<auth-constraint> in web.xml

Shashank Sharma
Ranch Hand

Joined: Sep 27, 2006
Posts: 91
Hello,
I am reading through web app security of HFJS. I could add a constraint for a certain URL pattern through <security-constraint> tags in the DD. So it would restrict me from requesting a constrained resource.
I am not able to understand how the user roles of Apache Tomcat will authorize the request. We can log in to one of the Tomcat accounts to manage the app and check the active session for the app, but it does not allow me to access a constrained resource if I am logged in as an admin too.
<auth-constraint> lists roles which can do a GET or a POST request.
I have <auth-constraint> as


Can anyone please explain how this authorization is done?
Thanks ..
Shashank Sharma
Ranch Hand

Joined: Sep 27, 2006
Posts: 91
moving on..


These are the username and role mappings in the tomcat-users.xml file

and I am trying to use form authorization as

On using the user name and password as above, it always gets redirected to the login error page.
The web.xml is as under.




Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1644

Just remove the <user-data-constraint>, as it requires you to set up the HTTPS port on Tomcat, and try again.

Regards,
Frits
Shashank Sharma
Ranch Hand

Joined: Sep 27, 2006
Posts: 91
Hello,

Thank you for your response.
I have tried that. It redirects the page to the login error page.
It means it is not able to match the username and password specified in tomcat-users.xml with the ones that I am passing on the login page.
And I am using a login config which specifies the login page for authentication and an error page if incorrect authentication information is passed.

But what is it supposed to do if the credentials are correct?
I could answer most of the questions at the end of the chapter, but that is no use unless I am able to implement the security constraints.
Frits, it would be great if you could explain a bit on the constraint part, which I am not able to get through the book.


Thanks.
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1644

"I have tried that. It redirects the page to the login error page."

What is the URL you are using?

"But what is it supposed to do if the credentials are correct?"

If the credentials are correct you should let the user access your "protected" servlets. This is part of Authorisation, whereas checking the credentials is part of Authentication.

In other words: Authentication is: "do I (as a server) know you": if not, go and play somewhere else...
and Authorisation is about: if I know you, what parts of the application are you allowed to access

You configure Authentication with the <login-config> element and Authorization with the <security-constraint> element. The roles playing a part in your web-app should be configured in the <security-role> element (which I am not seeing in your web.xml....) and the user-to-role mapping is Servlet-container specific and for Tomcat is done in the tomcat-users.xml file (like you did).

Your web.xml has a <security-constraint> on <url-pattern>*.do</url-pattern> which maps to the Test001 Servlet, meaning all the URLs starting with http://localhost:8080/YourWebAppRoot/ and ending with .do, so for example:
http://localhost:8080/YourWebAppRoot/Test001.do should go to your Servlet com.Test001 (as you have defined in your web.xml)

Does this explain things a bit? If you are still having problems with the code example, just post the rest of your code (your web app root, and the directory structure of your web-app)


Regards,
Frits
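
A minimal deployment descriptor for the setup described in the reply above, as an added example that is not code from this thread. The role name member, the user alice, and the /login.jsp and /loginError.jsp paths are assumptions; only *.do, Test001 and com.Test001 come from the posts.

```xml
<!-- WEB-INF/web.xml (added example; role "member" and the JSP paths are assumed) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>Test001</servlet-name>
    <servlet-class>com.Test001</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Test001</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Authorization: which roles may request *.do -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected actions</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <!-- No <http-method> listed, so the constraint covers every HTTP method.
           Listing only GET and POST would leave the other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Add back once an HTTPS connector is configured in Tomcat, so the
         password is not sent in clear text:
         <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint> -->
  </security-constraint>

  <!-- Authentication: FORM login. The login page must POST the fields
       j_username and j_password to the action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an <auth-constraint> is declared here -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>

<!-- conf/tomcat-users.xml: the user must hold the same role name
     (user name and password are placeholders):
     <role rolename="member"/>
     <user username="alice" password="CHANGE_ME" roles="member"/> -->
```

Request the protected URL (for example http://localhost:8080/YourWebAppRoot/Test001.do) rather than the login page itself; the container then shows the login page and, after a successful login, returns the originally requested resource.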
 