Tomcat /admin or /manager applications use the security; you can look into the web.xml for these applications. But I am really confused why the security option is required to run the auth mechanism.

Thanks
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

There is really a problem using the security mechanism. I was trying to test the above using Tomcat 5.5.7 on an XP machine with Service Pack 2. It worked one time correctly with the security option on, and then there was no authentication screen. A few minutes later the Tomcat server crashed. There is really something wrong with Tomcat on XP. In the last month I have reinstalled Tomcat at least 3 times. So I installed Tomcat 5.5.7 on another machine running Win 2000. The above web.xml is working fine. It displays the proper Basic auth screen. I think there is really a problem with the firewall which comes with XP SP2. It is unnecessarily blocking some modules and popups.

I had made no change in the server.xml and am running Tomcat in normal mode on Win 2000, and it is working fine. The only change in the above web.xml is that I used the standard user names and roles which are already present in the tomcat-users.xml file.

Can somebody explain what the actual problem with Tomcat and XP is? Are any changes required in the firewall settings?

Thanks
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
Hi,
I am using Tomcat 5.0.28 on Windows Server 2003, and even after using the -security option I didn't get any authentication screen, and now I don't know what to do. I haven't tried it with the standard user names and roles, but I shall try that now.

Regards,

Sushma
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

This is the web.xml I tested:

<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected </web-resource-name>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>tomcat</role-name>
</security-role>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>
index.jsp
</welcome-file>
</welcome-file-list>
</web-app>

For any JSP it shows me the BASIC auth screen.

Thanks