Web.xml form security login

I am using form-based security in a web.xml file. I was wondering if there is
any way to limit logins, for example...
I log on with a uid "peterc" and a password of "car", I don't want anyone else
to then be able to log in using the same uid and password while the session is
active. We are using a custom built realm that extends the abstractManagableRealm,
and Netscape Directory server for our LDAP tree, Weblogic Application Server 5.1
sp8. Is there a tag in the web.xml file we can set, or do we need to add code
to the realm? Or could there be another simple solution?

Chris,
I think you have to do this on your own - I know of no standard or proprietary way of
limiting how many simultaneous times a user is logged in.
Chris wrote:
I am using form-based security in a web.xml file. I was wondering if there is
any way to limit logins, for example...
I log on with a uid "peterc" and a password of "car", I don't want anyone else
to then be able to log in using the same uid and password while the session is
active. We are using a custom built realm that extends the abstractManagableRealm,
and Netscape Directory server for our LDAP tree, Weblogic Application Server 5.1
sp8. Is there a tag in the web.xml file we can set, or do we need to add code
to the realm? Or could there be another simple solution?
--
Tom Mitchell
[email protected]
Very Current Stoneham, MA Weather
http://www.tom.org

Similar Messages

  • Web.xml and security constraints

    Hi,
    I have several web services deployed. I only want to protect one of these web services.
    If I use "/services/*" in <security-constraint> of my web.xml file, all my deployed web services are protected.
    If I use "/services/aaaWebService" in <security-constraint> of my web.xml file, aaaWebService web service is NOT protected.
    Please let me know what I should use for the <url-pattern> to protect only aaaWebService.
    Thanks /dan

    What about "/services/aaaWebService*"?
    I think without an asterisk service parameters don't match your pattern.
    Vovencij

  • Weblogic 10 jaas and login.jsp and web.xml/weblogic.xml security constraints

    Hello,
    I struggled through and got the examples.security.jaas.SampleCallbackHandler.java and examples.common.utils.ExampleUtils.java/ExampleConstants.java into Eclipse where they compile. A bean I made can call SampleCallbackHandler like this:
    mybean.logmein(username,password,url). I can then do a mybean.getStatus() or even a mybean.returnCode(). It does seem to correctly identify that it is authenticating me (I see in stdout logs that it shows success or failures). The problem I have is I do not know how to apply this to WebLogic and web.xml/weblogic.xml so that if authentication works it redirects me to the page requiring the authentication. In web.xml I have the following set up:
    <security-role>
         <role-name>Admins</role-name>
    </security-role>
    <login-config>
         <auth-method>FORM</auth-method>
         <realm-name>default</realm-name>
         <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/badlogin.html</form-error-page>
         </form-login-config>
    </login-config>
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>empower</web-resource-name>
              <description>These pages are only accessible by authorized users.</description>
              <url-pattern>/admin/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
    <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>Administrators</role-name>
    </auth-constraint>
         <user-data-constraint>
         <description>This is how the user data must be transmitted</description>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    My weblogic.xml has:
    <?xml version="1.0" encoding="UTF-8"?>
    <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
    <wls:security-role-assignment>
    <wls:role-name>Admins</wls:role-name>
    <wls:principal-name>Administrators</wls:principal-name>
    <wls:principal-name>dashap</wls:principal-name>
    </wls:security-role-assignment>
    </wls:weblogic-web-app>
    With this set up, if I try to go to a page in /admin folder in my application, it correctly pops up the login page. The jaas in the bean is doing a loginContext.login(), which I thought does authentication too, but it never goes back to the /admin page I was going to that needed the authentication. With jaas, can I not use the web.xml FORM security option? Do I need to use j_security in the login.jsp's form's action= option and j_username and j_password for the input type names? How do I use j_username/j_password things if I am using jaas? I could just ignore using the web.xml security stuff and put something in the pages that need authentication, but it would be easier if I could use jaas with the security features without doing all that. Note that my code above is using a realm called default just because that was what was in the example I got from the web. Does that need to be something else?

    Hi John,
    I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
    I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
    Ideally, the flow is something like:
    - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
    - user presses a link or button that takes him/her to a protected resource
    - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
    - the application can access the subject and principals
    - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
    The authentication method is client certificate. Presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
    I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
    If you have more ideas to share - I would love to hear them.
    best regards,
    Lucas

  • Web Center app with ADF Security - login problem

    I have a custom Oracle Web Center app.
    I have a page.html with an embedded login form posting to j_security_check. I've configured the ADF security policies to redirect to a JSPX on successful login.
    When I try the correct username/password, I get redirected not to the page I defined in ADF, but to the root page http://127.0.0.1:7101/MyApp-ViewController-context-root/
    and I get
    Error 403--Forbidden
    I've checked the weblogic.xml as per http://andrejusb.blogspot.com/2009/12/solving-error-403-forbidden-in-adf.html, all the required entries are there.
    This works fine if I use a Login link with
    destination="#{'/adfAuthentication?login=true&amp;end_url=/faces/postLogin.jspx'} "
    which redirects to the default login.html and then to the right page. I've copied the form from the default login.html into my master HTML page.
    Hope my question is clear. Any suggestions why it is going to the wrong URL after login?
    Is there anything specific I should see in the jazn-data.xml or web.xml regarding the post-login URL, since I can't see that in either?
    P.S. Have been advised to try here when I originally asked this in the WebCenter forum. Web Center app ADF Security - login problem
    Edited by: new_to_webcenter on 18-Jan-2011 05:25

    Thanks for your response Frank.
    The web.xml has
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>valid-users</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
    </form-login-config>
    </login-config>
    When configuring ADF Security via JDev , I chose "Redirect upon successful authentication" to the Welcome Page
    "/faces/postLogin.jspx"
    this then adds into web.xml
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
    <param-name>success_url</param-name>
    <param-value>/faces/postLogin.jspx</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    So the sequence which works is:
    Login via the '/adfAuthentication?login=true&end_url=/faces/postLogin.jspx' and this redirects to login.html (OOTB form which posts to j_security_check) and then to the postLogin.jspx
    I'm trying to do away with a Login link, and trying the simple login form embedded in my page along with other content.
    So should the form be posting to j_security_check directly or to the adfAuthentication?

  • JDev 10g - Security - web.xml - URL pattern matching

    Hello,
    I use JDeveloper 10.1.3.4. I have been trying for 4 hours to figure out what is going on:
    I set security constraint in web.xml:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>books</web-resource-name>
    <url-pattern>faces/app/books/*</url-pattern>
    <url-pattern>faces/*/app/books/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>books</role-name>
    </auth-constraint>
    </security-constraint>
    User is logged in with role "books" for sure.
    http://192.168.0.109:8988/lib/faces/app/books/page.jspx can be seen
    but dialogs can't be seen, url is : http://192.168.0.109:8988/lib/faces/__ADFv__?_afPfm=1.5&_t=fred&_vir=/app/books/Search.jspx&loc=en&_rtrnId=2
    it redirects to login page.
    Another thing, when I set only one url pattern : faces/app/books/*.jspx
    I can't even see faces/app/books/page.jspx page!
    It's very curious, there has to be something else somewhere to set, because in SRDemo app these 2 cases don't cause problems.
    Bart
    snowface.net - snowboard equipment reviews

    Hi,
    dialogs are not opened by a GET request, which is what container managed authorization looks at. It basically bypasses this kind of security, which means that developers should check manually on the command component that launches the dialog if the authenticated user is allowed to do this. Also note that the default JSF navigation is by postback, which means you have to set all navigation to use the redirect flag to make it work with container managed security.
    Frank

  • Web.xml problem and using of FrontController Pattern

    I use FrontController pattern and created servlet ControllerServlet.
    I want that when users open my site (for example mysite.com) all requests go to the controller, and even when users enter a direct path to a JSP or servlet, all requests are sent to ControllerServlet.
    As I read in "Java Servlet and JSP CookBook", for this I have to write the following code in the web.xml file:
    <servlet-mapping>
      <servlet-name>ControllerServlet</servlet-name>
      <url-pattern>/*</url-pattern>
    </servlet-mapping>
    so any request will be sent to my controller servlet.
    But now I have another problem. How do I call my JSP pages? When I use RequestDispatcher and forward the request to the JSP page login.jsp, I get an error because this request is again redirected to the controller.
    PS: For calling servlets I have a solution to this problem: I just have to add a security-constraint element for the needed servlets to the web.xml file.

    You really shouldn't have to map all urls to your ControllerServlet. Set the welcome file in the web.xml to open index.html and in index.html use JavaScript to direct the page to the ControllerServlet. Now as long as you only do RequestDispatcher forwards (no sendRedirects), all hyperlinks point to the ControllerServlet and all form actions point to the ControllerServlet, you are okay. The reason is that the user will never see anything else in the browser address other than the ControllerServlet url and should never know the url of any other JSP or Servlet to request them directly.

  • Form Base Login

    Dear programmers
    I tried to use form-based login and unfortunately nothing happened.
    I have written this little form:
    <form method="post" action="j_security_check">
         <table width="80%">
              <tr>
                   <td width="20%" align="right">
                        UserId:
                   </td>
                   <td>
                        <input size="20" type="text" name="j_username" maxlength="25">                    
                   </td>
              </tr>
              <tr>
                   <td align="right">
                        Password:
                   </td>
                   <td>
                        <input size="20" type="password" name="j_password" maxlength="25">
                   </td>
              </tr>
              <tr>
                   <td></td>
                   <td>
                        <input type="submit" name="action" value="Login">
                        <input type="reset" name="reset" value="Clear">
                   </td>
              </tr>
         </table>
    </form>
    and configured the web.xml this way:
    <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
              <form-login-page>/jsp/login.jsp</form-login-page>
              <form-error-page>/jsp/error.jsp</form-error-page>
         </form-login-config>
    </login-config>
    I did everything like in the example of http://www.redbooks.ibm.com/abstracts/tips0220.html?Open
    I expected that when I try to navigate to a page in my application, I'll be automatically redirected to the login page. Unfortunately it didn't happen.
    Did I do something wrong?
    Should I do something on the server? (I use websphere 5.1.2).

    Hi adslyl, thanks for the reply.
    I have defined the following security-constraint:
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>(New Web Resource Collection)</web-resource-name>
              <description></description>
              <url-pattern>/faces/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
    </security-constraint>
    But it seems that it doesn't help. If I understand it correctly every reference to doGet() or doPost() should perform this security mechanism. Am I right?

  • Web.xml, struts and ssl

    Hi there,
    on our projects web pages we use struts, to combine the html of our pages with the java code behind. To enable SSL I added a security constraint to the web.xml:
         <security-constraint>
              <display-name>SSL Constraint</display-name>
              <web-resource-collection>
                   <web-resource-name>secured login resource</web-resource-name>
                   <description></description>
                   <url-pattern>/index.html</url-pattern>
                   <url-pattern>*.do</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>PUT</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description></description>
                   <role-name>authenticatedUser</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    Some of our web pages need to use no SSL. So I added (for first testing) a second security constraint to the web.xml and defined which pages should be without SSL:
         <security-constraint>
              <display-name>No-SSL Constraint</display-name>
              <web-resource-collection>
                   <web-resource-name>businesstransaction resource</web-resource-name>
                   <description></description>
                   <url-pattern>*.go</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>PUT</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description></description>
                   <role-name>authenticatedUser</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    As you can see, I exchanged *.do with *.go for testing. I simply defined all actions I want to be used without SSL with a .go instead of a .do in the struts.config.
    In principle it works, but there is a problem: The default behaviour for struts seems to be that the name of the new action is posted in the url at the end of the standard starting url.
    Our url starts with https://localhost:9443/client-web/, and whatever action I start, this url text in the browser window never changes, regardless of whether the next action would be protected or not.
    First I thought my url pattern would be wrong, or the user or whatever. But then I found out that when changing the url in the browser window by hand to http://localhost:9080/client-web/ it works. The web page then is without SSL active. And when I manually change the url while viewing a page that is meant to be SSL protected, the browser automatically changes to the SSL address.
    But then again, moving to a page without SSL does not force the browser to change its address to the no SSL String. So again, SSL is active though a non secure access would be allowed.
    Anybody has any idea how to change this default behaviour? It would be important to not only tell the server that non secure would be ok, but to actually USE non secure connection automatically.
    The internet explorer is not able to upload files in SSL mode (though any other browser is able to), and our customer insists on using IE. And to tell the users "oh, just edit the line there in the window manually and reload the page will help ... or use Firefox" will not be a suitable solution.
    Regards, Rommie.

    There is a plugin called sslext which will do most of what you need.
    http://sslext.sourceforge.net/
    I think the last time I used it I made some changes to the plugin source so that I could force non-ssl to be the default behaviour unless SSL was explicitly stated in struts.config, but can't remember for sure. Bottom line is it will do most of what you need and can probably be modified to do the rest without too much trouble.

  • How can one use one specific security realm per application ? The realm-name attribute of the login-config tag of web.xml does not make any difference

    Hi,
    I have different sets of users coming from different databases and using different
    roles mapping for each of my web applications. I would like to configure a specific
    security realm per application in my weblogic server 7.0 . Is it possible ?
    I tried to specify the realm-name of the login-config tag from the web.xml deployment
    descriptor but it doesn't make any difference. The default realm is always used.
    I also would like to tell the Weblogic server to use the default realm in case
    the realm isn't specified or isn't found. For example, the default would contain
    my admin users.
    Thanks a lot for your answer.
    Iz

    I think this is a common mistake: the realm-name tag in the deployment descriptor is used
    just by the browser for display purposes (when it opens the basic auth dialog box), so as
    of now there is only 1 active realm, which can have multiple providers, as Kevin pointed
    out.
    Kevin Lewis wrote:
    WebLogic 7 now ignores the realm-name tag (I found that out yesterday).
    My understanding is that there is only one realm active at a time for a domain
    (I would be interested in being contradicted in this).
    However, you can have multiple providers in each category of a realm: authentication,
    authorization, etc. Therefore, what you can do is key authentication, et al,
    off of some other information. We have our users enter their company, for example,
    and use the TextInputCallback to get it. You could also encode something in the
    initial page, based on the URL they hit, or whatever, and get that back in your
    callback.
    You can store that information in your own Principal implementation, and key off
    of that in your authorization provider, going to a different database as appropriate,
    or abstaining when a specific provider doesn’t have anything to say about a subject.
    Anyway, there should be a way to do it, even if it's more complex than you would
    have hoped.
    --Kevin

  • Web Center app ADF Security - login problem

    I'm making an Oracle Web Center app.
    I have an app page.html with an embedded login form posting to j_security_check. I've configured the ADF security policies to redirect to a JSPX on successful login.
    When I try the correct username/password, I get redirected not to the page I defined in ADF, but to the http://127.0.0.1:7101/MyApp-ViewController-context-root/
    and I get
    Error 403--Forbidden
    I've checked the weblogic.xml as per http://andrejusb.blogspot.com/2009/12/solving-error-403-forbidden-in-adf.html, all the entries are there.
    This works fine if I use a Login link with
    destination="#{'/adfAuthentication?login=true&amp;end_url=/faces/postLogin.jspx'} "
    which redirects to the default login.html and then to the right page. I've copied the form from the default login.html into my master HTML page.
    Hope my question is clear. Any suggestions why it is going to the wrong URL after login?
    Is there anything specific I should see in the jazn-data.xml or web.xml regarding the post-login URL, since I can't see that in either?

    Ah so when you try to access a JSPX page it works but when you try to access an HTML page it does not work?
    I can't see what the problem could be if it works for a JSPX but not for an HTML. Perhaps something with the filters in the web.xml
    Maybe you should ask this at the ADF forum: JDeveloper and ADF
    The guys there have way more understanding about this stuff than here.

  • Security in my web.xml in Tomcat 4

    Hello,
    I was using this application on Tomcat 3 and my web.xml worked perfectly well.
    However when I tried to start it on Tomcat 4 there is something wrong with the
    security part of my web.xml . If I leave out the security constraint for this application, it
    works. However if I make my application secure I am unable to view it in the browser.
    It does not try to connect to the login.jsp page for log in , but simply displays the message that the page is unavailable and that I have to refresh my browser. Please help me with that because I am stuck.
    Here is my web.xml :
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
    <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>UploadServlet</servlet-class>
    <init-param>
    <param-name>SaveDirectory</param-name>
    <param-value>C:\Homeworks\</param-value>
    </init-param>
    <init-param>
    <param-name>Proffesors</param-name>
    <param-value>Clayton,Douglass,Guruvado</param-value>
    </init-param>
    </servlet>
    <security-constraint>
    <display-name>Protected Homework Upload</display-name>
    <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
    <!--<url-pattern>/servlet/Upload</url-pattern>-->
         <url-pattern>/servlet/UploadServlet</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
         <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>student</role-name>
    <role-name>proffesor</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
    </login-config>
    </web-app>
    Thank you very much for your time and advice. I appreciate it very much.
    Martin

    Hi, slice
    I do not really find exactly what is wrong in your config file. But I have some suggestions:
    1. Please use servlet URL mapping in "servlet" tag (for example: "/security/upload") instead of using the default servlet URL (just like "/servlet/UploadServlet").
    2. In the "url-pattern" tag inside "web-resource-name", please use "/security/*", if you are using my suggestion above.
    3. Make sure that your "login.jsp" page is in the right place of the application's doc-root.
    Give it a try and good luck!
    Wang Yu
    Developer Technical Support
    Sun Microsystems
    http://sun.com/developers/support
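
The descriptor in the post above carries the comment "If you list http methods, only those methods are protected". The added example below (not code from any poster on this page) audits a web.xml for that condition and three related ones that show up in descriptors quoted here: a security-constraint with no auth-constraint, an auth-constraint role with no matching security-role declaration, and an authenticated constraint whose transport-guarantee is not CONFIDENTIAL. The sample descriptor is constructed, and the function and finding names are this example's own.

```python
"""Added example: a small web.xml auditor. The descriptor below is a
constructed sample; the finding names are this example's own labels."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app>
  <security-role><role-name>Admins</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrators</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>faces</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""


def _strip_namespaces(root):
    """Drop '{namespace}' prefixes so DTD-based and schema-based files read alike."""
    for element in root.iter():
        if isinstance(element.tag, str):
            element.tag = element.tag.rsplit("}", 1)[-1]
    return root


def _texts(parent, path):
    """Trimmed text of every element found at the given path."""
    return [(e.text or "").strip() for e in parent.findall(path)]


def audit(xml_text):
    """Return (url-patterns, finding) tuples, one per issue per security-constraint."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    declared_roles = set(_texts(root, "security-role/role-name"))
    findings = []
    for constraint in root.findall("security-constraint"):
        label = ",".join(_texts(constraint, "web-resource-collection/url-pattern"))
        auth = constraint.find("auth-constraint")
        if auth is None:
            # No auth-constraint: access is allowed without authentication,
            # so the container has no reason to show the login form.
            findings.append((label, "no-auth-constraint"))
        else:
            for role in _texts(auth, "role-name"):
                if role != "*" and role not in declared_roles:
                    findings.append((label, "undeclared-role:" + role))
        if _texts(constraint, "web-resource-collection/http-method"):
            # Listing methods leaves every unlisted method outside the constraint.
            findings.append((label, "unlisted-methods-unprotected"))
        guarantee = _texts(constraint, "user-data-constraint/transport-guarantee")
        if auth is not None and "CONFIDENTIAL" not in guarantee:
            # NONE, or no user-data-constraint, does not require TLS.
            findings.append((label, "transport-not-confidential"))
    return findings


if __name__ == "__main__":
    for label, finding in audit(SAMPLE_WEB_XML):
        print(f"{label}: {finding}")
```
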

  • Question on web.xml and login

    Hi all
    I am doing a web-based project, registered user need to log in before they view the member area pages.
    I have created a directory, called "client", in the Tomcat 4.1.24/webapps/ROOT/client. I have put an index.html in the client directory. This index.html can only be viewed by the client after log in.
    To the best of my knowledge in Tomcat, in order to do this, I have created a web.xml in Tomcat_home/webapps/ROOT/WEB-INF/web.xml, in the url-pattern section, I put /client/* to tell the tomcat server that index.html in client directory is the first page after user login.
    The problem is, I couldn't see the member welcome page after I login as a member, the browser gave me the error: HTTP status 400 - Invalid direct reference to form login page. However, if I specified the address http://localhost:8080/client/index.html , it showed me the login page and after I input the username and password I can see the member welcome page.
    I don't know whether something is wrong with the web.xml or I should do something else to let the server know which is the first page after member login.
    Thank you very much
    Kelvin
    =====================================================
    <web-app>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Security</web-resource-name>
    <url-pattern>/client/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>administrator</role-name>
         <role-name>client</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login_error.html</form-error-page>
    </form-login-config>
    </login-config>
    </web-app>
    =====================================================

    Wow, you really are in the wrong place with this query, its not really even java ;o) This is the new to java forum! Perhaps you would be better off (in fact I know for a FACT that you will be as I have seen answers to identical problems there) in the Tomcat-user list...
    Go HERE:
    http://www.mail-archive.com/[email protected]/
    and search

  • Security API  on web.xml

    Hello, I'm a junior Java programmer.
    My web.xml file contains the following tags:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>UIWebSecurity</web-resource-name>
    <description></description>
    <url-pattern>/</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description>Utente Autenticato</description>
    <role-name>UtenteAutenticato</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>OpenWAY</realm-name>
    <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
    </login-config>
    But I have a problem.
    After my login on the login.html page, the application required another login from me.
    Thanks for helping me.

    Please read the Servlet specification for details on how to specify url-patterns (see section 11.2). Your "index.*" is not a legal pattern. You can only end in "/*" or "*.foo". See Servlet spec.
    If after fixing that you have more questions, please include the actual sequence of requests (and responses), preferably from a network snoop.
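
The pattern rule cited in the reply above, as an added example (not code from any poster on this page): it classifies a url-pattern the way the Servlet specification's mapping rules do, warns when a `*` will be compared literally, and picks the pattern that applies to a request path. The patterns are taken from posts on this page and the request paths are constructed; strict specification behaviour is assumed, and a given container may be more lenient.

```python
"""Added example: url-pattern handling per the Servlet specification's
mapping rules. Patterns come from posts on this page; request paths are
constructed."""


def classify(pattern):
    """Return the mapping type the specification assigns to a url-pattern."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path-prefix"
    if pattern.startswith("*.") and "/" not in pattern:
        return "extension"
    return "exact"  # every other string is compared literally


def lint(pattern):
    """Warn about patterns that rarely mean what their author intended."""
    warnings = []
    if classify(pattern) == "exact":
        if "*" in pattern:
            warnings.append("'*' is a literal character here, not a wildcard")
        if not pattern.startswith("/"):
            warnings.append("pattern does not start with '/'")
    return warnings


def matches(pattern, path):
    """Does a context-relative request path (no query string) match the pattern?"""
    kind = classify(pattern)
    if kind == "default":
        return True
    if kind == "path-prefix":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        last_segment = path.rsplit("/", 1)[-1]
        return "." in last_segment and last_segment.rsplit(".", 1)[1] == pattern[2:]
    return path == pattern


# Order in which the rules are tried: exact, longest prefix, extension, default.
_PRECEDENCE = {"exact": 0, "path-prefix": 1, "extension": 2, "default": 3}


def best_match(patterns, path):
    """Return the single pattern the mapping rules select for a path, or None."""
    hits = [p for p in patterns if matches(p, path)]
    if not hits:
        return None
    return min(hits, key=lambda p: (_PRECEDENCE[classify(p)], -len(p)))


if __name__ == "__main__":
    for p in ["/services/*", "/services/aaaWebService", "/services/aaaWebService*",
              "faces/app/books/*", "faces/*/app/books/*", "*.do", "/"]:
        print(f"{p!r:32} {classify(p):12} {lint(p)}")
    for path in ["/admin/save.do", "/list.do", "/index.html"]:
        print(path, "->", best_match(["/admin/*", "*.do", "/"], path))
```
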

  • Security problem in Web xml??

    Hi all,
    1) I have a web application, I want to use form authentication to secure it. Under my root test, I have login.html, and a secure folder (group of pages).
    I have two tables in my sql server, they are users and user_role; meanwhile I give every user the role member.
    2) In my conf/server I have
    <Realm  className="org.apache.catalina.realm.JDBCRealm" debug="99"
                 driverName="com.microsoft.jdbc.sqlserver.SQLServerDriver"
              connectionURL="jdbc:microsoft:sqlserver://localhost:1433"
             connectionName="test" connectionPassword="1234"
                  userTable="users" userNameCol="Name" userCredCol="user_pass"
              userRoleTable="user_roles" roleNameCol="role_name" />
    In my root test, I have web.xml:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app
        PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
        <welcome-file-list>
            <welcome-file>Home.html</welcome-file>
        </welcome-file-list>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>SecurePages</web-resource-name>
                <description>Security constraint for resources in the secure directory</description>
                <url-pattern>/secure/*</url-pattern>
                <!-- Listing http-method limits this constraint to GET requests only -->
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>member</role-name>
            </auth-constraint>
            <user-data-constraint>
                <description>SSL not required</description>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/Home.html</form-login-page>
                <form-error-page>/ErrorLogin.jsp</form-error-page>
            </form-login-config>
        </login-config>
    </web-app>
    If I take away the security
    <auth-constraint>
        <role-name>member</role-name>
    </auth-constraint>
    in my web.xml, the whole application works fine after login, jumping from page to page, action to action. But if I add it, I can only go to one page; every time I click a link it jumps back to the login page.
    What mistake did I make?
    Best regards.

    Hi,
    I'm assuming you are invoking the JWS from JPD via a service control.
    In this case, the serviceControl has setUsername and setPassword methods, which will allow you to specify the username and password.
    cheers
    Raj

  • Security constraint in web.xml

    Hi All
    I want to set a security constraint to verify my system user. I know I need to put the following section into the Tomcat-created web.xml, but I don't know where the web.xml is on my Tomcat 4.1.24, because I found many web.xml files in different directories.
    Q1) Sorry, I know this is a silly question, but can you tell me which web.xml is the one I need to edit in order to set the security constraint?
    Q2) Instead of editing the Tomcat-created web.xml, can I create my own web.xml and put it in <Tomcat_Home>/webapps/ROOT/WEB-INF? This is only for the security constraint on my system.
    Many many thanks
    Kelvin
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Administration</web-resource-name>
            <url-pattern>/admin</url-pattern>
            <url-pattern>/users</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>administrator</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login</form-login-page>
            <form-error-page>/login-error</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>administrator</role-name>
    </security-role>

    You need to do it for every web-app... that's why there is one web.xml file for each! There is a thing in CATALINA_HOME/conf/server.xml that u can uncomment to enable 'single-logon', which means u can log on once and be authenticated for every web-app...
    root isn't a web-app, I don't think... so therefore u can't restrict access to it (someone correct me if wrong)... I don't know what u mean by restricting access to your 'system'.
