Implementing FORM Based Security

Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 180
Hello Everyone,
I am trying to implement FORM based security in my web application but I am unable to do so. Actually, I am not able to map my servlet from web.xml. I am using Tomcat 6, so I can't use annotations to map my servlet, and if I map my servlet using the <servlet> tag and <servlet-mapping> tag then the server directly executes my servlet without going through the <security-constraint> and <login-config>. My code is as follows:

Web.xml file

DoSomethingServlet.java

authentication.html

authentication_error.html

tomcat-user.xml
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42908
    
You're mapping the servlet to /*, but you're only securing /DoSomethingServlet. So any URL but that specific one would not be secured, but can be used to access the servlet.

I think what you meant to do was to map the servlet to "/DoSomethingServlet".
Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 180
Ulf Dittmer wrote: You're mapping the servlet to /*, but you're only securing /DoSomethingServlet. So any URL but that specific one would not be secured, but can be used to access the servlet.

I think what you meant to do was to map the servlet to "/DoSomethingServlet".


I have already tried doing that but no help. Actually, it is not able to fetch the start up file from web.xml (i.e. authentication.html). Following is the error I am getting:

HTTP Status 404 - /JavaWebSecurityPrj04/

The URL showing is (http://localhost:8080/JavaWebSecurityPrj04/) BUT it should be like this in order to fetch the authentication.html file (http://localhost:8080/JavaWebSecurityPrj04/authentication.html)

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42908
    
So if I were to take all the files you posted, change line 10 of web.xml to "<url-pattern>/DoSomethingServlet</url-pattern>", install that as a web app called "JavaWebSecurityPrj04", and then accessed http://localhost:8080/JavaWebSecurityPrj04/DoSomethingServlet I would get a 404?

What do you mean by "startup file"? Do you mean welcome file? There is none configured in the web.xml.

Can you access the web app at all, for example a static HTML file in the root directory? I'm now assuming that you no longer map security to "/*".
Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 180
Ulf Dittmer wrote: So if I were to take all the files you posted, change line 10 of web.xml to "<url-pattern>/DoSomethingServlet</url-pattern>", install that as a web app called "JavaWebSecurityPrj04", and then accessed http://localhost:8080/JavaWebSecurityPrj04/DoSomethingServlet I would get a 404?

What do you mean by "startup file"? Do you mean welcome file? There is none configured in the web.xml.

Can you access the web app at all, for example a static HTML file in the root directory? I'm now assuming that you no longer map security to "/*".


Yes, I meant welcome file only. It is configured in the <form-login-config> tag. When I explicitly execute that URL given by you above I get the welcome page (i.e. authentication.html), but I want it to come automatically when I deploy my application on the server.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42908
    
That's not a welcome file; welcome files are configured using <welcome-file-list>.

But I think you misunderstand how servlet security works - you would never link to the login page directly. The servlet container would show that to the user if he tried to access a protected resource.
Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 180
Ulf Dittmer wrote: That's not a welcome file; welcome files are configured using <welcome-file-list>.

But I think you misunderstand how servlet security works - you would never link to the login page directly. The servlet container would show that to the user if he tried to access a protected resource.


Do you have any good links or tutorials from where I can understand it properly?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42908
    
The key thing to understand is that there is no login page that you would link to. You'd just put links to protected and unprotected resources alike, and then the servlet container will call the login page if the user tries to access a protected resource, and if the login is successful, will serve that resource.

Some links can be found here: http://www.coderanch.com/how-to/java/ServletsFaq#security
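
The configuration discussed in this thread, as an added example that is not part of the original posts: a constructed WEB-INF/web.xml for a Servlet 2.5 container such as Tomcat 6, with the servlet mapping and the security constraint on the same URL, FORM login wired to the two pages named above, and a real welcome file. The package name `com.example`, the role name `appuser` (which must match a role given to a user in Tomcat's tomcat-users.xml) and the unprotected `index.html` are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: constructed descriptor, not the poster's original file. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <servlet>
    <servlet-name>DoSomethingServlet</servlet-name>
    <!-- Assumed package; use the servlet's real fully qualified class name. -->
    <servlet-class>com.example.DoSomethingServlet</servlet-class>
  </servlet>

  <!-- Weak setting: <url-pattern>/*</url-pattern> here lets the servlet answer
       on every path, while only /DoSomethingServlet is constrained below. -->
  <servlet-mapping>
    <servlet-name>DoSomethingServlet</servlet-name>
    <url-pattern>/DoSomethingServlet</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected servlet</web-resource-name>
      <!-- Same pattern as the mapping; no http-method means all methods. -->
      <url-pattern>/DoSomethingServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>appuser</role-name> <!-- assumed role name -->
    </auth-constraint>
  </security-constraint>

  <!-- The container serves this page itself when a protected URL is requested. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/authentication.html</form-login-page>
      <form-error-page>/authentication_error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>appuser</role-name>
  </security-role>

  <!-- Assumed unprotected landing page that links to /DoSomethingServlet. -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
</web-app>
```

With FORM authentication the login page's form posts to `j_security_check` with the fields `j_username` and `j_password`; requesting the context root then serves `index.html` instead of a 404, and following its link to the servlet triggers the login page.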
Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 180
Ulf Dittmer wrote: The key thing to understand is that there is no login page that you would link to. You'd just put links to protected and unprotected resources alike, and then the servlet container will call the login page if the user tries to access a protected resource, and if the login is successful, will serve that resource.

Some links can be found here: http://www.coderanch.com/how-to/java/ServletsFaq#security


Thanks for your valuable comments. I am very anxious to implement the security in my application. It is very exciting stuff but I am struggling to get through. I will read the content you provided and try to learn it rightly.
Thanks Again!!!
 