Basic form-based authentication question...

Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi, I'm a newbie to authentication. I've heard of form-based authentication; what is the difference between this and the "old way"? From my knowledge, for the "old way", if you had 10 pages with confidential information, you would've had to put authentication like "if (userLoggedin)" conditions for all 10 pages. Now with form-based authentication, we could configure something for a particular section of your webapp (i.e. a folder called protected) inside the web.xml, so we would no longer need the conditions.

Can someone please elaborate on this or clear it up a little more?

Thanks so much,
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41123
I'm not quite sure about the old-style scheme you mention (HTTP authentication as used by servlets has been the same for quite a while), but the Tomcat FAQ has a section on web app authentication. It is largely independent of Tomcat, and has links to a number of other helpful resources and articles.

Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Thank you so much Ulf! I will check out the site you recommended!

Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi, I'm looking at a form-based authentication example (downloaded from near bottom of page). I check my Tomcat logs and I see that I have logged in successfully but after I log in, I get message "HTTP Status 403 - Access to the requested resource has been denied". I'm using a SQL Server 2000 ODBC datasource.

I downloaded the above webapp and made the following changes:

1. In Sql Server 2000: I have a "users" table with username and pswd columns

2. Added realm to Tomcat's \conf\server.xml:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
connectionURL="jdbc:odbc:testMarvel"
connectionName="marveluser" connectionPassword="marveluser"
userTable="users" userNameCol="username" userCredCol="pswd"
userRoleTable="user_roles" roleNameCol="rolename" />

3. Added "manager" from my "user_roles" table to a role in my web.xml:

<description>Security constraint for resources in the secure directory</description>

<auth-constraint><description>only let the system user login </description>
<description>SSL not required</description>


<description>The Secure ROLE</description>

4. When I try to log in using "ghostrider" and "password" (values from the 'username' and 'pswd' columns in my users table) and check the Tomcat logs, I get: "Username ghostrider successfully authenticated", but I get the message "HTTP Status 403 - Access to the requested resource has been denied".

Can anyone give me an idea what is wrong? If I take out my realm configuration from server.xml and use the default Tomcat login ("admin" with no password), I get in perfectly.

Thanks so much,
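
Added example, not part of the thread or of the downloaded sample webapp: a 403 after a successful login is what a servlet container returns when the authenticated user holds none of the roles named in the matching auth-constraint, and this Python check evaluates that rule against a web.xml. The descriptor, the /secure/* path and the function names matches and decide are constructed for illustration; only the first matching constraint is evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not the poster's file): FORM login, /secure/* needs role "manager".
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""

def matches(pattern, path):
    """Exact and '/prefix/*' url-pattern matching (extension patterns omitted)."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def decide(web_xml, path, user_roles):
    """Outcome for the first constraint matching path. user_roles is None before
    login, else the role names the realm returned (compared case-sensitively)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        if not any(matches(p.text.strip(), path) for p in sc.iter("url-pattern")):
            continue
        auth = sc.find("auth-constraint")
        if auth is None:
            return "allow"                      # constraint without a role check
        allowed = {r.text.strip() for r in auth.findall("role-name")}
        if "*" in allowed:
            allowed = declared                  # "*" means every declared role
        if not allowed:
            return "403"                        # empty auth-constraint denies everyone
        if user_roles is None:
            return "login"                      # container shows the login form
        return "allow" if allowed & set(user_roles) else "403"
    return "allow"                              # path is not protected
```

Passing the role names the realm's role table actually returns for a user shows whether the login will end in a 403: an empty set or a name that differs only in case from the one in web.xml both do.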