I am learning basic web app security from "Head First JSP and Servlets". There is no code for the security app except web.xml and tomcat-users.xml settings. I followed the book and tried to make my own code, but I am not able to control access to my web app.
Anyone can access it despite setting the roles in tomcat-users.xml and editing web.xml. Please help me to understand this and complete my example. I am using Eclipse Kepler and Tomcat 6.0.
Eclipse project:

Expectation: Run start.html and click the submit button to access SecureServlet. Container should ask you for a login to access that servlet. If the login matches the one in web.xml settings, then you are shown the secret.jsp page.
Output: There is no security. You can see secret.jsp without entering any login.
tomcat-users.xml:
<tomcat-users>
<role rolename="Admin"/>
<role rolename="Member"/>
<role rolename="Guest"/>
<user username="jim" password="admin" roles="Admin, Member, Guest" />
<user username="tim" password="premium" roles="Member, Guest" />
<user username="fred" password="regular" roles="Guest" />
</tomcat-users>
web.xml: I put the code in both Tomcat's web.xml and my web app's web.xml to be safe.
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>WebSecurity</web-resource-name>
<url-pattern>/secretServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>Member</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>Admin</role-name>
</security-role>
<security-role>
<role-name>Member</role-name>
</security-role>
<security-role>
<role-name>Guest</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<!-- If this is the web app's web.xml, add the servlet mapping below -->
<servlet>
<description></description>
<display-name>SecretServlet</display-name>
<servlet-name>SecretServlet</servlet-name>
<servlet-class>foo.SecretServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SecretServlet</servlet-name>
<url-pattern>/SecretServlet</url-pattern>
</servlet-mapping>
</web-app>
HTML start page:
Enter here:<br>
<form method="post" action="/WebSecurity/SecretServlet">
<input type="submit" name="submit" value="try to access!">
</form>
Servlet:
package foo;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class SecretServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
public SecretServlet() {
super();
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
RequestDispatcher view = request.getRequestDispatcher("/jsp/secret.jsp");
view.forward(request, response);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
RequestDispatcher view = request.getRequestDispatcher("/jsp/secret.jsp");
view.forward(request, response);
}
}
secret.jsp:
<h3>Congratulations ! You entered the secure area.</h3>
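Added example, not code from the question or the book: a small Python check for the kind of mismatch that leaves a servlet unprotected. Servlet containers match <url-pattern> values case-sensitively, so a constraint on /secretServlet does not cover a servlet mapped at /SecretServlet; the script parses a web.xml (the descriptor above, embedded as a constructed sample) and lists servlet mappings that no <security-constraint> with an <auth-constraint> covers. It assumes a descriptor without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor from the question, trimmed to the
# elements that matter. The constraint says /secretServlet while the
# servlet is mapped at /SecretServlet (url-patterns are case-sensitive).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/secretServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
  <servlet-mapping>
    <servlet-name>SecretServlet</servlet-name>
    <url-pattern>/SecretServlet</url-pattern>
  </servlet-mapping>
</web-app>"""


def pattern_covers(pattern, path):
    """Servlet-spec matching of a constraint pattern against a request path:
    exact, path-prefix (/dir/*) or extension (*.jsp), all case-sensitive."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def find_unprotected_mappings(web_xml):
    """Return servlet-mapping url-patterns that no <security-constraint> with an
    <auth-constraint> covers. Assumes a descriptor without an XML namespace."""
    root = ET.fromstring(web_xml)
    protected = [p.text.strip()
                 for sc in root.iter("security-constraint")
                 if sc.find("auth-constraint") is not None
                 for p in sc.iter("url-pattern")]
    mapped = [p.text.strip()
              for sm in root.iter("servlet-mapping")
              for p in sm.iter("url-pattern")]
    return [m for m in mapped
            if not any(pattern_covers(c, m) for c in protected)]
```

Even with the pattern fixed, a constraint on the servlet alone does not protect /jsp/secret.jsp when it is requested directly; add a constraint for /jsp/* or move the JSP under WEB-INF so only the forward can reach it.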