| Author |
How to configure multiple security-constraint elements in web.xml
|
Snehitha Prasad
Greenhorn
Joined: Jul 06, 2012
Posts: 24
|
|
Hi All,
I am trying to set up restricted access to several pages within the same engine context.
I have a web.xml file within the WEB-INF folder, and can get a single security constraint to work OK. When I try and set up a second one, nothing happens, and the second constraint is never respected.
The current web.xml is pasted below.
<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Example Security</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area2</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>
Can anyone please give me a suggestion on this?
Thanks in Advance,
SNEHITHAPRASAD
|
 |
sai rama krishna
Ranch Hand
Joined: May 29, 2009
Posts: 133
|
|
|
Which security constraint did not work?
|
 |
Snehitha Prasad
Greenhorn
Joined: Jul 06, 2012
Posts: 24
|
|
Hi
The second security constraint, for Logout.jsp, is not working. Can you please tell me where the problem is?
Thanks,
Prasad A.
|
 |
sai rama krishna
Ranch Hand
Joined: May 29, 2009
Posts: 133
|
|
|
I see role-name is repeated and is the same in both places.
|
 |
Snehitha Prasad
Greenhorn
Joined: Jul 06, 2012
Posts: 24
|
|
Hi Sai Rama Krishna,
Thanks for your immediate response. But even if I write the code in the following manner, Logout.jsp is still not restricted. Instead of showing the form page, it gives a 403 error.
The code is as follows.
<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area1</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>
Thanks in Advance,
SNEHITHAPRASAD
|
 |
sai rama krishna
Ranch Hand
Joined: May 29, 2009
Posts: 133
|
|
Check this link
http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html
|
 |
Snehitha Prasad
Greenhorn
Joined: Jul 06, 2012
Posts: 24
|
|
Hi Sai Rama Krishna,
I read the details of web security in the link that you provided. What I wrote in my code follows the standards.
But I still can't see where the problem is. Even if I restrict all the pages within my web application, it restricts only the first requested page.
I am still shocked by this. This is my updated code. Please verify it and kindly give me a solution.
<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>
Thanks in Advance,
SNEHITHAPRASAD
|
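How a container evaluates several `security-constraint` elements like the ones posted in this thread, as an added example that is not part of any poster's message: this Python sketch applies the Servlet 2.5 rules (case-sensitive best-match `url-pattern`, only the listed `http-method` values are constrained, roles are combined across constraints on the same pattern). The sample XML is constructed from the second web.xml above, and `load_rules`, `rank` and `required_roles` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the two constraints from the second web.xml in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
<security-constraint>
  <web-resource-collection><url-pattern>/welcome.jsp</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>Admin</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/Logout.jsp</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>role1</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def load_rules(xml_text):
    """Return (url-pattern, methods or None for all, roles or None if no auth-constraint)."""
    rules = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else {r.text.strip() for r in auth.findall("j:role-name", NS)}
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = {m.text.strip() for m in wrc.findall("j:http-method", NS)} or None
            for p in wrc.findall("j:url-pattern", NS):
                rules.append((p.text.strip(), methods, roles))
    return rules

def rank(pattern, path):
    """Mapping precedence: exact > longest path prefix > extension > default; None = no match."""
    if pattern == path:  # comparison is case-sensitive, as the spec requires
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(rules, method, path):
    """'OPEN' if nothing constrains the request, else the set of allowed roles (empty = nobody)."""
    ranked = [(rank(p, path), p) for p, _, _ in rules if rank(p, path) is not None]
    best = max(ranked)[1] if ranked else None
    hits = [roles for p, methods, roles in rules
            if p == best and (methods is None or method in methods)]
    if not hits or (None in hits and set() not in hits):
        return "OPEN"
    return set() if set() in hits else set().union(*hits)
```

A result of `OPEN` for a path or method you expected to be protected means no constraint in the file covers that request, for example a method that is not listed in `http-method` or a path whose case differs from the `url-pattern`.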
 |
 |