Authentication Help

  1. Authentication Help

    Hi,
    I am trying to create a sample application where I get authentication on the JSP/servlet and JSP pages.

    So I have a login.html, error.html and private.html

    Here is the web.xml:
    <web-app>
      <display-name>AuthenticationTrial</display-name>
      <description>A site to test authentication</description>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <welcome-file-list>
        <welcome-file>index.html</welcome-file>
      </welcome-file-list>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>protectedPages</web-resource-name>
          <description>no description</description>
          <url-pattern>/authtest/protected/private.html</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>no description</description>
          <role-name>priviledgedPerson</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>default</realm-name>
        <form-login-config>
          <form-login-page>login.html</form-login-page>
          <form-error-page>error.html</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <description>A Priviledged Person</description>
        <role-name>priviledgedPerson</role-name>
      </security-role>
    </web-app>

    So when I try to access private.html I don't get challenged, or even an error or anything. The HTML pages contain nothing at the moment. Can anyone shed some light on this, and also on what needs to be done to stop users from accessing pages they are not authorized to see without actually having to code some checks into each page? Shouldn't the container manage this security stuff? If not, what is the purpose of all this setup in the deployment tool then? Do I have to set it up there and then in each servlet, JSP or HTML page check if the user is logged in or not, or is authorised to view a page or not?

    Any help on this is appreciated, and code samples would be very helpful too.

    regards

    charbel


  2. Authentication Help

    For each servlet and/or JSP, you need to define a <servlet> tag mapping each to a servlet name.

    You then need to establish a <servlet-mapping> tag for each URL defined. You will need to read the servlet spec to understand the possible URL patterns you may use.

    Then, finally, you will need to establish security constraints, which constrain url-patterns directly and therefore constrain the JSPs/servlets indirectly via the previous steps.

    Your login-config tag should be fine. However, I would not use this tag at first, so you can test that security is simply working according to your desired constraints. Then I would add the login-config tag.

    Here is an example which will get you started.
    This example works. Notice how the JSP or servlet is given a servlet-name. That name is mapped to the URL "/yo", and then "/yo" is mapped to the security constraint.
    You don't need to mention methods in the constraint unless you don't want the default of all methods to be included.
    I could have said "/yo/*", which would mean that any URL with "/yo" would be mapped to Hello.jsp.
    Again, read about URL patterns in the Servlet 2.2 spec for extra info.
    Your HTML can be protected directly in the security-constraint using url-patterns.

    Hope this helps.

    Thanks,
    Anthony

    Example:
    <web-app>
      <!-- the JSP gets a servlet-name so it can be referenced by the mapping below -->
      <servlet>
        <servlet-name>Hello</servlet-name>
        <jsp-file>/Hello.jsp</jsp-file>
      </servlet>

      <!-- the servlet-name is bound to the context-relative URL /yo -->
      <servlet-mapping>
        <servlet-name>Hello</servlet-name>
        <url-pattern>/yo</url-pattern>
      </servlet-mapping>

      <!-- the same URL (patterns are case-sensitive) is then constrained to the guru role -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>SecurityTest</web-resource-name>
          <url-pattern>/yo</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>guru</role-name>
        </auth-constraint>
      </security-constraint>

      <security-role>
        <role-name>guru</role-name>
      </security-role>
    </web-app>
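A complete declarative setup along the lines of Anthony's answer, with the FORM login wired back in, as an added example that is not code from either post. It assumes the application is deployed under the /authtest context (url-pattern and form-login-page are context-relative, so the context name must not appear in them), that login.html and error.html sit at the context root, and that the container's realm defines a user holding the privilegedPerson role.

```xml
<!-- web.xml: the container enforces this; no per-page checks are needed -->
<web-app>
  <!-- context-relative: protects http://host/authtest/protected/... -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protectedPages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- no http-method listed, so every method is constrained -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>privilegedPerson</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- FORM login posts the password in the request body; require TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <!-- both paths must begin with "/" and are relative to the context -->
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>privilegedPerson</role-name>
  </security-role>
</web-app>

<!-- login.html: the container intercepts only a POST to j_security_check
     carrying fields named exactly j_username and j_password -->
<html>
  <body>
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username" />
      <input type="password" name="j_password" />
      <input type="submit" value="Log in" />
    </form>
  </body>
</html>
```

Requesting /authtest/protected/private.html unauthenticated should now redirect to login.html, and after a successful login the container replays the original request; a user without the privilegedPerson role gets a 403 from the container without any code in the page.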