How to configure multiple security-constraint elements in web.xml

Snehitha Prasad
Ranch Hand

Joined: Jul 06, 2012
Posts: 32
Hi All,

I am trying to set up restricted access to several pages within the same engine context.

I have a web.xml file within the WEB-INF folder, and can get a single security constraint to work OK. When I try and set up a second one, nothing happens, and the second constraint is never respected.

The current web.xml is pasted below.

<!--web.xml-->

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Example Security</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area2</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>

Can anyone please give me a suggestion on this?

Thanks in Advance,
SNEHITHAPRASAD


sai rama krishna
Ranch Hand

Joined: May 29, 2009
Posts: 160
Which security constraint did not work?
Snehitha Prasad
Ranch Hand

Joined: Jul 06, 2012
Posts: 32
Hi

The second security constraint, Logout.jsp, is not working. Can you please tell me where the problem is?

Thanks,
Prasad A.
sai rama krishna
Ranch Hand

Joined: May 29, 2009
Posts: 160
I see role-name is repeated and is the same in both places.
Snehitha Prasad
Ranch Hand

Joined: Jul 06, 2012
Posts: 32
Hi Sai Rama Krishna,

Thanks for your immediate response. But if I write the code in the following manner, Logout.jsp is also not restricted. Instead of showing the form page, it gives a 403 error.
The code is as follows.

<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area1</web-resource-name>
      <url-pattern>/Logout.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>


Thanks in Advance,
SNEHITHAPRASAD
sai rama krishna
Ranch Hand

Joined: May 29, 2009
Posts: 160
Check this link
http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html
Snehitha Prasad
Ranch Hand

Joined: Jul 06, 2012
Posts: 32
Hi Sai Ram Krishna,

I read the details of web security in the link that you provided. What I wrote in my code is the same as per the standards.
But I still can't see where the problem is. Even if I restrict all the pages within my web application, it restricts only the first requested page.
I am still shocked by this. This is my updated code. Please verify it and kindly give me a solution on this.

<!--web.xml-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.bpa.webappsec.servlet.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/check.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
</web-app>




Thanks in Advance,

SNEHITHAPRASAD
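
Added example (not part of the original thread, and not container code): a small Python audit script that parses the two constraints from the second web.xml above and reports what the Servlet 2.5 matching rules yield for a given path, HTTP method and set of user roles. The helper names `load`, `rank` and `decide` are hypothetical, the XML is a constructed copy of the thread's constraints, and `user-data-constraint` and the `*` role name are not handled.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

def _sc(pattern, role):  # constructed sample constraint, shaped like those in the thread
    return ("<security-constraint><web-resource-collection>"
            f"<web-resource-name>area</web-resource-name><url-pattern>{pattern}</url-pattern>"
            "<http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>"
            f"<auth-constraint><role-name>{role}</role-name></auth-constraint></security-constraint>")

WEB_XML = (f'<web-app xmlns="{NS["j"]}" version="2.5">'
           + _sc("/welcome.jsp", "Admin") + _sc("/Logout.jsp", "role1") + "</web-app>")

def load(xml_text):
    """Return one (url_patterns, http_methods, roles) tuple per <security-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        pats = [e.text.strip() for e in sc.iterfind(".//j:url-pattern", NS)]
        methods = {e.text.strip() for e in sc.iterfind(".//j:http-method", NS)}
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else {e.text.strip() for e in auth.iterfind("j:role-name", NS)}
        out.append((pats, methods, roles))
    return out

def rank(pattern, path):
    """Match strength: exact > longest path prefix > extension > default; None if no match."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def decide(constraints, path, method, user_roles=None):
    """user_roles=None means no login yet. Returns 'open', 'login', 'allow' or '403'."""
    ranked = [(k, m, r) for pats, m, r in constraints for p in pats if (k := rank(p, path)) is not None]
    top = max((t[0] for t in ranked), default=None)
    # Only constraints on the best-matching pattern that cover this method apply.
    hits = [r for k, m, r in ranked if k == top and (not m or method in m)]
    if not hits:
        return "open"                      # nothing covers this path/method
    if any(r is not None and not r for r in hits):
        return "403"                       # empty <auth-constraint/> denies everyone
    if any(r is None for r in hits):
        return "open"                      # a constraint without auth-constraint
    if user_roles is None:
        return "login"                     # container sends the FORM login page
    return "allow" if set().union(*hits) & set(user_roles) else "403"
```

Under these rules a user who is already logged in without the listed role gets a 403 instead of the login form, URL patterns are case-sensitive, and any method not named in `<http-method>` is left unconstrained for that pattern.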