Brian Jennings

Greenhorn
since Jan 05, 2011

Recent posts by Brian Jennings

I found a way to get this to work. Google at home provided many more results!

The login page still has broken images, but at least I can log in now, and successfully display our main page.

http://unmaintainable.wordpress.com/2011/04/17/excluding-pages-from-auth/


<security-constraint>
<web-resource-collection>
<web-resource-name>Private</web-resource-name>
<description>Matches all pages.</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>authenticated-user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<description>Matches a few special pages.</description>
<url-pattern>/index.jsp</url-pattern>
<url-pattern>/login.jsp</url-pattern>
<url-pattern>/public/*</url-pattern>
</web-resource-collection>
<!-- No auth-constraint means everybody has access! -->
</security-constraint>
<security-role>
<description> A role for all authenticated ("logged in") users. This role must be present in the servlet container's user management database. </description>
<role-name>authenticated-user</role-name>
</security-role>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>My Webapp</realm-name>
</login-config>
13 years ago
I agree it was a poor naming choice. Not mine, but I don't think I should rewrite it at this time. It is what it is unfortunately.

I tried adding a second web-resource-name. MyEclipse flagged it as an error.

I'm limited in what I can access on the internet here at work. I'll try more at home.

Thanks for all your help.
13 years ago
I may have misspoken; MyUser in the web.xml seems to be identifying the web resource name, and is associated with the URL path containing our application.

Please keep in mind this is all pretty new to me, thanks for your patience!

So would I define a second web resource name associated with our images directory and then not assign it a security role, as below?

<web-resource-collection>
<web-resource-name>myuser</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
...
<web-resource-name>images</web-resource-name>
<url-pattern>/servlet/images/*</url-pattern>
..
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>myuser</role-name>
<role-name>??</role-name>
</auth-constraint>

I'm not following your suggestion, as I'm not sure how I would then assign this explicitly to 'no role'.


By the way, I'd love to 'RTFM' but I don't have a manual and I can't find anything like what you describe on the web. ;)
13 years ago
Thanks for all the help, Tim. It's becoming clearer to me!

I see what you mean about not trying to access racf from the local PC version of the server. I suspected that would be a problem.

I'll stick to trying to get this image issue resolved, as hopefully that will let me log on to the application locally via the Tomcat security already in place.

Below is the web.xml we are using, with specific identifying info removed. (specific package name etc)

'myuser' is defined in Tomcat in the tomcat-users file, and is what we use to login (to our local development server) prior to setting up the new form based authentication. Currently, it seems to authenticate fine using 'myuser' in form-based but cannot display the images (causing the application to fail after redirection back to the servlet)

I haven't been able to find the syntax on how to specify an empty security role list for a directory (/images). What would the syntax be? We have a security role set up for 'myuser' as shown below.

Thanks!




<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp">
<display-name>sps</display-name>
<filter>
<filter-name>FormLoginFilter</filter-name>
<display-name>FormLoginFilter</display-name>
<filter-class>....login.FormLoginFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>FormLoginFilter</filter-name>
<url-pattern>/j_security_check</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>WelcomeServlet</servlet-name>
<display-name>WelcomeServlet</display-name>
<servlet-class>....servlets.WelcomeServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>DispatcherServlet</servlet-name>
<display-name>DispatcherServlet</display-name>
<servlet-class>....servlets.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>WelcomeServlet</servlet-name>
<url-pattern>/servlet/....servlets.WelcomeServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DispatcherServlet</servlet-name>
<url-pattern>/servlet/....servlets.DispatcherServlet/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>servlet/....servlets.DispatcherServlet?l=e</welcome-file>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.xtp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<taglib>
<taglib-uri>/our_taglib.tld</taglib-uri>
<taglib-location>/WEB-INF/sps_taglib.tld</taglib-location>
</taglib>
<resource-ref id="ResourceRef_1122386543187">
<res-ref-name>jdbc/our_ref</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
<security-constraint>
<web-resource-collection>
<web-resource-name>myuser</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>myuser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>My-Application-System</realm-name>
<form-login-config>
<form-login-page>/LoginForm.jsp</form-login-page>
<form-error-page>/AuthFailed.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description></description>
<role-name>myuser</role-name>
</security-role>
</web-app>

13 years ago
Yep, the realm jar file is in the appropriate place, no issue there.

PlatformUser is an IBM provided class that is meant to connect to RACF. We are using the following Jars in the application to allow connection to RACF:
Security.jar, IRRRacf.jar, J2EE.jar


I'm using Tomcat 5.5. I probably should have mentioned that earlier.

