JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Secure Servlet problem

Derek Zeng
Greenhorn

Joined: Aug 25, 2006
Posts: 16
In the web.xml file, I set <role-name> in <auth-constraint> to "*".
But it still comes back with a 403 error.
The following is the code.
What is the problem? Please help me.

web.xml:
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<servlet>
<servlet-name>CheckedServlet</servlet-name>
<servlet-class>webcert.ch05.ex0502.CheckedServlet</servlet-class>
<security-role-ref>
<role-name>MGR</role-name>
<role-link>manager</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>CheckedServlet</servlet-name>
<url-pattern>/CheckedServlet</url-pattern>
</servlet-mapping>

<security-constraint>
<web-resource-collection>
<web-resource-name>TheCheckedServlet</web-resource-name>
<url-pattern>/CheckedServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<role-name>manager</role-name>
</security-role>

</web-app>


SCJP 5.0
Preparing SCWCD...
Manikandan Jayaraman
Ranch Hand

Joined: Sep 15, 2004
Posts: 230
A 403 status means forbidden. An auth constraint with role-name * will make the resource constrained for all users.

You have given little information regarding your problem. How did you access the resource, and which methods does your servlet support? Did you authenticate before you tried to access your resource?

Can you explain your flow?


Regards,
Mani
SCJP 1.4 (95%)
SCWCD 1.4 (94%)
Derek Zeng
Greenhorn

Joined: Aug 25, 2006
Posts: 16
I am using Windows and Tomcat.
I access the resource by the following URL: http://localhost:8080/ex0502/CheckedServlet.
CheckedServlet.java is just some simple test code.
It supports the doGet() & doPost() methods.
If web.xml is changed to the following, it works fine.

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<servlet>
<servlet-name>CheckedServlet</servlet-name>
<servlet-class>webcert.ch05.ex0502.CheckedServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CheckedServlet</servlet-name>
<url-pattern>/CheckedServlet</url-pattern>
</servlet-mapping>

</web-app>

How can I authenticate?
Bob CHOI
Ranch Hand

Joined: Nov 10, 2006
Posts: 127
- Did the servlet intend to send 403?
- If not, restart the browser and you'll get through; "*" means all user roles are allowed to gain access to the resources you mean.
- Add the declarations below to web.xml; then authentication will pop up.

[ January 14, 2007: Message edited by: Bob CHOI ]

Hard work rewards
Manikandan Jayaraman
Ranch Hand

Joined: Sep 15, 2004
Posts: 230
Hi,

There is a basic confusion here... Security Constraint is NOT ABOUT ALLOWING ACCESS... it is about CONSTRAINING ACCESS...

When you say "*", you mean that you restrict all roles from accessing the resource. So you have to go through authentication.

If you want to allow all resources, then remove the security-constraint.
Bob CHOI
Ranch Hand

Joined: Nov 10, 2006
Posts: 127
Excerpt from servlet spec p143 §17:

"The auth-constraint indicates the user roles that should be permitted access to this resource collection."
Derek Zeng
Greenhorn

Joined: Aug 25, 2006
Posts: 16
I removed the following code, and it works.
I am confused by the "*".
Thanks Manikandan!

<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
Bob CHOI
Ranch Hand

Joined: Nov 10, 2006
Posts: 127
If the security mechanism is concerned simply with authentication (A) and authorization (A), the scenarios below demonstrate how the basics work.

assumption:

- client access to "hello.jsp" is required to be AAed
- hello.jsp is located under web app root "myapp"
- Tomcat has created a few default user-password-role mappings; we'll use the one "tomcat-tomcat-tomcat"

hello.jsp:



web.xml config-1:



call flow:

1. client requesting http://localhost/myapp/hello.jsp
2. server asking for authentication
3. client popping up authentication window
4. user typing "tomcat", "tomcat"
5. client requesting http://localhost/myapp/hello.jsp with encoded authentication info
6. server verifying and authorizing the access
7. "hello tomcat" returning to client

web.xml config-2: use "*" for permitting all roles
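Bob's config-1 and config-2 did not survive on the page, so the following is an added example (not the original attachments) of a web.xml that covers both variants together with the login-config whose absence produces the 403 seen at the top of the thread. It assumes the web app "myapp" with hello.jsp at its root, and the tomcat/tomcat/tomcat entry from Tomcat's default tomcat-users.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. Assumes web app "myapp",
     hello.jsp at its root, and a realm that knows user "tomcat" with
     password "tomcat" in role "tomcat" (Tomcat's default tomcat-users.xml). -->
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <!-- config-1: only authenticated users in role "tomcat" may reach hello.jsp.
       Listing a role here also restricts; it never opens the resource to
       anonymous clients. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hello</web-resource-name>
      <url-pattern>/hello.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
      <!-- config-2: replace the line above with
             <role-name>*</role-name>
           "*" is shorthand for every role declared in <security-role>,
           so the user must still authenticate and hold one of them. -->
    </auth-constraint>
  </security-constraint>

  <!-- This block is what the first web.xml in the thread lacks. Without a
       login-config Tomcat has no way to challenge the client, so any
       auth-constraint (including "*") is answered with 403 instead of a
       BASIC prompt. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myapp</realm-name>
  </login-config>

  <!-- Roles that "*" expands to. A role used by the realm but not declared
       here is not matched by "*", so keep this list in step with the realm. -->
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>

</web-app>
```

With config-1 or config-2 in place, the call flow Bob lists above is exactly what happens: the first request gets a 401 challenge, the browser prompts, and the retried request carries the BASIC credentials.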
