request. get User Principal(). getName() do not retreive user name

Hi in my application i want to secure my jsp pages, i dont want the pages to be viewed directly by copying the url in short i want to make them password protected unless a user sign in user cannot see the further pages, in order to achieve this i added security-constraint in my web.xml

web.xml

and my tomcat-users.xml

now when i log in the appliction with username admin i am unable to see the page http://loclhost:8080/BankBoard/secure/welcomepage.

also in my UserValidation Servlet when i try to print the username
System.out.print(request.getUserPrincipal().getName()) it does not display the username rather its a blank space also the if(request.isUserInRole("admin")) does not results true.

any suggestions please..

[ Edited to fix code tags - Paul Sturrock ]
[ October 07, 2008: Message edited by: Paul Sturrock ]

What does "i am unable to see the page" mean? What response does the server return?

What does "request.getRemoteUser()" return?

when i enter the URL http://loclhost:8080/BankBoard/secure/welcomepage it says
"Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address. "

and it shows a blank line when i print System.out.println("the user name"+request.getUserPrincipal().getName()) it is not even showing the phrase "the username"

also the if loop is not validating to be true
if(request.isUserInRole("admin"))
System.out.println("admin");

it is not printing "admin" instead a blank line is shown..

request.getRemoteUser() prints null
[ October 07, 2008: Message edited by: ruquia tabassum ]

Does the application work if you remove all the security stuff from web.xml?

I noticed that the <security-role> tag looks incomplete, or was that just a copy/paste mistake?

yeah it work fine if i remove all the security stuff
its a copy paste mistake

web.xml
[code]

<security-constraint>
<web-resource-collection>
<web-resource-name>admin</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

</security-constraint>

<security-role>
<role-name>admin</role-name>
</security-role>

You also have a login-config tag in the web.xml, correct? And HTTPS in general is working fine?

no i did not add a <login-config> element , the way its getting authenticated is once the user enters username and password and clicks LogOn button UserValidation Servlet authenticate the user credentials refering to the entries in the database.
The application is not working with HTTPS..with http://localhost:8080/BankBoard it shows login page
with https://localhost:8080/BankBoard it says
"Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address. "
[ October 07, 2008: Message edited by: ruquia tabassum ]

Without a login-config element the other authentication tags won't take effect.

But it sounds anyway like you need to get HTTPS working first. See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html for how to do that.

My Https is working now ..
on accessing the page https://localhost:8443/BankBoard/secure/welcomepage
it says

"HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden."

where as https://localhost:8443/BankBoard displays the login page

[ October 07, 2008: Message edited by: ruquia tabassum ]
[ October 07, 2008: Message edited by: ruquia tabassum ]

a bit confused wether the user credentials entered are to be checked refering database or leave it on form based authentication which cheks it referring the tomcat-users.xml file?

Originally posted by ruquia tabassum:
a bit confused wether the user credentials entered are to be checked refering database or leave it on form based authentication which cheks it referring the tomcat-users.xml file?

That depends on how you have configured it in the server.xml file. Somewhere in it is a <Realm> element that specifies which realm implementation is used.

server.xml file contains the database realm
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>

actually i want my login page to give an alert message when there is a wrong username and password for that on clicking logon it makes ajax calls and the responsible servlet checks the credentials referring database, based on the servlet response i am directing the control either to welcome page or raising a popup.As welcome page is secure so i dont want the direct access to that page and i employed form based authentication... now whenever i try to acces the welcome page it gives me the unformatted login page with username and password fields scattered here and there.
please give me a clear picture of form based authentications...

You can make the login page anything you want (in terms of the HTML), but if you want to use AJAX calls for checking credentials, then that's not supported by the standard security built into the container.

You can use a database instead of the XML file by switching to some other realm, maybe JDBCRealm or DataSourceRealm. The Tomcat documentation explains how to set those up.

i modified my server.xml file as
server.xml
[code]

<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99" driverName="net.sourceforge.jtds.jdbc.Driver"
connectionURL="jdbc:jtds:sqlserver://DCSRV02:1433/REGISTRATION_TEMP_LTR_PRINT;username=sa;password=water"
connectionName="sa" connectionPassword="water"
userTable="login1" userNameCol="loginname" userCredCol="password"
userRoleTable="loginuser" roleNameCol="role"
/>

and my Login.jsp which has flash contents,input fields..
Login.jsp
[code]
<BODY bgcolor="#ffffff" onlod="GetUserMachineName();">
<FORM METHOD="POST" NAME="homeform" action="j_security_check">
<div ID=firstbar > </div>
<div ID=secondbar >
<label ID=welcomelabel >
Welcome To BankBoard </label>
</div>

<label ID=enterlabel >
Enter Your Login Information and click LogOn </label>
<label ID=system >System</label>
<input ID=inputsystem type="text" name="system"><BR>

<label ID=uname >User Name</label>
<input ID=inputuname type="text" name="j_username"><BR>
<label ID=password >Password</label>
<input ID=inputpassword type="password" name="j_password">
<input type="submit" value="LogOn" ID=logon onclck="homeFieldValidation();" >

</FORM>

Now on accessing https://localhost:8443/BankBoard/ it has an achor tag that take to Login.jsp, on entering the credentials and clicking button LogOn it again shows the login page which is unformatted without flash contents input fields scattered with the link https://localhost:8443/BankBoard/secure/welcomepage in address bar.
[ October 08, 2008: Message edited by: ruquia tabassum ]