Hi Tom & Carl,
There are two approaches for securing your web applications: programmatic security and declarative security. The former is implemented by the developer through programming/coding for the particular application. The latter approach is offered by J2EE and is implemented by the web container. There are four types of declarative security mechanism:
(a) HTTP basic authentication, (b) HTTP digest authentication, (c) HTTP client or client-cert authentication (through SSL/HTTPS) and (d) form-based authentication.
I gave you an example of programmatic security code earlier. And now here is form-based authentication (option d) in Tomcat 4. I'm giving my web.xml file, which needs to be configured together with the tomcat-users.xml file. When a user comes to my site for the first time he will automatically be challenged by a request/response page for username & password. Once he gives username "ashik" & password "java" he'll never be challenged again in this session.
tomcat-users.xml
================
<!--
NOTE: By default, no user is included in the "manager" role required
to operate the "/manager" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="ashik" password="java" roles="admin" />
</tomcat-users>
=================================================================
web.xml
=======
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>
ShowMsg
</servlet-name>
<servlet-class>
ShowMessage
</servlet-class>
<init-param>
<param-name>
message
</param-name>
<param-value>
Sun Certified Web component developer (SCWCD)
</param-value>
</init-param>
<init-param>
<param-name>
repeats
</param-name>
<param-value>
10
</param-value>
</init-param>
</servlet>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<description>
Testing Form-based Authentication in Tomcat 4</description>
<url-pattern>/*</url-pattern>
<!-- No http-method is listed, so the constraint covers every HTTP method;
listing only GET would leave POST and the other methods unprotected. -->
</web-resource-collection>
<auth-constraint>
<description>Cookie Servlet Administrator</description>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/ashik4u/login.html</form-login-page>
<form-error-page>/ashik4u/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Registered Members</description>
<role-name>admin</role-name>
</security-role>
</web-app>
And the login.html that resides under my ashik4u context is like this -----
<html>
<head>
<title>Container's Login Authentication</title>
</head>
<body bgcolor="#e0d0c0" text="blue">
<h1>Please Login</h1>
<hr>
<!-- j_security_check, j_username and j_password are the names the servlet
container expects for form-based login -->
<form action="j_security_check" method="post">
<table bgcolor="#e3d2c1" border="0" width="30%" cellspacing="3" cellpadding="2">
<tr>
<td><b>Login</b></td>
<td><input type="text" size="20" name="j_username"></td>
</tr>
<tr>
<td><b>Password</b></td>
<td><input type="password" size="10" name="j_password"></td>
</tr>
<tr>
<td><input type="submit" value="Sign in"></td>
</tr>
</table>
</form>
</body>
</html>
And yeah, you already must have known the meaning of j_security_check, j_username & j_password....
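As an added defender-side check (my code, not part of the post above), the Python below reads a web.xml and a tomcat-users.xml as strings and flags the gaps a reviewer looks for in a declarative security setup: a security-constraint whose web-resource-collection lists explicit http-method elements (which restricts protection to those methods only), a FORM or BASIC login whose transport-guarantee is NONE (the password then travels in clear text), and auth-constraint roles that no security-role declares or that no user in tomcat-users.xml holds. The XML samples are constructed, modelled on the files in the post; the function names and finding codes are my own.

```python
"""Audit a web.xml security-constraint set against tomcat-users.xml.

Added example: the two sample documents below are constructed from the
post's files, trimmed to the security-relevant elements. They are not the
poster's files verbatim.
"""
import xml.etree.ElementTree as ET

# Constructed sample: security section of a web.xml with two common gaps
# (GET-only method list, no transport guarantee for the login form).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Same constraint with both gaps closed: no http-method list (so every
# method is covered) and CONFIDENTIAL transport for the login form.
HARDENED_WEB_XML = WEB_XML.replace(
    "<http-method>GET</http-method>", ""
).replace("NONE", "CONFIDENTIAL")

# Constructed sample: a Tomcat 4 style tomcat-users.xml ('name' attribute).
TOMCAT_USERS_XML = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="ashik" password="java" roles="admin" />
</tomcat-users>"""


def granted_roles(users_xml):
    """Return the set of roles that at least one user in tomcat-users.xml holds."""
    roles = set()
    for user in ET.fromstring(users_xml).findall("user"):
        roles.update(r.strip() for r in user.get("roles", "").split(",") if r.strip())
    return roles


def audit(web_xml, users_xml):
    """Return a list of (code, message) findings; an empty list means no gaps found."""
    app = ET.fromstring(web_xml)
    findings = []
    auth_method = (app.findtext("login-config/auth-method") or "").strip()
    declared = {rn.text.strip() for rn in app.findall("security-role/role-name")}
    granted = granted_roles(users_xml)

    for sc in app.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            # Listing http-method elements limits the constraint to those
            # methods; any method not listed is left unprotected.
            if methods:
                findings.append(("METHOD_SUBSET",
                                 f"{patterns}: only {methods} protected; other "
                                 "methods bypass the constraint. Omit http-method."))
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip()
        # FORM posts the password in the request body and BASIC sends it in a
        # header; without a transport guarantee it travels in clear text.
        if guarantee == "NONE" and auth_method in ("FORM", "BASIC"):
            findings.append(("CLEARTEXT_CREDENTIALS",
                             f"{auth_method} login without transport-guarantee "
                             "CONFIDENTIAL"))
        for rn in sc.findall("auth-constraint/role-name"):
            role = rn.text.strip()
            if role not in declared:
                findings.append(("UNDECLARED_ROLE",
                                 f"role {role!r} has no security-role entry"))
            if role not in granted:
                findings.append(("NO_USER_WITH_ROLE",
                                 f"no user in tomcat-users.xml holds role {role!r}"))
    return findings


if __name__ == "__main__":
    for name, xml in (("sample", WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"== {name} web.xml ==")
        for code, msg in audit(xml, TOMCAT_USERS_XML) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it as a script to see both reports; the sample yields METHOD_SUBSET and CLEARTEXT_CREDENTIALS, the hardened variant yields nothing. Pointing `audit` at a tomcat-users.xml with no user in the admin role adds NO_USER_WITH_ROLE, which is the usual reason a fresh form-login setup rejects every login.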
