Reputation: 195
I'm using Eclipse IDE with Tomcat 7.0.
I have a web application, and in the web application I have:
MainPage.html
Servlet1 (Java class)
driving_page.jsp
In the main page, I have 4 buttons inside a form that redirect to the servlet.
When I click on one button, it goes to the servlet, and the servlet redirects to driving_page.jsp, but first it needs to show the login.jsp page, and it didn't.
In Chrome, I entered the driving_page URL as localhost:8080/TaxiWeb/driving_page.jsp, and before it displays the page, it shows me the login.jsp page as it needs to.
But if I click on the button in MainPage.html which I mentioned above, it skips the login.jsp page and goes directly to the driving_page.jsp page.
WHY?
NOTE: the driving_page.jsp file is inside the folder AdminPages, so the url-pattern in the web.xml file is correct.
tomcat-users.xml:
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
my web.xml file:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Driving page</web-resource-name>
<url-pattern>/AdminPages/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<security-role><role-name>role1</role-name></security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_error.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- ********************************************************************** -->
<servlet>
<servlet-name>Servlet1</servlet-name>
<servlet-class>pack.servlets.servlet1</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Servlet1</servlet-name>
<url-pattern>/Servlet1</url-pattern>
</servlet-mapping>
</web-app>
And the servlet code. NOTE: I only added the code for the button mentioned above from the servlet:
// Constant-first equals: avoids a NullPointerException when the "submit" parameter is absent.
else if ("Show Taxis at Driving".equals(request.getParameter("submit")))
{
    // Server-side forward: the container's security constraints are not re-evaluated here.
    request.getRequestDispatcher("AdminPages/driving_page.jsp").forward(request, response);
}
Upvotes: 0
Views: 2916
Reputation: 5837
Here, you need to use response.sendRedirect(String location). This method sends the response back to the browser along with the status code and the new page location. The browser then sends a new request for the redirected "location".
You also need to have a Filter on that URL, and within that filter you need to check whether the user is allowed to view this page or not.
Upvotes: 0
Reputation: 7737
Your problem falls under the servlet spec, section 13.2 (Declarative Security):
"The security model applies to the static content part of the web application and to servlets and filters within the application that are requested by the client. The security model does not apply when a servlet uses the RequestDispatcher to invoke a static resource or servlet using a forward or an include."
Basically, your security constraint only gets picked up by the initial request and is ignored by your servlet forward.
A fix for this would be to move all your secure JSPs under the WEB-INF folder so they cannot be accessed directly. Update your forward paths to point there. Then point your security constraints to cover your servlet rather than the JSP.
Upvotes: 2
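The fix described in the answer above, written out as an added example (this is not code from the question or either answer): the JSP is moved to /WEB-INF/AdminPages/driving_page.jsp, where no browser URL can reach it, and the role constraint is declared on the servlet itself with Servlet 3.0 annotations (Tomcat 7 supports them), so the container enforces role1 on the initial request to /Servlet1 before any forward happens. The class name Servlet1 and the use of annotations instead of web.xml entries are assumptions: the <servlet> and <servlet-mapping> entries for Servlet1 in the question's web.xml must be removed so they do not conflict with the annotation, while the FORM <login-config> and <security-role> stay in web.xml because annotations cannot declare them. The old /AdminPages/* constraint becomes redundant once the JSP lives under WEB-INF.

```java
// Added example (not the original poster's code): Servlet 3.0 servlet secured at
// the servlet URL, forwarding to a JSP that is only reachable through a forward.
package pack.servlets;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The constraint is on the servlet URL, which is what the browser actually
// requests, so FORM login is triggered before doPost ever runs.
@WebServlet("/Servlet1")
@ServletSecurity(@HttpConstraint(rolesAllowed = "role1"))
public class Servlet1 extends HttpServlet {

    // Under WEB-INF: a RequestDispatcher can forward here, a browser URL cannot.
    // (Assumed path; the question placed the JSP at /AdminPages/driving_page.jsp.)
    private static final String DRIVING_PAGE = "/WEB-INF/AdminPages/driving_page.jsp";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Constant-first equals: no NullPointerException when "submit" is missing.
        String submit = request.getParameter("submit");

        if ("Show Taxis at Driving".equals(submit)) {
            // Defence in depth: the container has already enforced role1 for this
            // request; re-checking here keeps that assumption visible in the code
            // and fails closed if the deployment descriptor is ever misconfigured.
            if (!request.isUserInRole("role1")) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            request.getRequestDispatcher(DRIVING_PAGE).forward(request, response);
            return;
        }

        // Other buttons from the original form would be handled here.
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown action");
    }
}
```

With this layout a direct request for /TaxiWeb/WEB-INF/AdminPages/driving_page.jsp is refused by the container regardless of web.xml, and the only route to the page is through /Servlet1, which the FORM login guards.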