Posted to users@tomcat.apache.org by Kevin Andryc <ka...@miser.umass.edu> on 2002/07/03 19:54:13 UTC

RE: j_security_check question: RequestDispatcher .forward!!

OK,
    So I found that I can access my servlet if I don't use the
RequestDispatcher.forward method. In other words, when I try to access my
page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get a login
JSP form that I specified. When I log in successfully, the login page
reappears when, in my ProtectedPage servlet, I use the
RequestDispatcher.forward method instead of using a PrintWriter to send back
the response. Why can I not use the RequestDispatcher? If I can, how?

Below is some code.

Web.xml
    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/servlet/*</url-pattern>
         <url-pattern>/jsp/security/*</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>user</role-name>
         <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login.jsp</form-login-page>
        <form-error-page>/jsp/security/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

ProtectedPage.java
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProtectedPage extends HttpServlet  {

    // Default constructor
    public ProtectedPage() {
        super();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        performTask(request, response);
    }

    // Forward every GET and POST to the JSP view under /jsp/security/
    public void performTask(HttpServletRequest request, HttpServletResponse response) {

        try {
            String jspPage = "index.jsp";
            RequestDispatcher rd =
                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
            rd.forward(request, response);
        }
        catch(Exception e) {
            e.printStackTrace();
        }
    }
}

index.jsp
<html>
<head>
<title>Protected Page for Examples</title>
</head>
<body bgcolor="white">

You are logged in as remote user <b><%= request.getRemoteUser() %></b>
in session <b><%= session.getId() %></b><br><br>

<%
  if (request.getUserPrincipal() != null) {
%>
    Your user principal name is
    <b><%= request.getUserPrincipal().getName() %></b><br><br>
<%
  } else {
%>
    No user principal could be identified.<br><br>
<%
  }
%>

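<%
  String role = request.getParameter("role");
  if (role == null)
    role = "";
  // The role comes from the request, so HTML-escape it before echoing it back
  String safeRole = role.replace("&", "&amp;").replace("<", "&lt;")
                        .replace(">", "&gt;").replace("\"", "&quot;");
  if (role.length() > 0) {
    if (request.isUserInRole(role)) {
%>
      You have been granted role <b><%= safeRole %></b><br><br>
<%
    } else {
%>
      You have <i>not</i> been granted role <b><%= safeRole %></b><br><br>
<%
    }
  }
%>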
</body>
</html>

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
kandryc@miser.umass.edu



-----Original Message-----
From: John Gregg [mailto:john.gregg@techarch.com]
Sent: Tuesday, July 02, 2002 04:48 PM
To: 'Tomcat Users List'
Subject: RE: j_security_check question

No can do-ski.  The container needs to know where to send the user upon
successful authentication, but if your application presents a form to a user
that gets submitted to j_security_check, the Tomcat authentication stuff
won't know where to send the user when the operation completes.  Your
web.xml and login.jsp look ok.  You just don't want your application to
serve a page that goes to j_security_check directly.  Instead, Tomcat
decides automagically when you need to log in.  It then inserts itself into
the application flow by remembering where the user was trying to go, sending
the login page that you specify, then redirecting (or forwarding?) the user
to that place upon successful login.  Before using container-managed
security I was so used to creating AND SERVING my own login pages that it
took a while to wrap my brain around the fact that I no longer had to do
stuff like "if (req.getSession(false) == null) then send login page...."
Just code your servlet to do what you want and let Tomcat worry about
when/if to present the login page.  The URL you'll access will be the
servlet or jsp that kicks off your business logic, not the login logic.

john


-----Original Message-----
From: tomcat-user-return-24806-john.gregg=techarch.com@jakarta.apache.org
[mailto:tomcat-user-return-24806-john.gregg=techarch.com@jakarta.apache.org]
On Behalf Of Kevin Andryc
Sent: Tuesday, July 02, 2002 1:40 PM
To: Tomcat Users List; john.gregg@techarch.com
Subject: RE: j_security_check question


CustomLogin.class is a resource at a protected URL which also contains the
login form. So here is how it works (or how I would like it to work). I have
a CustomLogin class:

CustomLogin.class (located in /dev/WEB-INF/classes/)
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CustomLogin extends HttpServlet  {
        public CustomLogin() {
                super();
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response) {
                performTask(request, response);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response) {
                performTask(request, response);
        }

        // Forward every GET and POST to the login form JSP
        public void performTask(HttpServletRequest request, HttpServletResponse response) {

                try {
                        String jspPage = "login.jsp";
                        RequestDispatcher rd =
                                getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
                        rd.forward(request, response);

                }
                catch(Exception e) {
                        e.printStackTrace();
                }
        }
}

login.jsp (located in /dev/jsp/security/)

<html>
<head>
<title>Login Page for Examples</title>
</head>
<body bgcolor="white">
<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
  <table border="0" cellspacing="5">
    <tr>
      <th align="right">Username:</th>
      <td align="left"><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <th align="right">Password:</th>
      <td align="left"><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td align="right"><input type="submit" value="Log In"></td>
      <td align="left"><input type="reset"></td>
    </tr>
  </table>
</form>
</body>
</html>

web.xml

<security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/servlet/*</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>

   <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/servlet/CustomLogin</form-login-page>
        <form-error-page>/jsp/security/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

The user will type in the URL:
http://localhost:8080/dev/servlet/CustomLogin. The login form does appear.
But once I enter the login information (username and password) the "Invalid
direct reference to form login page" appears. What I want is to have the
user type in http://localhost:8080/dev/servlet/CustomLogin and login. If
they are successful, then it should then direct them to the CustomLogin
servlet so I can get the user information and customize the page according
to who is logged in. I hope this makes sense. I just can't seem to get it to
work or how to make it work.

Thanks,
Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
kandryc@miser.umass.edu
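
Added example (not part of the original thread and not Tomcat's code): a simplified Java model of the FORM-login flow John describes, showing why requesting the protected servlet works while typing the login page URL directly ends in "Invalid direct reference to form login page". The class name, the sample realm and the rule that the login page itself is served without saving a destination are assumptions of this model.

```java
import java.util.Map;
// Added illustration, not Tomcat source: simplified model of container-managed FORM login.
public class FormAuthFlowDemo {
    // Constructed sample realm; the user name and password are made up.
    static final Map<String, String> REALM = Map.of("kevin", "example-pw");

    // Per-session state kept by the container; the application never manages it.
    static class Session {
        String savedRequest; // protected URL the user originally asked for
        String principal;    // set once j_security_check succeeds
    }
    final String loginPage;  // value of <form-login-page> in web.xml
    FormAuthFlowDemo(String loginPage) { this.loginPage = loginPage; }

    // Returns the container's action for one request; /servlet/* is the protected area.
    String handle(Session s, String uri, String user, String password) {
        if (uri.endsWith("/j_security_check")) {
            if (s.savedRequest == null) // no intercepted request, so no destination
                return "ERROR Invalid direct reference to form login page";
            if (user == null || password == null || !password.equals(REALM.get(user)))
                return "SERVE /jsp/security/error.jsp";
            s.principal = user;
            String target = s.savedRequest;
            s.savedRequest = null;
            return "REDIRECT " + target;
        }
        if (uri.equals(loginPage))
            return "SERVE " + uri; // assumption: the login page itself is served, nothing saved
        if (uri.startsWith("/servlet/") && s.principal == null) {
            s.savedRequest = uri;  // container remembers where the user was going
            return "SERVE " + loginPage;
        }
        return "SERVE " + uri;
    }

    public static void main(String[] args) {
        // Flow John describes: request the protected servlet, let the container ask for login.
        FormAuthFlowDemo c = new FormAuthFlowDemo("/jsp/security/login.jsp");
        Session s1 = new Session();
        System.out.println(c.handle(s1, "/servlet/ProtectedPage", null, null));
        System.out.println(c.handle(s1, "/servlet/j_security_check", "kevin", "example-pw"));
        System.out.println(c.handle(s1, "/servlet/ProtectedPage", null, null));
        // Flow from the earlier message: the user types the login page URL directly.
        FormAuthFlowDemo d = new FormAuthFlowDemo("/servlet/CustomLogin");
        Session s2 = new Session();
        System.out.println(d.handle(s2, "/servlet/CustomLogin", null, null));
        System.out.println(d.handle(s2, "/servlet/j_security_check", "kevin", "example-pw"));
    }
}
```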

