Application Security

 
Greenhorn
Posts: 15
Hi...
I have a JSP application in Tomcat 4.1.18.
I'm trying to restrict it to only some roles.
How can I define a Security Constraint for an application in the web.xml file?
Is it necessary to put some code in /conf/server.xml too?
Could somebody post an example... :roll:
 
Ranch Hand
Posts: 3695
IntelliJ IDE Java Ubuntu
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

There is also an existing examples app that uses security constraints at: http://localhost:8080/examples/jsp/security/protected/
 
Pedro Garcia
Greenhorn
Posts: 15
Thanks...
I checked it.
It's what I was looking for....
but...
Why does the JSP example send me error 404 when I log in, then go back and log in with a wrong password?
Do I need to initialize the session again?
How can I fix it?
 
Mike Curwen
Ranch Hand
Posts: 3695
IntelliJ IDE Java Ubuntu
I think I know what is happening, but this is only what I deduce, not what I know.

The example web-app uses container-managed, FORM-based authentication. That is what this page is for: http://localhost:8080/examples/jsp/security/protected/login.jsp

Note that the form elements are named j_username and j_password, and also that the action is j_security_check.

The action must be j_security_check, so that the container knows "that means forward this request to my internal authorization code, which expects something called j_username and j_password". You can customize login.jsp any other way, but that action and those form field names MUST be used if you want container-managed security to work.

One of the things that the container probably does as an efficiency test, is checks first if the user making the request is ALREADY logged in. Why authenticate when they've already been authenticated?

Because you just click "back", you are not logged out, so your session continues to be valid. When the container receives your second request (one with a bad password), it sees you are already logged in, and it will "pass off" the request to the web application that is being protected. *THAT* application does not have a resource mapped to j_security_check, and so you get the 404.

The solution is to logout with the link provided on index.jsp (the page you see after a successful login).
 
Pedro Garcia
Greenhorn
Posts: 15
Thanks for your help.
Your explanation helps me to understand.
But how can I prevent users from using the "back" button?
Or is it better to use another method to authenticate?...
 