Hi, I'm a newbie to authentication. I've heard of form-based authentication; what is the difference between this and the "old way"? From my knowledge, for the "old way", if you had 10 pages with confidential information, you would've had to put authentication like "if (userLoggedin)" conditions on all 10 pages. Now with form-based authentication, we could configure something for a particular section of your webapp (i.e. a folder called protected) inside the web.xml, so we would no longer need the conditions.
Can someone please elaborate on this or clear it up a little more?
I'm not quite sure about the old-style scheme you mention (HTTP authentication as used by servlets has been the same for quite a while), but the Tomcat FAQ has a section on web app authentication. It is largely independent of Tomcat, and has links to a number of other helpful resources and articles.
Thank you so much Ulf! I will check out the site you recommended!
Hi, I'm looking at a form-based authentication example (downloaded from http://www.onjava.com/lpt/a/1024 near the bottom of the page). I check my Tomcat logs and I see that I have logged in successfully, but after I log in, I get the message "HTTP Status 403 - Access to the requested resource has been denied". I'm using a SQL Server 2000 ODBC datasource.
I downloaded the above webapp and made the following changes:
1. In Sql Server 2000: I have a "users" table with username and pswd columns
3. Added "manager" from my "user_roles" table to a role in my web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <description>Security constraint for resources in the secure directory</description>
        <url-pattern>/secure/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>only let the system user login</description>
        <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
4. When I try to log in using "ghostrider" and "password" (values from my 'username' and 'pswd' columns in my users table), I check the Tomcat logs and I get: "Username ghostrider successfully authenticated", but I get the message "HTTP Status 403 - Access to the requested resource has been denied".
Can anyone give me an idea what is wrong? If I take out my realm configuration from servers.xml and use the default Tomcat login ("admin" with no password), I get in perfectly.
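The symptom in the post (the log says the user authenticated, yet the secure page returns 403) comes from the container doing two separate database lookups: one against the users table for the credentials, and a second against the user_roles table for the roles named in the auth-constraint. The following is an added model of that two-step decision, not Tomcat's code or anything from the thread; it uses an in-memory SQLite stand-in for the poster's SQL Server tables, assumes the user_roles table has columns username and role_name (the post does not show them), and stores a SHA-256 digest instead of the clear-text pswd value.

```python
import hashlib
import hmac
import sqlite3


def build_db(role_rows):
    """Constructed in-memory stand-in for the poster's tables.

    users(username, pswd) follows the post; user_roles(username, role_name)
    is an assumed layout. role_rows lets the caller decide which role
    mappings exist, which is exactly what decides between 200 and 403.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pswd TEXT NOT NULL)")
    db.execute("CREATE TABLE user_roles (username TEXT NOT NULL, role_name TEXT NOT NULL)")
    # Store a digest rather than the clear-text password.
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("ghostrider", hashlib.sha256(b"password").hexdigest()))
    db.executemany("INSERT INTO user_roles VALUES (?, ?)", role_rows)
    return db


def authenticate(db, username, password):
    """Step 1: credential check against the users table (the 'successfully authenticated' log line)."""
    row = db.execute("SELECT pswd FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], candidate)


def roles_for(db, username):
    """Step 2: role lookup from user_roles, the query behind <auth-constraint>."""
    rows = db.execute("SELECT role_name FROM user_roles WHERE username = ?", (username,)).fetchall()
    return {r[0] for r in rows}


def access(db, username, password, allowed_roles):
    """Model the container's decision for a protected URL.

    401: credentials rejected. 403: credentials accepted but none of the
    user's roles appear in the auth-constraint. 200: allowed.
    """
    if not authenticate(db, username, password):
        return 401
    if roles_for(db, username).isdisjoint(allowed_roles):
        return 403
    return 200
```

If a login that the log reports as authenticated still gets 403, query the user_roles table for that username directly: an empty result, or a role name that does not match the role-name in web.xml, reproduces the error exactly as the model does.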