Bartha Gabor wrote:

>   Hi everybody,
>
> I'm new in this mailing list, I hope this is not an off-topic problem.
> I'm using Tomcat and .jsp pages for managing user access to some of my
> files. I would like to hide my data in a directory which is forbidden
> for everybody except registered users who have password - my first page
> is a login.jsp where users can login.
> How can I hide the directory to be forbidden for everybody except for
> logged users using JSP?


If the set of valid users can be maintained by an admin (instead of
the users themselves), I suggest that you use container-controlled
access control for this. You can declare which pages should be
protected and which authentication mechanism should be used in the
web.xml file for the application:

   <web-app>
     ...
     <security-constraint>
       <web-resource-collection>
         <web-resource-name>secret</web-resource-name>
         <url-pattern>/protected/*</url-pattern>
       </web-resource-collection>

       <auth-constraint>
         <role-name>validUser</role-name>
       </auth-constraint>
     </security-constraint>

     <login-config>
       <!-- How to authenticate (log in): BASIC, DIGEST or FORM -->
       <auth-method>BASIC</auth-method>
       <realm-name>Protected Space</realm-name>
     </login-config>

     <!-- All roles used by the app -->
     <security-role>
       <role-name>validUser</role-name>
     </security-role>
     ...
   </web-app>

With this declaration, anyone who tries to access a page under
a directory named "protected" will be prompted for a username
and password by the browser (using the Basic Authentication
scheme). If the information matches a user defined by the
container as a member of the role "validUser", the page will be
returned.

How users are assigned to roles varies between containers.
For Tomcat, a simple default is to define them in a file named
tomcat-users.xml in the Tomcat "conf" directory.

For details about this, I suggest you look for online tutorials
or books, starting with the links at the bottom of this mail. The
same if you must roll your own authentication and access control
functions. It's way too much to describe in detail in a mail.

Hans
--
Hans Bergsten           [EMAIL PROTECTED]
Gefion Software         http://www.gefionsoftware.com
JavaServer Pages        http://TheJSPBook.com
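As an added illustration (not part of Hans's mail), the two remaining pieces that the web.xml above needs to actually work on Tomcat: the conf/tomcat-users.xml entry that puts a user into the "validUser" role, and a FORM-based variant of the login-config so the poster's existing login.jsp is used instead of the browser's Basic dialog. The user name and password are constructed placeholders, the attribute names assume the Tomcat 4 and later tomcat-users.xml format, and login-error.jsp is an assumed file name; the transport-guarantee element is added because both Basic and form logins otherwise send the password in clear text.

```xml
<!-- conf/tomcat-users.xml: Tomcat's default user/role store.
     "alice" and "CHANGE-ME" are constructed placeholders. -->
<tomcat-users>
  <role rolename="validUser"/>
  <user username="alice" password="CHANGE-ME" roles="validUser"/>
</tomcat-users>

<!-- WEB-INF/web.xml: same constraint as in the mail, but with FORM
     login (uses /login.jsp) and HTTPS required for the protected area. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secret</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>validUser</role-name>
    </auth-constraint>
    <!-- Container redirects plain HTTP requests to HTTPS, so the
         password and the protected files never travel unencrypted -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>validUser</role-name>
  </security-role>
</web-app>

<!-- login.jsp: the form must post to j_security_check with exactly
     these field names; the container checks them against the realm. -->
<form method="post" action="j_security_check">
  Username: <input type="text" name="j_username">
  Password: <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>
```

With this in place, login.jsp itself needs no password-checking code: the container intercepts the first request to /protected/, shows the form, and only serves the page once the submitted credentials map to the "validUser" role.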

Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
