Unable to get authentication and authorization working.

 
Ranch Hand
Hello ranchers,
I was trying the security stuff mentioned in chapter 12 of Head First Servlets and JSP. I was trying to design a login screen with form-based authentication. (Basic authentication was not working.)

web.xml



My webapp is deployed as "testtool". Now I want to constrain all the resources that are present in the testtool, and hence you will see the url-pattern defined in the security-constraint element.

1) What is wrong? When I access the URL http://localhost:8080/testtool/, I get the below error

HTTP Status 404 - /testtool/
type Status report
message /testool/
description The requested resource (/testool/) is not available.


If I access one of the internal pages present in the JSP, it shows up without asking for authentication. I was expecting that, because of the security-constraint elements defined, any request to the resources would be intercepted with the form-based authentication. Can anyone figure out why this is not working?
 
Ranch Hand
Hi,
Here it seems everything is OK.

Did you define the role in your server?

If you are using Tomcat, you should define the role in the tomcat-users.xml file.

If you have done the above step, try to check once again and just remove the <user-data-constraint> entry in web.xml (it's just for testing).


Did you define the login and error pages in your application?

 
Deepak Jain
Ranch Hand
I changed the login-config as below



so that at least the browser asks for credentials, but no, it does not work.
Yes, I had defined the role in the tomcat-users.xml.


One more question.
Is this a good idea to build authentication and authorization? If not, should I be using JAAS? If yes, can you point me to some simple sample code to achieve it?
 
Rancher

When I access the URL http://localhost:8080/testtool/, I get the below error

HTTP Status 404 - /testtool/
type Status report
message /testool/
description The requested resource (/testool/) is not available.


There's a disconnect somewhere here. The URL you mention contains testtool, yet the error message mentions testool.

Is this a good idea to build authentication and authorization? If not, should I be using JAAS? If yes, can you point me to some simple sample code to achieve it?


JAAS is not part of the SCWCD, so you don't need to worry about it. And no, there are no simple examples using JAAS - it is by its nature not simple. But it's also something that for pure web apps you generally don't need. And yes, people often find the built-in authentication/authorization stuff insufficient and build their own; it's not that hard.
 
Deepak Jain
Ranch Hand
I got the authentication and authorization working using a database realm and the Tomcat web container.
Now I am facing a new issue.
In case I include

Upon requesting a constrained resource like http://localhost:8080/testtool, as expected the web container redirects to https://localhost:8443/testtool and the web page shows the following error


This webpage is not available.
The webpage at https://localhost:8443/testtool might be temporarily down or it may have moved permanently to a new web address.



As you see, it's a must for me to include the user-data-constraint for obvious security reasons. Can anyone let me know what's going on?
 
Ulf Dittmer
Rancher

https://localhost:8443/testtool/


Can you access that page directly, meaning, is SSL set up correctly on the server? If not, see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for the steps to follow.
 
Deepak Jain
Ranch Hand
Yes, I tried accessing https://localhost:8443/testtool/ directly through a browser, and it says "This webpage is not available."
I hope the document that you have shared has all the details to fix this.

I had a few queries:
a) Where do the credentials get stored on the client side? I am suspecting as a cookie?
b) If the credentials are saved as a cookie, then are they plain text?
c) If I use the user-data-constraint tag, then will the credentials get saved in an encrypted way?

Thanks for your time. I really appreciate it.
 
Deepak Jain
Ranch Hand
Any suggestions how to get user-data-constraint working?
 
Ulf Dittmer
Rancher
How have you set up SSL? Did you follow all the steps listed on that page?
 
Deepak Jain
Ranch Hand
I completely forgot that you had replied to my question. I am sorry for that.
I will read that document and try it out.
Thanks for replying again.
 
Deepak Jain
Ranch Hand
Thanks a lot, got it working.
After getting everything to work on my dev box, I got stuck on another problem on the so-called production box (Linux).

I do not have write permissions to the following directories under the Tomcat installation directory

bin common conf doc LICENSE logs RELEASE-NOTES RUNNING.txt server shared temp webapps work


I have access to the following folders
conf hiberbate.log logs temp webapps work

I am using a database realm and hence I have modified the server.xml as follows

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" driverName="com.mysql.jdbc.Driver" connectionURL="jdbc:mysql://localhost/rsvp?user=root&amp;password=root" connectionName="root" connectionPassword="root" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />

At Tomcat startup, I get the following exception with org.gjt.mm.mysql.Driver, com.mysql.jdbc.Drive and java.sql.Driver (changed the drivers each time)

This is because somehow Tomcat at startup is not able to find the driver class (I have not placed the corresponding jar files under server/lib or common/lib because I do not have write permission).
I have a script file that starts Tomcat, and hence I modified the file to include the jar file before starting Tomcat as follows



The path "/data/temp/appserver/tomcat-based/server/webapps/mytool/WEB-INF/lib/mysql-connector-java-5.0.6.jar" is correct and does point to the jar file.

Is there a way to get it working without touching "bin common conf doc LICENSE logs RELEASE-NOTES RUNNING.txt server shared temp webapps work" under jakarta-tomcat5, as I do not have write permissions?
Help is appreciated.
 
Ulf Dittmer
Rancher
(Moving this to the servlet forum, as it has nothing to do with the exam any more.)

I'd have the server admin put the jar file into TOMCAT_HOME/server/lib. That's much better than to alter the startup script.
 
Deepak Jain
Ranch Hand
Yes, it does not have anything to do with the exam anymore.
Thanks.
 
Deepak Jain
Ranch Hand
I have one question here.
How should I design the sign out or log out?
Do I need to clear/delete the JSESSIONID cookie? If yes, how can I do this? I know we have the Cookie API, but how can I get the exact cookie for a specific session?
 
Ranch Hand
Just call

This will invalidate the session on the server; therefore you don't have to care about the session cookie.
 
Deepak Jain
Ranch Hand
Damn, I forgot my Session APIs.
 
Deepak Jain
Ranch Hand
I am using web container based sessions as described in the above posts.
I need to display Sign In or Sign Out, and hence I tried the below code


But the problem is the if condition always evaluates to true. How can I determine if the session does not exist, so that I can display Sign In, and once the user signs in and a session is created, display Sign Out?

I even tried session.isNew().


Even if I enter wrong credentials, the session.isNew() method returns false and I see Sign Out, when I should have seen Sign In as I never entered the correct credentials.
 
Ranch Hand
request.getSession(false) will only return null when the request has no valid HttpSession.

So it does not always return true.

Yes, if you have disabled cookies, it could be possible.


session.isNew() will return true if the client does not have a session.

Again, if the user has disabled the use of cookies, then a session would be new on each request.

So have a look at the way you are at the client end.
 
Deepak Jain
Ranch Hand
Thanks for your reply.
I understand the functionality, but the thing is, how should I get sign in/sign out working?
 
Ulf Dittmer
Rancher
It looks to me like the logic on both code snippets you posted is incorrect. In the first case, if there is no session, then you want to display "sign in", not "sign out". In the second case, if isNew returns true, then a session has just been created, and so presumably the user credentials were OK - in which case "sign out" should be displayed, not "sign in".
 
Mohamed Inayath
Ranch Hand
1. Are you using the functionality with cookies enabled?
2. Are you using a custom cookie?


 
Deepak Jain
Ranch Hand
1) Are you using the functionality with cookies enabled? -- YES, cookies are enabled on my browser. To log out, currently I am clearing the browser cookies, so that when I key in the URL for my webapp it shows the login screen. Hence I need a Sign Out link.
2) Are you using a custom cookie? No, I am not using custom cookies. I am using container-based authentication and authorization (as described in the Head First Servlets and JSP security chapter).


I want to show a sign out link so that the user can click on it, and the next time he/she points the browser to my web app, the container presents them with a login screen. I do not want a sign in link as it does not make sense in my scenario.

I) I have a header.jsp (which displays normal headings, and I want a sign out link at the right corner). Since header.jsp is common to
a) the login page login.jsp
b) the rest of the application JSPs that show the webapp,
I wanted to implement the Sign Out link in header.jsp.
Hence, in header.jsp, what conditions should I check so that I can display the Sign Out href?
II) Further, I have the href pointed to signout.jsp, which has the following code

I am hoping the above forward will throw a login screen since the session is already invalidated.

All the things that I have mentioned above are not working.
Can you guys help me with this?
 
Ulf Dittmer
Rancher
You shouldn't keep any of this logic in JSPs. It belongs in a servlet where you can ascertain what the request has -session, cookies, credentials etc.- and then take appropriate action based upon that.
 
Mohamed Inayath
Ranch Hand
You can have a SIGNOUT/LOGOUT link in the header.jsp
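As an added example (not code from anyone in this thread), here is the servlet-based sign out that the two replies above point at, written for container-managed authentication as in the original question. It assumes the Servlet 3.0 API (the @WebServlet annotation, request.logout() and Cookie.setHttpOnly() do not exist in the Servlet 2.4/2.5 containers of the Tomcat 5/6 era); the servlet name, the /signout mapping and the isSignedIn helper are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet that replaces the signout.jsp discussed above. Servlet 3.0 API assumed.
@WebServlet("/signout")
public class SignOutServlet extends HttpServlet {

    // With container-managed (FORM/BASIC) auth the container knows who is logged in,
    // so ask it. getSession(false) and isNew() only say whether a session exists,
    // not whether the login succeeded, which is why the JSP checks in the thread
    // always showed "Sign Out". header.jsp can call this to decide which link to render.
    static boolean isSignedIn(HttpServletRequest request) {
        return request.getUserPrincipal() != null;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Drop the container's authenticated identity for this request (Servlet 3.0+).
        request.logout();

        // 2. Invalidate the server-side session. Once this is done the JSESSIONID the
        //    browser still holds maps to nothing, so it cannot be replayed.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Also expire the cookie on the client so the stale id is not resent.
        //    Path must match the one the container set, i.e. the webapp context path.
        String contextPath = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // 4. Redirect, do not forward: security constraints are enforced on requests
        //    arriving from the client, not on RequestDispatcher forwards, so a forward
        //    to a protected page would never show the login form.
        response.sendRedirect(contextPath + "/");
    }
}
```

The sign out link in header.jsp should submit a POST form to this servlet (a GET link is trivially triggered cross-site), and the header can show the link only when isSignedIn(request) is true.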
 