Hi in my application i want to secure my jsp pages, i dont want the pages to be viewed directly by copying the url in short i want to make them password protected unless a user sign in user cannot see the further pages, in order to achieve this i added security-constraint in my web.xml
also in my UserValidation Servlet when i try to print the username System.out.print(request.getUserPrincipal().getName()) it does not display the username rather its a blank space also the if(request.isUserInRole("admin")) does not results true.
any suggestions please..
[ Edited to fix code tags - Paul Sturrock ] [ October 07, 2008: Message edited by: Paul Sturrock ]
no i did not add a <login-config> element , the way its getting authenticated is once the user enters username and password and clicks LogOn button UserValidation Servlet authenticate the user credentials refering to the entries in the database. The application is not working with HTTPS..with http://localhost:8080/BankBoard it shows login page with https://localhost:8080/BankBoard it says "Internet Explorer cannot display the webpage
Most likely causes: You are not connected to the Internet. The website is encountering problems. There might be a typing error in the address. " [ October 07, 2008: Message edited by: ruquia tabassum ]
Originally posted by ruquia tabassum: a bit confused wether the user credentials entered are to be checked refering database or leave it on form based authentication which cheks it referring the tomcat-users.xml file?
That depends on how you have configured it in the server.xml file. Somewhere in it is a <Realm> element that specifies which realm implementation is used.
server.xml file contains the database realm <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
actually i want my login page to give an alert message when there is a wrong username and password for that on clicking logon it makes ajax calls and the responsible servlet checks the credentials referring database, based on the servlet response i am directing the control either to welcome page or raising a popup.As welcome page is secure so i dont want the direct access to that page and i employed form based authentication... now whenever i try to acces the welcome page it gives me the unformatted login page with username and password fields scattered here and there. please give me a clear picture of form based authentications...
You can make the login page anything you want (in terms of the HTML), but if you want to use AJAX calls for checking credentials, then that's not supported by the standard security built into the container.
You can use a database instead of the XML file by switching to some other realm, maybe JDBCRealm or DataSourceRealm. The Tomcat documentation explains how to set those up.