How to configure multiple security-constraint elements in web.xml

 
Ranch Hand
Posts: 32
Hi All,

I am trying to set up restricted access to several pages within the same engine context.

I have a web.xml file within the WEB-INF folder, and can get a single security constraint to work OK. When I try and set up a second one, nothing happens, and the second constraint is never respected.

The current web.xml is pasted below.

<!--web.xml-->

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Example Security</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area2</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>

Can anyone please give me a suggestion on this?

Thanks in Advance,
SNEHITHAPRASAD


 
Ranch Hand
Posts: 930
Which security constraint did not work?
 
Snehitha Prasad
Ranch Hand
Posts: 32
Hi

The second security constraint, Logout.jsp, is not working. Can you please tell me where the problem is?

Thanks,
Prasad A.
 
sai rama krishna
Ranch Hand
Posts: 930
I see role-name is repeated and is the same in both places.
 
Snehitha Prasad
Ranch Hand
Posts: 32
Hi Sai Rama Krishna,

Thanks for your immediate response. But if I write the code in the following manner, Logout.jsp is also not restricted. Instead of showing the form page, it gives a 403 error.
The code is as follows.

<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area1</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>


Thanks in Advance,
SNEHITHAPRASAD
 
sai rama krishna
Ranch Hand
Posts: 930
Check this link
http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html
 
Snehitha Prasad
Ranch Hand
Posts: 32
Hi Sai Rama Krishna,

I read the details of web security in the link that you provided. What I wrote in my code is the same as per the standards.
But I still can't see where the problem is. Even if I restrict all the pages within my web application, it restricts only the first requested page.
I am still shocked by this. This is my updated code. Please verify it and kindly give me a solution on this.

<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>




Thanks in Advance,

SNEHITHAPRASAD
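
An added example (not part of any post in this thread): a simplified Python model of the Servlet 2.5 rules for processing security constraints, run over the two constraints from the second listing above; the same rules apply to the `/*` listing in the last post. The function names are hypothetical, the embedded XML is an abbreviated constructed copy of the posted file, and `role-name` `*`, the default `/` pattern and `user-data-constraint` are not modelled.

```python
import xml.etree.ElementTree as ET
NS = {"j": "http://java.sun.com/xml/ns/javaee"}
# Constructed sample: only the two <security-constraint> elements of the second listing.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
<security-constraint><web-resource-collection>
  <url-pattern>/welcome.jsp</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>Admin</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection>
  <url-pattern>/Logout.jsp</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>role1</role-name></auth-constraint></security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return (patterns, methods, roles); roles None = no auth-constraint, empty set = nobody."""
    out = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else {r.text.strip() for r in auth.findall("j:role-name", NS)}
        for wrc in sc.findall("j:web-resource-collection", NS):
            pats = [p.text.strip() for p in wrc.findall("j:url-pattern", NS)]
            meths = {m.text.strip() for m in wrc.findall("j:http-method", NS)}
            out.append((pats, meths, roles))
    return out

def rank(pattern, path):
    """Exact match beats the longest prefix match, which beats an extension match; 0 = no match."""
    if pattern == path:
        return 10**6
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return 1000 + len(pattern)
    return 1 if pattern.startswith("*.") and path.endswith(pattern[1:]) else 0

def decide(constraints, path, method, user_roles):
    """user_roles is None for an anonymous caller; an empty method set covers every method."""
    hits = [(max((rank(p, path) for p in pats), default=0), m, r) for pats, m, r in constraints]
    best = max((h[0] for h in hits), default=0)
    sets = [r for rk, m, r in hits if best and rk == best and (not m or method in m)]
    if set() in sets:
        return "403"     # an auth-constraint naming no roles precludes all access
    if not sets or None in sets:
        return "ALLOW"   # path/method not constrained, or no <auth-constraint>
    if user_roles is None:
        return "LOGIN"   # container sends the <form-login-page>
    return "ALLOW" if set().union(*sets) & user_roles else "403"
print(decide(load_constraints(WEB_XML), "/Logout.jsp", "GET", {"Admin"}))  # prints 403
```

A caller who is already authenticated but lacks the required role gets 403 rather than the login form. Because both constraints list `<http-method>` elements, other methods such as HEAD are not covered; omitting `<http-method>` makes a constraint apply to every method.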
 