BASIC Authentication and SSL configuration failed in Tomcat 6.0

Anthony D'Souz
Ranch Hand

Joined: Oct 13, 2011
Posts: 62
Hi Folks,

The application is a simple JSP/Servlet application. I want to perform a user authentication (using BASIC Authentication) and, if the user is authenticated, then I will redirect them to the home screen using SSL (i.e. https). The BASIC Authentication has to be performed on clicking a button. I have added the roles along with their username and password in the tomcat-users.xml, hence no need for a Realm as of now.

For achieving this, initially I configured the BASIC Authentication in my web.xml like this:

The user BASIC Authentication part of the code works perfectly (the popup dialog appears asking for the username and password and it works fine).

Then I configured SSL by following the following steps:

1) Generated a Keystore using keytool
2) Added the below entry in the server.xml:

3) Added this in web.xml inside the

On running the application, below are the issues I have with it:

1) On clicking the button (for which the BASIC authentication has to be performed), the dialog for authentication did not appear (the one that appears for BASIC Authentication asking for username and password).

2) I was redirected to a link with https (yes, the https appeared in the URL) with GET, and the doGet() method of the servlet gets executed, which is incorrect since the submit button form is like this, hence the doPost method should be executed rather than the doGet:

Please let me know where the issues are and how to resolve them to achieve what I am expecting.
Thanks,
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641

You misunderstand how J2EE applies security. You cannot "click a button" to force login. Login is automatically invoked ANY time the user is not logged in (authenticated) and requests a secured URL. That prevents the very common failing of Do-It-Yourself security systems where people simply jump around the "login page".

Also, the login acts as a gateway to the requested page (URL). If login succeeds, then the requested URL is processed. The only way to force redirection to an alternative page is to hack things. There is no "login event handler". In large part, because J2EE supports site logins, where the user may have logged in with a central security administration system at some earlier time (Single Signon), and the server will honor that operation instead of annoying the user with a separate login demand for each and every application (which can be especially annoying when it's a portal app).

I'm not a big fan of logins forcing me to another page myself, because I have a fondness for "bookmarking" commonly-used URLs and short-circuiting the bookmarks is a rude thing to do.


Customer surveys are for companies who didn't pay proper attention to begin with.
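For reference, here is the container-managed setup both posts above are talking about, assembled as an added example; it is not the original poster's configuration (which did not survive on the page) and not an official Tomcat file. It shows a Tomcat 6 web.xml that protects one URL pattern with BASIC authentication and requires TLS for the same pattern, the matching server.xml connectors and a tomcat-users.xml entry for the default UserDatabaseRealm. The URL pattern /secure/*, the role name member, the user alice, and the keystore path and password are assumed values, not taken from the thread. Two points it is meant to make concrete: the browser's BASIC dialog appears only when an unauthenticated request hits a URL matched by a security-constraint that carries an auth-constraint (a constraint with only a user-data-constraint enforces TLS and nothing else), and when a request for a CONFIDENTIAL resource arrives over plain HTTP, Tomcat answers with a 302 redirect to the connector's redirectPort, which browsers follow with a GET, so a POST body never reaches the servlet.

```xml
<!-- web.xml (Servlet 2.5, Tomcat 6) : added example, not the poster's file -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Everything under /secure/ (assumed pattern) needs a logged-in user holding
       the "member" role AND must be reached over TLS. Both rules sit in one
       constraint so no URL under /secure/ is covered by one but not the other. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- no <http-method> listed: GET, POST and every other method are covered -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>   <!-- assumed role name -->
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL = TLS required; plain-HTTP requests are 302-redirected,
           and the browser re-issues the redirected request as a GET -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC: the browser shows its own credentials dialog the first time an
       unauthenticated request matches a constraint with an <auth-constraint>.
       There is no button or event in the application that triggers it. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Members area</realm-name>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>

<!-- server.xml connectors (inside <Service>) : added example -->
<!-- Plain HTTP; redirectPort is where CONFIDENTIAL requests are sent (302, so GET) -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" />
<!-- TLS connector; keystoreFile and keystorePass are assumed values for the
     keystore generated with keytool -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/keystore.jks" keystorePass="changeit" />

<!-- tomcat-users.xml : constructed sample user for the default UserDatabaseRealm -->
<tomcat-users>
  <role rolename="member"/>
  <user username="alice" password="change-me" roles="member"/>
</tomcat-users>
```

With this in place the form that submits to the protected servlet should point its action at the https URL directly (for example https://host:8443/app/secure/submit with the assumed names above), or the page holding the form should itself be served over https. That avoids the redirect, so the request stays a POST and doPost() runs, and it also keeps the BASIC credentials, which are only Base64-encoded in the Authorization header, off the plaintext connection.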