
Unable to get authentication and authorization working.

Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
Hello ranchers,
I was trying the security stuff mentioned in chapter 12 of Head First Servlets and JSP. I was trying to design a login screen with form based authentication (basic authentication was not working).

web.xml



My webapp is deployed as "testtool". Now I want to constrain all the resources that are present in the testool, and hence you will see the url-pattern defined in the security constraint element.

1) What is wrong? When I access the URL http://localhost:8080/testtool/ , I get the below error

HTTP Status 404 - /testtool/
type Status report
message /testool/
description The requested resource (/testool/) is not available.


If I access one of the internal pages present in the JSP, it shows up without asking for authentication. I was expecting that, because of the security constraint elements defined, any request to the resources would be intercepted with the form based authentication. Can anyone figure out why this is not working?


SCJP, SCWCD, SCBCD
udaykumar maddigatla
Ranch Hand

Joined: Feb 03, 2009
Posts: 69
Hi
Here it seems everything is OK.

Did you define the role in your server?

If you are using Tomcat, you should define the role in the tomcat-users.xml file.

If you have done the above step, try to check once again and just remove the <user-data-constraint> entry in web.xml (it's just for testing).


Did you define the login and error pages in your application?


SCJP 5.0(84%), SCWCD 5.0(97%), SCDJWS 5.0(98%)
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
I changed the login-config as below



So that at least the browser asks for credentials, but no, it does not work.
Yes, I had defined the role in the tomcat-users.xml.


One more question.
Is this a good idea to build authentication and authorization? If not, should I be using JAAS? If yes, can you point me to some simple sample code to achieve it?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
When i access the URL http://localhost:8080/testtool/ , i get the below error

HTTP Status 404 - /testtool/
type Status report
message /testool/
description The requested resource (/testool/) is not available.

There's a disconnect somewhere here. The URL you mention contains testtool, yet the error message mentions testool.

Is this a good idea to build authentication and authorization? If not, should I be using JAAS? If yes, can you point me to some simple sample code to achieve it?

JAAS is not part of the SCWCD, so you don't need to worry about it. And no, there are no simple examples using JAAS - it is by its nature not simple. But it's also something that for pure web apps you generally don't need. And yes, people often find the built-in authentication/authorization stuff insufficient and build their own; it's not that hard.


Ping & DNS - updated with new look and Ping home screen widget
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
I got the authentication and authorization working using a database realm and the Tomcat web container.
Now I am facing a new issue.
In case I include

Upon requesting a constrained resource like http://localhost:8080/testtool , as expected the web container redirects to https://localhost:8443/testtool and the web page shows the following error

This webpage is not available.
The webpage at https://localhost:8443/testtool might be temporarily down or it may have moved permanently to a new web address.


As you see, it's a must for me to include the user data constraint for obvious security reasons. Can anyone let me know what's going on?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
https://localhost:8443/testtool/

Can you access that page directly, meaning, is SSL set up correctly on the server? If not, see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for the steps to follow.
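For reference, the server-side half of that redirect, as an added example that is neither code from this thread nor a copy of Tomcat's own documentation: the HTTPS connector that server.xml needs before a CONFIDENTIAL transport guarantee has anywhere to land. With FORM authentication the username and password travel exactly once, in the POST body to j_security_check; afterwards the browser holds only the JSESSIONID cookie, and the transport guarantee is what keeps both that POST and the cookie off plaintext HTTP. The keystore path and password are placeholders, and the attribute set is the Tomcat 6 one that the linked ssl-howto describes (Tomcat 5.5 omits `protocol` and `SSLEnabled`); check the howto for the installed version.

```xml
<!-- server.xml fragment (added example; keystore values are placeholders).
     The plain connector's redirectPort is where Tomcat sends a request that
     hits a CONFIDENTIAL security constraint over http, which is why the
     thread's request to :8080 bounced to :8443. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- The target of that redirect. Without this connector (or with a broken
     keystore) the browser reports the site as unavailable. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/tomcat.jks"
           keystorePass="CHANGE_ME" />

<!-- web.xml side: the constraint that triggers the redirect. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole app</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

A quick check before blaming the constraint: open https://localhost:8443/ directly. If that fails, the connector or keystore is the problem, not web.xml; the redirect itself only proves that the constraint is being applied.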
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
Yes, I tried accessing https://localhost:8443/testtool/ directly through a browser, and it says This webpage is not available.
I hope the document that you have shared has all the details to fix this.

I had a few queries
a) Where do the credentials get stored on the client side? I am suspecting as a cookie?
b) If the credentials are saved as a cookie, then are they plain text?
c) If I use the user-data-constraint tag, then will the credentials get saved in an encrypted way?

Thanks for your time. I really appreciate.
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
Any suggestions how to get user-data-constraint working?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
How have you set up SSL? Did you follow all the steps listed on that page?
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
I completely forgot that you had replied to my question. I am sorry for that.
I will read that document and try it out.
Thanks for replying again.
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
Thanks a lot, got it working.
After getting everything to work on my dev box, I got stuck on another problem at the so-called production box (Linux).

I do not have write permissions to the following directories under tomcat installation directory

bin common conf doc LICENSE logs RELEASE-NOTES RUNNING.txt server shared temp webapps work


I have access to the following folders
conf hiberbate.log logs temp webapps work

I am using a database realm and hence I have modified the server.xml as follows

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" driverName="com.mysql.jdbc.Driver" connectionURL="jdbc:mysql://localhost/rsvp?user=root&amp;password=root" connectionName="root" connectionPassword="root" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />

At Tomcat startup, I get the following exception with org.gjt.mm.mysql.Driver, com.mysql.jdbc.Drive and java.sql.Driver (changed the driver each time)

This is because somehow Tomcat at startup is not able to find the driver class (I have not placed the corresponding jar files under server/lib or common/lib because I do not have write permission).
I have a script file that starts Tomcat, and hence I modified the file to include the jar file before starting Tomcat as follows



The path "/data/temp/appserver/tomcat-based/server/webapps/mytool/WEB-INF/lib/mysql-connector-java-5.0.6.jar" is correct and does point to the jar file.

Is there a way to get it working without touching "bin common conf doc LICENSE logs RELEASE-NOTES RUNNING.txt server shared temp webapps work" under jakarta-tomcat5, as I do not have write permissions?
Help is appreciated.
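Two things about the realm definition above deserve a second look from a security standpoint, and the fragment below is an added example (not the poster's configuration and not from the Tomcat docs) that shows the weak form beside a hardened one. First, the database account is root, and its password appears three times (twice in attributes, once in the JDBC URL). Second, JDBCRealm without a `digest` attribute compares the submitted password against the `user_pass` column as clear text, which means the users table itself stores plaintext passwords. The replacement account name and password are placeholders. The driver still has to live where the server class loader can see it (common/lib or server/lib, as Ulf says), because the realm is loaded by the server, not by the webapp.

```xml
<!-- As posted, minus the debug attribute (ignored by Tomcat 5.5+):
     root credentials, repeated in the URL, and no digest, so the
     users.user_pass column holds plaintext passwords. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/rsvp?user=root&amp;password=root"
       connectionName="root" connectionPassword="root"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />

<!-- Hardened (added example; account name and password are placeholders):
     - a dedicated DB account that only needs SELECT on users and user_roles,
       granted in MySQL rather than borrowing root;
     - credentials given once, not also inside the JDBC URL;
     - digest="SHA-256": Tomcat passes this name to
       java.security.MessageDigest and compares hex digests, so user_pass
       stores SHA-256(password) instead of the password itself. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/rsvp"
       connectionName="tomcat_realm" connectionPassword="CHANGE_ME"
       digest="SHA-256"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />
```

Two caveats. The digest Tomcat applies here is an unsalted hash, so it raises the cost of an offline guess but does not make the table safe to leak; it is still strictly better than plaintext, and the rows must be written with the same digest (the Tomcat docs describe `RealmBase` for producing it). And JDBCRealm serialises all lookups through a single connection; the Tomcat docs recommend DataSourceRealm, which takes the same table and column attributes but draws connections from a JNDI DataSource, for anything beyond a test box.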
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
(Moving this to the servlet forum, as it has nothing to do with the exam any more.)

I'd have the server admin put the jar file into TOMCAT_HOME/server/lib. That's much better than to alter the startup script.
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
Yes, it does not have anything to do with the exam anymore.
Thanks.
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
I have one question here.
How should I design the sign out or log out?
Do I need to clear/delete the JSESSIONID cookie? If yes, how can I do this? I know we have the Cookie API, but how can I get the exact cookie for a specific session?
Frank Eichfelder
Ranch Hand

Joined: Aug 25, 2003
Posts: 33
Just call

This will invalidate the session on the server, therefore you don't have to care about the session cookie.
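A sign-out endpoint built on exactly that call, as an added example rather than code from the thread; the servlet name and its URL mapping are assumptions. The one design point it adds to Frank's answer is the redirect: the container checks security constraints on requests arriving from the client, not on RequestDispatcher forwards, so invalidating the session and then forwarding to a protected page would still render that page within the current, already-authorized request. Sending the browser away and letting it come back is what makes the login form reappear.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Sign-out endpoint for container-managed (FORM) authentication.
 * Added example: map it in web.xml, e.g. to /signout, and point the
 * header's Sign Out link at that path.
 */
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): never create a session as a side effect of signing out.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Drops the server-side session. The JSESSIONID cookie the browser
            // still holds now refers to nothing, so it need not be deleted by hand;
            // the container issues a fresh id on the next login.
            session.invalidate();
        }
        // Keep proxies and the back button from serving a cached "signed in" page.
        resp.setHeader("Cache-Control", "no-store");
        // Redirect, not forward: a forward stays inside this request and is not
        // re-checked against the security constraints. A new request from the
        // browser to a protected URL is what triggers the login form again.
        resp.sendRedirect(req.getContextPath() + "/");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

The matching web.xml entries are a `<servlet>` for `LogoutServlet` and a `<servlet-mapping>` with `<url-pattern>/signout</url-pattern>`; leaving /signout outside the security constraint avoids being asked to log in in order to log out. Servlet 3.0 and later additionally offer `request.logout()`, which clears the container's notion of the authenticated user without relying on session invalidation.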
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
Damn, I forgot my Session APIs
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
I am using web container based sessions as described in the above posts.
I need to display Sign In or Sign Out and hence I tried the below code


But the problem is the if condition always evaluates to true. How can I determine if the session does not exist, so I can display Sign In, and once the user signs in and a session is created I want to display Sign Out?

I even tried session.isNew().


Even if I enter wrong credentials, the session.isNew() method returns false and I see Sign Out, when I should have seen Sign In as I never entered the correct credentials.
Mohamed Inayath
Ranch Hand

Joined: Nov 22, 2004
Posts: 124
request.getSession(false) will only return null when the request has no valid HttpSession.

So it does not always return true.

Yes, if you have disabled cookies it could be possible.


session.isNew() will return true if the client does not have a session.

Again, if the user has disabled the use of cookies, then a session would be new on each request.

So have a look at the way you are at the client end.
Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
thanks for your reply.
I understand the functionality, but the thing is, how should I get sign in/sign out working?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
It looks to me like the logic on both code snippets you posted is incorrect. In the first case, if there is no session, then you want to display "sign in", not "sign out". In the second case, if isNew returns true, then a session has just been created, and so presumably the user credentials were OK - in which case "sign out" should be displayed, not "sign in".
Mohamed Inayath
Ranch Hand

Joined: Nov 22, 2004
Posts: 124
1. Are you using the functionality with cookies enabled?
2. Are you using a custom cookie?


Deepak Jain
Ranch Hand

Joined: Aug 05, 2006
Posts: 637
1) Are you using the functionality with cookies enabled? -- YES, cookies are enabled on my browser. To log out, currently I am clearing the browser cookies, thereby when I key in the URL for my webapp it shows the login screen. Hence I need a Sign Out link.
2) Are you using a custom cookie? No, I am not using custom cookies. I am using container based authentication and authorization (as described in the Head First Servlets and JSP security chapter).


I want to show a sign out link so that the user can click on it, and the next time he/she points the browser to my web app, the container presents them with a login screen. I do not want a sign in link as it does not make sense in my scenario.

I) I have a header.jsp (which displays normal headings, and I want a sign out link at the right corner). Since header.jsp is common to
a) the login page login.jsp
b) the rest of the application JSPs that show the webapp,
I wanted to implement the Sign Out link in header.jsp.
Hence, in header.jsp, what conditions should I check so that I can display the Sign Out href?
II) Further, I have the href pointed to signout.jsp, which has the following code

I am hoping the above forward will throw a login screen, since the session is already invalidated.

All the things that I have mentioned above are not working.
Can you guys help me with this?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
You shouldn't keep any of this logic in JSPs. It belongs in a servlet, where you can ascertain what the request has (session, cookies, credentials, etc.) and then take appropriate action based upon that.
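Putting Mohamed's explanation of getSession(false)/isNew() and Ulf's advice together in the servlet layer, as an added example that is not code from the thread: with container-managed authentication, "is this user signed in?" is answered by `request.getRemoteUser()` (or `getUserPrincipal()`), not by whether a session exists. A session normally exists before anyone logs in: login.jsp creates one by default unless it declares `session="false"`, and Tomcat's FORM authenticator keeps the original request in the session while the form is shown. That is why `isNew()` came back false after a failed login. The filter below computes the state once per request and publishes it as a request attribute that header.jsp can read; the class name, the attribute name and the URL pattern are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example. Decides, per request, whether the container has
 * authenticated the caller and exposes the answer to the views.
 * Map it to /* in web.xml so header.jsp sees it on every page.
 */
public class AuthStateFilter implements Filter {

    /** Request attribute read by header.jsp (name is an assumption). */
    public static final String SIGNED_IN = "signedIn";

    public void init(FilterConfig config) {
        // No configuration needed.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        request.setAttribute(SIGNED_IN, Boolean.valueOf(isSignedIn(req)));
        chain.doFilter(request, response);
    }

    /**
     * The container fills in getRemoteUser() only after j_security_check has
     * accepted the credentials. Session existence says nothing about that:
     * the login page and the saved-request mechanism both create a session
     * before anyone has logged in, so getSession(false) != null and
     * !isNew() are both true for a visitor who has never authenticated.
     */
    static boolean isSignedIn(HttpServletRequest req) {
        return req.getRemoteUser() != null;
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

header.jsp then needs no Java at all: with JSTL, `<c:if test="${signedIn}"><a href="${pageContext.request.contextPath}/signout">Sign Out</a></c:if>` shows the link only to authenticated users, and on login.jsp itself the attribute is always false, so the link stays hidden there without any special case. Role-specific links use `request.isUserInRole(...)` the same way.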
Mohamed Inayath
Ranch Hand

Joined: Nov 22, 2004
Posts: 124
You can have a SIGNOUT/LOGOUT link in the header.jsp