Application Security

Pedro Garcia
Greenhorn

Joined: Sep 12, 2002
Posts: 15
Hi...
I have a JSP application in Tomcat 4.1.18.
I'm trying to restrict it to some roles only.
How can I define a Security Constraint for an application in the web.xml file?
Is it necessary to put some code in /conf/server.xml too?
Could somebody post an example...


Pedro
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

There is also an existing examples app that uses security constraints at: http://localhost:8080/examples/jsp/security/protected/
Pedro Garcia
Greenhorn

Joined: Sep 12, 2002
Posts: 15
Thanks...
I checked it.
It's what I was looking for....
but...
Why does the JSP example send me error 404 when I log in, then go back and log in with a wrong password?
Do I need to initialize the session again?
How can I fix it?
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

I think I know what is happening, but this is only what I deduce, not what I know.

The example web-app uses container-managed, FORM-based authentication. That is what this page is for: http://localhost:8080/examples/jsp/security/protected/login.jsp

Note that the form elements are named j_username and j_password, and that the action is j_security_check.

The action must be j_security_check, so that the container knows "that means forward this request to my internal authorization code, which expects something called j_username and j_password". You can customize login.jsp in any other way, but that action and those form field names MUST be used if you want container-managed security to work.

One of the things that the container probably does as an efficiency test is to check first whether the user making the request is ALREADY logged in. Why authenticate when they've already been authenticated?

Because you just click "back", you are not logged out, so your session continues to be valid. When the container receives your second request (the one with a bad password), it sees you are already logged in, and it will "pass off" the request to the web application that is being protected. *THAT* application does not have a resource mapped to j_security_check, and so you get the 404.

The solution is to log out with the link provided on index.jsp (the page you see after a successful login).
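The pages referred to above, written out as an added example rather than copied from the Tomcat examples app: a login.jsp with the fixed field names and action, the error page the container shows after a failed attempt, and a logout.jsp that invalidates the session. The file names and the redirect target index.jsp are assumptions for a constructed application; the names j_username, j_password and j_security_check are fixed by the servlet specification.

```jsp
<%-- login.jsp: served by the container on the first request to a protected page.
     The action is a relative "j_security_check"; the container intercepts it and
     never forwards it to the application. POST keeps the credentials out of the URL. --%>
<html>
<body>
  <form method="POST" action="j_security_check">
    Username: <input type="text" name="j_username"><br>
    Password: <input type="password" name="j_password"><br>
    <input type="submit" value="Log in">
  </form>
</body>
</html>

<%-- error.jsp: configured as <form-error-page>; shown only after a failed j_security_check. --%>
<html>
<body>
  Login failed. <a href="login.jsp">Try again</a>.
</body>
</html>

<%-- logout.jsp: invalidating the session is what makes the container forget the
     authenticated user, so the next request to a protected page is treated as a
     fresh login instead of being handed to the application (which is the 404 above). --%>
<%
  if (session != null) {
    session.invalidate();
  }
  response.sendRedirect("index.jsp");
%>
```

Link logout.jsp from index.jsp, as the examples app does, and verify the fix by logging out, pressing "back" to the login form and submitting a wrong password: the container should now answer with error.jsp instead of the 404.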
Pedro Garcia
Greenhorn

Joined: Sep 12, 2002
Posts: 15
Thanks for your help.
Your explanation helps me to understand.
But how can I prevent users from using the "back" button?
Or is it better to use another method to authenticate?...