
How to configure multiple security-constraint elements in web.xml

 
Snehitha Prasad
Ranch Hand
Posts: 32
Hi All,

I am trying to set up restricted access to several pages within the same engine context.

I have a web.xml file within the WEB-INF folder, and can get a single security constraint to work OK. When I try and set up a second one, nothing happens, and the second constraint is never respected.

The current web.xml is pasted below.

<!--web.xml-->

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Example Security</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area2</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>

</web-app>

Can anyone please give me a suggestion on this?

Thanks in Advance,
SNEHITHAPRASAD


 
sai rama krishna
Ranch Hand
Posts: 424
Which security constraint did not work?
 
Snehitha Prasad
Ranch Hand
Posts: 32
Hi

The second security constraint, Logout.jsp, is not working. Can you please tell me where the problem is?

Thanks,
Prasad A.
 
sai rama krishna
Ranch Hand
Posts: 424
I see role-name is repeated and is the same in both places.
 
Snehitha Prasad
Ranch Hand
Posts: 32
Hi Sai Rama Krishna,

Thanks for your immediate response. But if I write the code in the following manner also, Logout.jsp is not restricted. Instead of showing the form page, it gives a 403 error.
The code is as follows.

<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area1</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>

</web-app>


Thanks in Advance,
SNEHITHAPRASAD
 
sai rama krishna
Ranch Hand
Posts: 424
Check this link:
http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html
 
Snehitha Prasad
Ranch Hand
Posts: 32
Hi Sai Ram krishna,

I read the details of web security in the link that you provided. What I wrote in my code is the same as per the standards.
But still I can't get where the problem is. If I restrict all the pages within my web application also, it restricts only the first requested page.
I am still shocked by this. This is my updated code. Just verify and kindly give me a solution on this.

<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>

</web-app>




Thanks in Advance,

SNEHITHAPRASAD
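As an added example (not code from this thread, nor from any servlet container), the following Python script models how a container decides whether a request is covered by the security-constraint elements above. It parses a constructed web.xml that mirrors the second configuration posted in the thread (/welcome.jsp for Admin, /Logout.jsp for role1, both limited to GET and POST) and applies the Servlet specification's rules as the author of this example understands them: url-pattern precedence is exact match, then longest path prefix, then extension, then default; the auth-constraints of all constraints at the winning precedence level are combined (union of roles; an empty auth-constraint denies everyone; a constraint without one permits everyone). Three things it makes visible that the thread circles around: an Admin user requesting /Logout.jsp gets 403 rather than the login form, because that constraint names only role1; url-pattern matching is exact and case-sensitive, so /logout.jsp is not protected by a /Logout.jsp pattern; and listing only GET and POST leaves every other verb unconstrained, which is why a defender normally omits the http-method elements so the constraint covers all methods.

```python
"""Model of servlet-container security-constraint evaluation (added example)."""
import xml.etree.ElementTree as ET

NS = {"w": "http://java.sun.com/xml/ns/javaee"}

# Constructed web.xml modelled on the second configuration in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area1</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def load_constraints(xml_text):
    """Return a list of {patterns, methods, roles}; roles is None when the
    constraint has no <auth-constraint>, and an empty set when it is empty."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("w:security-constraint", NS):
        patterns, methods = [], set()
        for wrc in sc.findall("w:web-resource-collection", NS):
            patterns += [p.text.strip() for p in wrc.findall("w:url-pattern", NS)]
            methods |= {m.text.strip().upper() for m in wrc.findall("w:http-method", NS)}
        ac = sc.find("w:auth-constraint", NS)
        roles = None if ac is None else {r.text.strip() for r in ac.findall("w:role-name", NS)}
        out.append({"patterns": patterns, "methods": methods, "roles": roles})
    return out


def match_rank(pattern, path):
    """(precedence, specificity) if the url-pattern matches the request path, else None.
    Comparison is exact and case-sensitive, as in the servlet mapping rules."""
    if pattern == path:
        return (3, len(pattern))                       # exact match wins
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                    # longest prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                                  # extension mapping
    if pattern == "/":
        return (0, 0)                                  # default mapping
    return None


def applicable(constraints, method, path):
    """Constraints whose best-ranked pattern matches and whose http-method list
    (if any) names the verb. A verb absent from a non-empty list is unconstrained."""
    ranked = []
    for c in constraints:
        if c["methods"] and method.upper() not in c["methods"]:
            continue
        ranks = [r for r in (match_rank(p, path) for p in c["patterns"]) if r]
        if ranks:
            ranked.append((max(ranks), c))
    if not ranked:
        return []
    best = max(r for r, _ in ranked)
    return [c for r, c in ranked if r == best]


def decide(constraints, method, path, user_roles=None):
    """user_roles=None means unauthenticated. Returns 'allow', 'login' or 'forbidden'."""
    applying = applicable(constraints, method, path)
    if not applying:
        return "allow"                                 # nothing covers this request
    role_sets = [c["roles"] for c in applying]
    if any(r is not None and not r for r in role_sets):
        return "forbidden"                             # empty <auth-constraint/> precludes access
    if any(r is None for r in role_sets):
        return "allow"                                 # a constraint with no auth-constraint
    permitted = set().union(*role_sets)                # union of the named roles
    if user_roles is None:
        return "login"                                 # container serves form-login-page
    return "allow" if ("*" in permitted or permitted & set(user_roles)) else "forbidden"


if __name__ == "__main__":
    cons = load_constraints(WEB_XML)
    for method, path, roles in [("GET", "/welcome.jsp", None), ("GET", "/Logout.jsp", ["Admin"]),
                                ("POST", "/Logout.jsp", ["role1"]), ("GET", "/logout.jsp", None),
                                ("PUT", "/Logout.jsp", None)]:
        print(f"{method:4} {path:13} roles={roles}: {decide(cons, method, path, roles)}")
```

Running it prints one line per probe; the two lines to study are GET /logout.jsp and PUT /Logout.jsp, both of which come back "allow" even though the intent was to protect the logout page.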