Basic form-based authentication question...

Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi, I'm a newbie to authentication. I've heard of form-based authentication, what is the difference between this and the "old way"? From my knowledge, for the "old way", if you had 10 pages with confidential information, you would've had to put authentication like "if (userLoggedin)" conditions for all 10 pages. Now with form-based authentication, we could configure something for a particular section of your webapp (i.e. a folder called protected) inside the web.xml, so we would no longer need the conditions.

Can someone please elaborate on this or clear it up a little more?

Thanks so much,
Carmen
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42906
    
I'm not quite sure about the old-style scheme you mention (HTTP authentication as used by servlets has been the same for quite a while), but the Tomcat FAQ has a section on web app authentication. It is largely independent of Tomcat, and has links to a number of other helpful resources and articles.
Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Thank you so much Ulf! I will check out the site you recommended!

Thanks,
C
Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024 near bottom of page). I check my Tomcat logs and I see that I have logged in successfully but after I log in, I get message "HTTP Status 403 - Access to the requested resource has been denied". I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In Sql Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="sun.jdbc.odbc.JdbcOdbcDriver"
       connectionURL="jdbc:odbc:testMarvel"
       connectionName="marveluser" connectionPassword="marveluser"
       userTable="users" userNameCol="username" userCredCol="pswd"
       userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>Security constraint for resources in the secure directory</description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>

  <auth-constraint>
    <description>only let the system user login </description>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/LoginForm.html</form-login-page>
    <form-error-page>/LoginError.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <description>The Secure ROLE</description>
  <role-name>manager</role-name>
</security-role>

4. When I try to login using "ghostrider" and "password" (values from my 'username' and 'pswd' columns in my users table). I check the Tomcat logs, I get: "Username ghostrider successfully authenticated" but I get message "HTTP Status 403 - Access to the requested resource has been denied".


Can anyone give me an idea what is wrong? If I take out my realm configuration from server.xml and use the default Tomcat login ("admin" with no password), I get in perfectly.

Thanks so much,
Carmen
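
Added example, not part of the original thread and not Tomcat's own code: a small model of the two lookups a JDBC realm configured as above performs (credential check, then role lookup keyed by the same userNameCol), showing how a login can succeed and still end in a 403 under the manager auth-constraint. SQLite stands in for the SQL Server datasource, and the rows and the helper names (make_db, access, diagnose) are constructed for illustration.

```python
import sqlite3

# Constructed sample data mirroring the post's realm settings: userTable="users",
# userNameCol="username", userCredCol="pswd", userRoleTable="user_roles",
# roleNameCol="rolename". Passwords are plaintext only because the post's are.
def make_db(role_rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pswd TEXT)")
    db.execute("CREATE TABLE user_roles (username TEXT, rolename TEXT)")
    db.execute("INSERT INTO users VALUES ('ghostrider', 'password')")
    db.executemany("INSERT INTO user_roles VALUES (?, ?)", role_rows)
    return db

def authenticate(db, username, password):
    """Step 1, authentication: compare the credential column for this user."""
    row = db.execute("SELECT pswd FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and row[0] == password

def roles_of(db, username):
    """Step 2, role lookup: userRoleTable is also keyed by userNameCol."""
    rows = db.execute("SELECT rolename FROM user_roles WHERE username = ?", (username,))
    return {r[0] for r in rows}

def access(db, username, password, required_role="manager"):
    """Model of the container's decision for a URL under /secure/*."""
    if not authenticate(db, username, password):
        return "login-error-page"      # form-error-page is shown
    if required_role not in roles_of(db, username):
        return 403                     # authenticated, but not in the required role
    return 200

def diagnose(db, username, required_role="manager"):
    """Explain a 403: list the roles the lookup returns, compared exactly."""
    found = roles_of(db, username)
    if not found:
        return f"no user_roles rows for {username!r}"
    if required_role not in found:
        return f"{username!r} has {sorted(found)}, needs {required_role!r}"
    return "ok"

if __name__ == "__main__":
    # Constructed cases: no role row, a near-miss role value, the exact role.
    for rows in ([], [("ghostrider", "Manager ")], [("ghostrider", "manager")]):
        db = make_db(rows)
        print(rows, access(db, "ghostrider", "password"), diagnose(db, "ghostrider"))
```

Running the same role query against the real user_roles table shows whether the authenticated user actually maps to the role named in the auth-constraint.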
 