File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JBoss/WildFly and the fly likes Securing my web application on JBoss 5.1.0.GA Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Securing my web application on JBoss 5.1.0.GA" Watch "Securing my web application on JBoss 5.1.0.GA" New topic

Securing my web application on JBoss 5.1.0.GA

Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 643
I'm working with a simple J2EE web application from a tutorial (EJB3, Servlet) and am learning how to secure the application using JAAS.

The problem I'm having is that I'm trying to indicate that a specific page must allow access only to users participating in a particular role.
I believe I must not be configuring the url-pattern properly. The page I'm trying to lock down is called "create_user.html", which is located in the root of my web application's WebContent directory. The page contains some data entry fields and a Submit button. The Submit button is associated with an HTML Form which has an action of "create_user". I see that in the application's servlet mapping that "/create_user" is mapped to the CreateUser servlet.

The result is that when I access the html page, I'm not asked for a password.

If I set the url-pattern to "/create_user", I am able to access the page, but get the authentication request when I post from the page to the servlet - which is too late. If I set the url-pattern to "/create_user.html", no authentication request happens at all. What am I doing wrong?

I have the following web.xml file:

Thank you for any help.
Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 643
After more reading, I'm wondering if I misunderstood something. Does the <security-constraint> element in the web.xml file only apply to servlets within the web application, and not to simple HTML pages?

For reference, here is the segment from the web.xml file:

Is the <url-pattern> element applied only to servlets?

If so, how do I restrict access to an HTML page?

Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 643
Sorry to answer my own post. I was having a problem getting my head around it. I think I've figured it out, and wanted to post it here in case anyone else was looking for the same information - or in case I'm off-base and someone can correct me.

The <url-pattern> in the <web-resource-collection> under the <security-contraint> element can use file name patterns (such as *.html) or directory path patterns (such as /foo/bar/*) (to name just two). Because all my HTML files were in the root of the web application, I was limited to specifying either /* or *.html. Both of which applied the security restrictions to all HTML files, not just the one I wanted.

What I did was to move my restricted HTML page to a sub-directory in the web application, named "authorized". Then I created a <url-pattern> entry of:

With this, I'm able to access the other HTML pages in the application without authenticating, but an attempt to access the restricted HTML page results in an authentication challenge.

In reading the documentation, it seems that I should be able to create a <url-pattern> that will be matched exactly, but creating one like:

did not work. I'm not sure why.

I agree. Here's the link:
subject: Securing my web application on JBoss 5.1.0.GA
Similar Threads
How to: use Form based auth via JDBCRealm:oracle in Glassfish 3.0
Getting my web application to use the DatabaseServerLoginModule
he doesn't ask for authenticate
Having problem when using web.xml to provide login system to user.
Studying HeadFirst book: cannot make authentification