Since this application is being migrated to a WAS Server on a mainframe for testing/production, I need to find a way to use the application on a local development server (local to my PC). I'm not even sure RACF on the mainframe is available going through Tomcat.

Our web.xml is set up to recognise form based login. For WAS we have a login filter among other settings. As you said, Tomcat ignores these settings and triggers the logon page when I try to navigate to the starting servlet for the application.


How do I set up unprotected URLs locally so that I can access the images?

Thanks again!
13 years ago
I found the SAF Realm info at Dovetail:

http://dovetail.com/docs/misc/saf.html

I downloaded the SAFRealm.zip and followed the instructions.

I'm now getting this error when trying to login:

java.lang.NoClassDefFoundError: com/ibm/os390/security/PlatformUser
at com.dovetail.zos.tomcat.SafRealm.authenticate(SafRealm.java:167)
...

This is strange because all the required jars including where PlatformUser is defined are in my class path.

I still have the images problem too.
13 years ago
Thanks for the info, Tim! I'll look into that.

I tried using our new login page in Tomcat with SSL, and it appears to work with the realm we had before the form login was added.

The only problem now is that with SSL our images in the /images directory are not being displayed.

Is there a setup required to allow the browser to access images and similar resources under SSL and Tomcat?



I agree that mixing environments is not optimal, but we have had no problems deploying our system to the mainframe server. It's only the development environment that is giving us issues with the new form based login.

We will be switching to WAS locally eventually, as well as from Windows XP & IE6 to Windows 7 & IE8. It's a government shop and is slow to change!
13 years ago
Hello,

I'm trying to see if what I want to do is even possible.

I've taken over the authentication portion of our application.

Currently our production environment uses WAS 6.1 on a mainframe server and authenticates users against RACF.

Our development environment, however, is Tomcat running with MyEclipse. The previous developer got the application working fine with a new form based login in WAS6.1 on the server but cannot get it to run locally in Tomcat.

I did try MyEclipse Blue and WAS 6.1 locally with no luck. Since this is not a WAS forum, I will not get into the issues there.

So my task is to either get the form based login to work in Tomcat or to find some way to allow our developers to test locally without the login feature getting in the way.

Any suggestions on where to start?

I'm not familiar with authentication and how it's handled in Tomcat, but it appears that Tomcat has its own authentication method and cannot interface with RACF. Is this the case?

Is there a way to force successful login if on the development server? Are there other options I may not be aware of?

My only option that I can currently see is to use an old web.xml for development machines that does not use form based authentication. Maybe I can set up some 'development environment only' tomcat authorization?

Thanks
13 years ago
Thanks again for the reply.

What would your solution for this be?

Currently they are using a third party application to pull the report off the mainframe spool queue and send it to their printer, so in that respect the problem already exists. We just want to eliminate the third party application.

The users are all within our organization. This is not open to any shmo on the internet.
13 years ago
Thanks for your reply.

It's fine that the user will have to click on the security pop-up. We are printing a cheque and the user has to set up the printer with cheque stock. We don't want them to be able to print more than one copy though (or choose a different printer), so no, we can't display the report, or store it, or display the print dialog.

We want the report to be sent to the printer on the user's request, with the user's knowledge.

Is calling a static method in a non display applet appropriate use? Since the report is in a bean, the applet won't retain a copy of the report, correct? If I'm using a static method for printing, does the applet even have to be initialised?

I'm only using an applet so I can have access to the local printer, security certificate problems aside. Is this a reasonable use for an applet?

Thanks
13 years ago
Hi, I wanted to describe a problem I'm trying to solve and see if I'm taking the wrong approach.

I'm new to applet and JSP programming so am not familiar with the best way to solve this.

Basically I'm changing an existing system that uses a JSP generated front end and a mainframe back end running COBOL/CICS. Currently a report is generated in COBOL (at the request of a JSP screen) and sent to a spool on the mainframe for printing. I want to move the printing function into the JSP.

The way I want to do this is have the report output returned to the JSP in a bean and have the JSP call an applet that would send the report to the default printer.

Funny thing about the applet is, I do not want to display it. I simply want the jsp to pass the data and have the applet silent print. Is this an appropriate use for an applet? Is there a better way of accomplishing this? Can I even have an applet that is non display?

I thought I could simply create a static method in the applet and have the JSP call this method. I'm not sure this would even work really. I just don't know the web programming structure well enough.

Thanks for your time.

13 years ago