Security Constraint

JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
I do not fully understand how security constraint works. For example, I have the <security-constraint> and <security-role> tags as follows:

My database contains the information of all registered members:

Advisors will be directed to Page A, editors will be directed to Page E and contributors will be directed to Page C depending on the returning value of the method isUserInRole(). But, I do not know how to use isUserInRole().
For example, after John fills out the username and password in the logon form, I search the database to see if there is John in the database and I verify the "read in" password. The information regarding the "role" of John can only be found in the database. The method isUserInRole takes contributor/editor/advisor/administrator as its parameter. I am missing the link between John and his role as a contributor and isUserInRole().
I use Tomcat.
[ October 03, 2003: Message edited by: JiaPei Jen ]
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

You are trying to manage authentication manually, but you need to configure Tomcat so that it manages it for you. I haven't done it in Tomcat for quite a while, but you need to have a look at the Tomcat JDBCRealm in the REALM HOW-TO to hook in authentication details when they are kept in the database.
Dave
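An added example, not part of any post in this thread: once Tomcat authenticates the user through a Realm, the container holds the user's roles and `isUserInRole()` can be called without any database lookup in application code. The servlet name and the page paths are hypothetical; the role names are the ones from the question. A redirect is not access control, so each target page still needs its own `<security-constraint>` for its role.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: landing servlet mapped to a URL that is covered by a
 * <security-constraint>. Assumes Tomcat has already authenticated the
 * user through a Realm (for example JDBCRealm), which loaded the user's
 * roles at login. The servlet never sees the password and never queries
 * the user tables itself.
 */
public class RoleDispatchServlet extends HttpServlet {

    // Hypothetical page paths; the thread only names them Page A, E and C.
    private static final String[][] ROLE_PAGES = {
        {"advisor", "/pageA.jsp"},
        {"editor", "/pageE.jsp"},
        {"contributor", "/pageC.jsp"},
    };

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getRemoteUser() is null when the container did not authenticate
        // the request, e.g. the URL is not covered by a security constraint.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        for (int i = 0; i < ROLE_PAGES.length; i++) {
            // Answered by the container from the roles the Realm loaded
            // for this user; nothing here trusts a request parameter.
            if (req.isUserInRole(ROLE_PAGES[i][0])) {
                resp.sendRedirect(req.getContextPath() + ROLE_PAGES[i][1]);
                return;
            }
        }
        // Authenticated, but holds none of the roles mapped to a page.
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}
```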
Sainudheen Mydeen
Ranch Hand

Joined: Aug 18, 2003
Posts: 218
Hi JiaPei Jen
As David mentioned, you are trying manually. I think you have to work with the tomcat-users.xml file, which is located in the <tomcat-root>\conf directory. This file already has some username, password and role information in it.

You can add new users and use those methods.
-------------
Sainudheen
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

No, you only use the tomcat-users.xml file if you are using the "MemoryRealm" Realm for Tomcat. See the link I posted above. The JDBCRealm uses database tables and not files. I don't think you can mix the two.
Dave
JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
I followed the instructions on using the JDBCRealm. However, I could not start the Tomcat server after I inserted

within the <Engine> tag in the $CATALINA_HOME/conf/server.xml file.
I first inserted the aforementioned Realm within the <context> tag in the $CATALINA_HOME/conf/server.xml and I was unable to start the Tomcat server. I then moved the Realm inside the <Engine> tag, but it did not help.
By the way, do you think the user and password given in the JDBCRealm are correct? I configured database username and password for use by Tomcat in the $CATALINA_HOME/conf/server.xml this way:

And I have used this database many times without problem.
[ October 07, 2003: Message edited by: JiaPei Jen ]
 