Win a copy of Terraform in Action this week in the Cloud forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Liutauras Vilda
Sheriffs:
  • Jeanne Boyarsky
  • Rob Spoor
  • Bear Bibeault
Saloon Keepers:
  • Jesse Silverman
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
Bartenders:
  • Piet Souris
  • Al Hobbs
  • salvin francis

security constraint - not working

 
Ranch Hand
Posts: 139
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,
I am trying to constrain access to a file jstlChoose.do, which is a jsp and I have mapped it to jstlChoose.do in web.xml.
I did the following in my web.xml for the security constraints
--------------------------------------------------------------------------
<code>
<security-constraint>
<web-resource-collection>
<web-resource-name>JSTL Choose</web-resource-name>
<url-patterns>/jstlChoose.do</url-patterns>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>guest</role-name>
</security-role>
</code>
-------------------------------------------------------------

Now, if I understand correctly, only admin and manager are allowed to call GET method on this jstlChoose.do. SO, when I try to access this file using

http://localhost:8080/TestJSP/jstlChoose.do

I should get a browser's standard pop-up form asking for user name and password.
But, it is not asking for any user name and password and I am still able to see the result.
Am I doing something wrong? Do I have to explicitly set some variable to a user role first and then try accessing this file? I am really confused...
Any help is welcome,

Regards,

Sushma
 
Ranch Hand
Posts: 136
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Your understanding is *mostly* correct. Two points however...

Constraint-based security works by constraining resources, as the name implies. Keep in mind though that you are only constraining the GET method... *any* user can still use POST or other methods to access that constrained resources. This isn't causing you a problem, I don't think, but it is worth noteing because it trips people up a lot at first.

I think the cause of your problem is that you haven't completed the configuration... remember that the settings in web.xml do nothing without your container being made aware of the constraints. For instance, in Tomcat you would add entries to tomcat-users.xml for your admin and manager. In Websphere it's mappings in application.xml and ibm-application-bnd.xmi, other containers will be different still.

Otherwise, I don't see anything wrong with your configuration at first glance. So, Google for details on configuring whatever container you are in and I'd expect it to work.
 
Sushma Sharma
Ranch Hand
Posts: 139
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I am using tomcat and I did created admin and manager roles before even trying this security constraint and that's why I can't understand why it's not working...
Is there anybody who got this problem before???
 
Ranch Hand
Posts: 68
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

Even i too have the same problem.

This is by tomcat-users.xml


and my web.xml is




still i am able to access the page.
If my configuration is correct, am i need to do any other changes other than in these two files ?
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic