Hi, I am trying to get a simple servlet up and running on Tomcat 3.3 using user roles/permissions as practice revision for the SCWCD. Does anyone know of any simple examples on the web - or an easy step by step guide of each element of the servlet deployment descriptor? Any help would be greatly appreciated Tom
Hi Tom, You have the exact same issue as I do. I am working on error handling and security and looking for some resources on the web. I have not found any resources yet. However Java Servlet Programming (oreilly) by Jason Hunter and William Crawford explains security very nicely. I don't think the security chapter is available on the internet for free. I would go to bookstore such as Barnes and Nobles and read one chapter there (just an idea). I would love to see more responses here. Please let me know if you find something. Chintan
I m now using this simple form-based authentication and would like to join u two-guy's search. But temporarily u can use the following : The HTML page (loginScreen2.html) used to invoke the login servlet...
And source code for LoginServlet.java
Waiting for the reply how to configure web.xml or tomcat 4 a user role creation...
------------------ Muhammad Ashikuzzaman (Fahim) Sun Certified Programmer for the Java� 2 Platform --When you learn something, learn it by heart!
Well, you can use the manager application that comes with Tomcat 4 as a breif example. Most of the work is done for you by the servlet engine. The two things you need to do to protect your application are: 1) Include a security constraint in your web.xml. The one with manager application is: < !-- Define a Security Constraint on this Application --> < security-constraint> < web-resource-collection> < web-resource-name>Entire Application< /web-resource-name> < url-pattern>/*< /url-pattern> < /web-resource-collection> < auth-constraint> < !-- NOTE: This role is not present in the default users file --> < role-name>manager</role-name> < /auth-constraint> < /security-constraint> This tells the servlet engine that everything under manager requires a Http Basic Authentication prior to viewing. It also states that the person logging in must belong to the manger role. As for establishing users and roles, there are a couple of ways. The easiest is to modify the tomcat-users.xml under < TOMCAT_HOME>/conf directory and include an entry for your user. As you see by the web.xml entry above, the comment tells you that a manager hasn't been defined and you will see this in tomcat-users.xml. Add an entry such as: < user name="admin" password="admin" roles="manager" /> And when you go to the manager application, you are greated with the login popup. Logging in with admin, admin will allow you to access the manager application. Also if you examine the tomcat-users.xml, you'll see that a user can belong to multiple roles.
Hi Tom & Carl, There are two approaches for securing your web applications. They are ---- programmatic security & declarative security. The former is implemented by the developer through programming/coding for the particular application. The later approach is offered by the J2EE which is implemented by the web container. There can be four types of declarative security mechanism. They are ---- (a) HTTP basic authentication, (b) HTTP digest authentication, (c) HTTP client or client-cert authentication(through SSL/HTTPS) and (d) Form-based authentication.
I gave you earlier an example code of programmatic security. And now here is the form-based authentication (option d) by Tomcat 4. I m giving my web.xml file that is needed to configure with tomcat-users.xml file. When a user comes first time in my site he will be automatically challenged by a request/response page for username & password. Once he gives username "ashik" & password "java" he'll never be asked the challenged again in this session.
tomcat-users.xml ================ <!-- NOTE: By default, no user is included in the "manager" role required to operate the "/manager" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary. --> <tomcat-users> <user name="tomcat" password="tomcat" roles="tomcat" /> <user name="role1" password="tomcat" roles="role1" /> <user name="both" password="tomcat" roles="tomcat,role1" /> <user name="ashik" password="java" roles="admin" /> </tomcat-users> ================================================================= web.xml ======= <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> <servlet> <servlet-name> ShowMsg </servlet-name> <servlet-class> ShowMessage </servlet-class> <init-param> <param-name> message </param-name> <param-value> Sun Certified Web component developer (SCWCD) </param-value> </init-param> <init-param> <param-name> repeats </param-name> <param-value> 10 </param-value> </init-param> </servlet>