
Declarative Security with Java EE (Glassfish)

Terence Gronowski
Ranch Hand

Joined: Dec 19, 2007
Posts: 64
I want a simple example of a secured folder of a JSP application. The folder named "admin" should be accessed only by a user named "verwalter" (I don't use the user named "admin" as there is already such a user in Glassfish).

I program an app with an index.jsp. There is a link to the subfolder admin, to the file adminSeite.html. Besides the index.jsp there are login.jsp and error.jsp. login.jsp has the following form in it:




error.jsp tells if entry fails.

In the Glassfish-Console (localhost:4848) I declare a user "verwalter" with password "verwalter" in the realm "file". I create a group "verwalterGruppe" with a random name. Here it is not possible to assign the user to a role (although some EE tutorials say that roles are defined in Glassfish).

web.xml: Definition of roles (in my opinion) and resources (paths):



sun-web.xml: mapping role defined in web.xml to user and group defined in admin console of glassfish.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
  <context-root>/VerzeichnisSchutz</context-root>
  <security-role-mapping>
    <role-name>adminRolle</role-name>
    <principal-name>verwalter</principal-name>
    <group-name>verwalterGruppe</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</sun-web-app>

If I want to run the app, I cannot log in with user verwalter and pass verwalter. The indicated URL is:

http://localhost:8080/VerzeichnisSchutz/admin/j_security_chek

I am not sure about the definition of roles and resources. Are roles defined in web.xml, or are there predefined roles in Glassfish (admin and user), as many tutorials suggest? May I name resources deliberately?

Can somebody help me?


Docendo discimus (we learn by teaching)
SCJP 5 Zertifizierung, Vorbereitungsbuch; SCJP 6 Zertifizierung, Vorbereitungsbuch

Terence Gronowski
Ranch Hand

Joined: Dec 19, 2007
Posts: 64
Is there nobody using Java EE6 declarative security? Is there anybody who works with Netbeans 6.9.1?

In the meantime I think that Declarative Security does not work in Netbeans 6.9.1.

I will report a bug.

Netbeans is a very cool tool, if only there were not so many errors!!!
Terence Gronowski
Ranch Hand

Joined: Dec 19, 2007
Posts: 64
I at last found the error. The form I used had a small error.

<form action="j_security_check" method="post">
  Username: <input type="text" name="j_username">

  Passwort: <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>

I just had value="submit", that was fatal.

Second, I suppose that the role name must be written with a capital first letter.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <security-constraint>
    <display-name>AdminDisplay</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <description/>
      <url-pattern>/verwaltungsOrdner/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>ConstraintBeschreibung</description>
      <role-name>AdminRolle</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginFehler.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description/>
    <role-name>AdminRolle</role-name>
  </security-role>
</web-app>

and sun-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
  <context-root>/Schutz_1</context-root>
  <security-role-mapping>
    <role-name>AdminRolle</role-name>
    <principal-name>verwalter</principal-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</sun-web-app>

It was annoying to find the error, because there were no error messages.
Terence Gronowski
Ranch Hand

Joined: Dec 19, 2007
Posts: 64
(sorry, I forgot to format code above)
I at last found the error. The form I used had a small error.



I just had value="submit", that was fatal.

Second, I suppose that the role name must be written with a capital first letter.

web.xml



and sun-web.xml



It was annoying to find the error, because there were no error messages.
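
Added example, not code from this thread or from GlassFish: because a mis-wired FORM login fails without any error message, this Python check lints the three pieces that have to line up, namely the roles in web.xml, their mapping in sun-web.xml (role names are compared as exact, case-sensitive strings), and the login form's `j_security_check` action and `j_username`/`j_password` fields. The function names and the inline sample descriptors are constructed for illustration, and the check assumes GlassFish's default principal-to-role mapping is off, so every required role needs an explicit mapping.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # strip the javaee namespace, if any

def _roles(root, parent):
    """Set of <role-name> texts nested under every <parent> element."""
    return {c.text.strip() for p in root.iter() if _local(p) == parent
            for c in p.iter() if _local(c) == "role-name" and c.text}

def check_roles(web_xml, sun_web_xml):
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    required = _roles(web, "auth-constraint") - {"*"}  # "*" = any declared role
    declared = _roles(web, "security-role")
    mapped = _roles(sun, "security-role-mapping")
    out = [f"{r}: not declared in a security-role element" for r in sorted(required - declared)]
    for r in sorted(required - mapped):
        near = sorted(m for m in mapped if m.lower() == r.lower())
        hint = f" (differs only in case from {near[0]})" if near else ""
        out.append(f"{r}: no security-role-mapping in sun-web.xml{hint}")
    return out

class _Form(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append((a.get("action") or "", (a.get("method") or "get").lower()))
        elif tag == "input" and a.get("name"):
            self.fields.add(a["name"])

def check_login_form(html):
    p = _Form()
    p.feed(html)
    ok = any(act.endswith("j_security_check") and m == "post" for act, m in p.actions)
    out = [] if ok else ["no form posts to j_security_check"]
    return out + [f"missing input named {n}"
                  for n in ("j_username", "j_password") if n not in p.fields]

# Constructed samples: role spelled differently per file, form action misspelled.
WEB = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint><auth-constraint>'
       '<role-name>AdminRolle</role-name></auth-constraint></security-constraint>'
       '<security-role><role-name>AdminRolle</role-name></security-role></web-app>')
SUN = ('<sun-web-app><security-role-mapping><role-name>adminRolle</role-name>'
       '<principal-name>verwalter</principal-name></security-role-mapping></sun-web-app>')
FORM = '<form action="j_security_chek" method="post"><input name="j_username"><input name="j_password"></form>'
```

An empty list from both functions means the descriptors and the form agree with each other; it does not confirm that the user exists in the realm named in `login-config`.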