Servlet User Roles

Hi,
I am trying to get a simple servlet up and running on Tomcat 3.3 using user roles/permissions as practice revision for the SCWCD.
Does anyone know of any simple examples on the web - or an easy step by step guide of each element of the servlet deployment descriptor?
Any help would be greatly appreciated
Tom

Hi Tom,
You have the exact same issue as I do. I am working on error handling and security and looking for some resources on the web. I have not found any resources yet. However Java Servlet Programming (oreilly) by Jason Hunter and William Crawford explains security very nicely. I don't think the security chapter is available on the internet for free. I would go to bookstore such as Barnes and Nobles and read one chapter there (just an idea).
I would love to see more responses here. Please let me know if you find something.
Chintan

I m now using this simple form-based authentication and would like to join u two-guy's search. But temporarily u can use the following :
The HTML page (loginScreen2.html) used to invoke the login servlet...
<HTML> <BODY BGCOLOR= #7AAC8F TEXT=blue> <h2>Please give your user name and password below</h2> <FORM ACTION="/examples/servlet/HelloWorld6" METHOD="post"> User ID : <INPUT TYPE="text" NAME="id"><BR> Password : <INPUT TYPE="password" NAME="password"><BR> E-mail : <INPUT TYPE="text" NAME="email"><BR> <INPUT TYPE="submit" NAME="login" Value="Join Now"><BR> </FORM> </BODY> </HTML>
And source code for LoginServlet.java
import javax.servlet.*; import javax.servlet.http.*; import java.io.*; import java.util.*; public class LoginServlet extends HttpServlet { public boolean validateUser(String id,String password) { if(id.equalsIgnoreCase("Ashik") && password.equals("java")) return true; else if(id.equalsIgnoreCase("Sachin") && password.equals("cricket")) return true; else if(id.equalsIgnoreCase("Programmer") && password.equals("java")) return true; else return false; } public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException,IOException { HttpSession session = req.getSession(true); String id = (String)session.getValue("id"); res.setContentType("text/html"); PrintWriter out = res.getWriter(); out.println("<html>"); out.println("<head><title>Implement your own Login Authentication</title></head>"); out.println("<body bgcolor= #FAB65C text=blue>"); out.println("Hello " + id + ", how can we help you today?"); out.println("<HR><i>You are currently logged in as : <b>"+id+"</b></i>"); out.println("</body></html>"); out.close(); } public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException,IOException { String id = req.getParameter("id"); String password = req.getParameter("password"); HttpSession session = null; boolean valid = validateUser(id,password); if(valid == true) { session = req.getSession(true); session.putValue("id",id); } res.setContentType("text/html"); PrintWriter out = res.getWriter(); out.println("<html>"); out.println("<head><title>Implement your own Login Authentication</title></head>"); out.println("<body bgcolor= #B02AC9 text=blue>"); out.println("<h2>Implement your own Login Authentication</h2>"); if(valid == true) { res.sendRedirect("/examples/servlet/LoginServlet"); } else { out.println("You are and unauthorized visitor...."); } out.println("</body></html>"); out.close(); } }
Waiting for the reply how to configure web.xml or tomcat 4 a user role creation...

------------------
Muhammad Ashikuzzaman (Fahim)
Sun Certified Programmer for the Java� 2 Platform
--When you learn something, learn it by heart!

Well, you can use the manager application that comes with Tomcat 4 as a breif example. Most of the work is done for you by the servlet engine. The two things you need to do to protect your application are:
1) Include a security constraint in your web.xml. The one with manager application is:
< !-- Define a Security Constraint on this Application -->
< security-constraint>
< web-resource-collection>
< web-resource-name>Entire Application< /web-resource-name>
< url-pattern>/*< /url-pattern>
< /web-resource-collection>
< auth-constraint>
< !-- NOTE: This role is not present in the default users file -->
< role-name>manager</role-name>
< /auth-constraint>
< /security-constraint>
This tells the servlet engine that everything under manager requires a Http Basic Authentication prior to viewing. It also states that the person logging in must belong to the manger role.
As for establishing users and roles, there are a couple of ways. The easiest is to modify the tomcat-users.xml under < TOMCAT_HOME>/conf directory and include an entry for your user. As you see by the web.xml entry above, the comment tells you that a manager hasn't been defined and you will see this in tomcat-users.xml. Add an entry such as:
< user name="admin" password="admin" roles="manager" />
And when you go to the manager application, you are greated with the login popup. Logging in with admin, admin will allow you to access the manager application.
Also if you examine the tomcat-users.xml, you'll see that a user can belong to multiple roles.


------------------
I Hope This Helps
Carl Trusiak, SCJP2, SCWCD

Hi Tom & Carl,
There are two approaches for securing your web applications. They are ---- programmatic security & declarative security. The former is implemented by the developer through programming/coding for the particular application. The later approach is offered by the J2EE which is implemented by the web container. There can be four types of declarative security mechanism. They are ----
(a) HTTP basic authentication, (b) HTTP digest authentication, (c) HTTP client or client-cert authentication(through SSL/HTTPS) and (d) Form-based authentication.

I gave you earlier an example code of programmatic security. And now here is the form-based authentication (option d) by Tomcat 4. I m giving my web.xml file that is needed to configure with tomcat-users.xml file. When a user comes first time in my site he will be automatically challenged by a request/response page for username & password. Once he gives username "ashik" & password "java" he'll never be asked the challenged again in this session.

tomcat-users.xml
================
<!--
NOTE: By default, no user is included in the "manager" role required
to operate the "/manager" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="ashik" password="java" roles="admin" />
</tomcat-users>
=================================================================
web.xml
=======
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">;
<web-app>
<servlet>
<servlet-name>
ShowMsg
</servlet-name>
<servlet-class>
ShowMessage
</servlet-class>
<init-param>
<param-name>
message
</param-name>
<param-value>
Sun Certified Web component developer (SCWCD)
</param-value>
</init-param>
<init-param>
<param-name>
repeats
</param-name>
<param-value>
10
</param-value>
</init-param>
</servlet>

<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<description>Testing Form-based Authentication in Tomcat 4</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>Cookie Servlet Administrator</description>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/ashik4u/login.html</form-login-page>
<form-error-page>/ashik4u/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Registered Members</description>
<role-name>admin</role-name>
</security-role>
</web-app>

And the login.html that resides under my ashik4u context is like this -----

<html>
<head>
<title>Container's Login Authentication</title>
</head>
<body bgcolor=#e0d0c0 text=blue>
<h1>Please Login</h1>
<hr>
<form action="j_security_check" method=post>
<table bgcolor=#e3d2c1 border=0 width="30%" callspacing=3 cellpadding=2>
<tr>
<td><b>Login</b></td>
<td><input type=text size=20 name="j_username"></td>
</tr>
<tr>
<td><b>Password</b></td>
<td><input type=password size=10 name="j_password"></td>
</tr>
<tr>
<td><p><input type=submit value="Sign in"></td>
</tr>
</table>
</form>
</body>
</html>

And yah, u already must have known the meaning for j_security_check, j_username & j_password....