user583933

Reputation: 119

Form authentication with Tomcat

I am trying to implement form-based authentication with Tomcat. All my secured servlets are mapped under mydomain/myapp. I am able to secure this directory by following the basic tutorials and specifying the login and login_failed pages.

My problem is that I want an unsecured mydomain/index.html that contains the username/password forms so that a visitor can log in from there. My best attempt so far doesn't work:

<form method="POST" action="myapp/">
  Username: <input type="text" name="j_username"> <br/> 
  Password: <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>

Any suggestions?

Edit: Authentication works in the sense that if you try to access mydomain/myapp you get redirected to a login page. What I don't understand is how to allow the user to log in without first attempting to access the protected pages.

Upvotes: 2

Views: 2464

Answers (3)

Shulem Neuwirth

Reputation: 61

In the web.xml where you declare the security, you should declare it for both the secured resource and the open resource.

Just when declaring the open resource, you don't write the 'auth-constraint' tags.

For example, the secured resource:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

And for the open resource:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>open</web-resource-name>
        <url-pattern>/path/to/open/resource</url-pattern>           
    </web-resource-collection>
</security-constraint>

Upvotes: 0

Dima R.

Reputation: 997

When a user tries to access your secured resource (securedPage.jsp), they will be taken to your login page (login.jsp, for example). They will enter user name and password, then click 'Submit'. The form will be submitted using action j_security_check. This is what the container provides. So if the login is successful, the user will be redirected to securedPage.jsp, otherwise he will be redirected to the error page, that you also have

Upvotes: 0

JB Nizet

Reputation: 691625

Read paragraph 13.5.3.1 of the servlet specification. It says: "In order for the authentication to proceed appropriately, the action of the login form must always be j_security_check".

So you have to change the action of your login form. It has to be j_security_check.

Upvotes: 1
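A complete web.xml for the setup discussed in this thread, as an added example that is not part of the question or of any answer. The /myapp/* pattern follows the question; the role name `user`, the page names /login.html and /login_failed.html, and the Servlet 3.1 schema version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example. Role and page names are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Only /myapp/* is protected. /index.html matches no constraint,
         so it stays public without a separate "open" entry. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted</web-resource-name>
            <url-pattern>/myapp/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- Assumed role; it must exist in the configured realm. -->
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Redirects plain-HTTP requests for protected URLs to HTTPS,
                 so the login form and credentials travel over TLS. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- The container intercepts a request for /myapp/*, remembers it,
         and serves the login page. That page's form must POST the fields
         j_username and j_password to the action j_security_check. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/login_failed.html</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Every role named in an auth-constraint is declared here. -->
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```

With this in place, index.html needs only a link to /myapp/: the container shows the login page and, after a successful login, returns the user to the page originally requested. Tomcat answers a form posted straight to j_security_check, with no pending protected request, with an error response unless the FormAuthenticator valve's `landingPage` attribute is set.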
