I was wondering if anyone had an answer to this or should I e-mail the
Developers group? I found this snippet on the web and tried what they
suggested and it still doesn't work:

[begin quote]

One approach that will work in Tomcat 4.0 (because it was planned that way in
the servlet 2.3 spec) is based on the following reasoning:

* Security constraints are imposed only on the original request URI,
  not when doing RequestDispatcher.include or RequestDispatcher.forward

* Therefore, we can prohibit direct access to servlets (or JSP pages) by
  protecting them with a security constraint that disallowed access.

* In 2.3, if you define a security constraint that has an <auth-constraint>
  element with no nested <role-name> elements, the container interprets
  this to mean that absolutely no direct access to the protected URIs
  is allowed via requests -- they can only be accessed indirectly via
  a RequestDispatcher.

* You can simulate this behavior in 2.2 by using a security constraint with
  a <role-name> to which no users have been assigned.

Doing this forces all requests to come through your controller servlet, because
none of the JSP pages would be directly accessible.

[end quote]

Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]
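Added example, not taken from any message in this thread: a servlet 2.3 / Tomcat 4 web.xml fragment applying the quoted technique, so that the JSPs behind the controller servlet can be reached only through RequestDispatcher. The patterns /servlet/* and /jsp/security/* and the roles `user` and `tomcat` come from Kevin's configuration; the separate /login/ directory for the login and error pages (following Craig's Tomcat 3 advice) and the never-assigned role name `nobody` are assumptions.

```xml
<!-- Added example: servlet 2.3 / Tomcat 4 web.xml applying the quoted technique.
     Paths and role names come from the thread; the /login/ directory is assumed. -->

<!-- 1. The controller servlet is the only URL a browser may request directly.
        No <http-method> is listed, so every method is covered. -->
<security-constraint>
  <display-name>Controller</display-name>
  <web-resource-collection>
    <web-resource-name>Controller Servlet</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. The JSPs the controller forwards to. An <auth-constraint> with no
        <role-name> means no direct request may reach these URIs, whatever the
        caller's roles; RequestDispatcher.forward/include is not checked against
        the constraint, so the controller still reaches them. -->
<security-constraint>
  <display-name>Internal JSPs</display-name>
  <web-resource-collection>
    <web-resource-name>Forward-only pages</web-resource-name>
    <url-pattern>/jsp/security/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Servlet 2.2 equivalent of the empty <auth-constraint>: a role that is never
     assigned to any user in the realm (the name "nobody" is assumed). -->
<!--
<auth-constraint>
  <role-name>nobody</role-name>
</auth-constraint>
-->

<!-- 3. Login and error pages live outside every protected pattern so the
        container can always serve them (assumed directory). -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

A direct browser request to /jsp/security/index.jsp is now refused by the container regardless of login state, while the controller's forward to the same path still succeeds.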



-----Original Message-----
From: Kevin Andryc [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 04, 2002 05:31 PM
To: Tomcat Users List
Subject: RE: j_security_check question: RequestDispatcher .forward!! PLZ HELP!

I am currently using Tomcat 4.0.4. My problem is that when I use the
RequestDispatcher and forward the request to the index.jsp page, it does not
work. Instead I get the login page. If you look at ProtectedPage.java, you
can see I forward the request to the index.jsp page. If it worked correctly,
I would type in (http://localhost:8080/dev/servlet/ProtectedPage) and a
login prompt would appear (login.jsp). Once I successfully logged in, I
should then go to my servlet (ProtectedPage), which should show index.jsp.
Instead, I get the login.jsp form when I successfully log in. When I changed
the ProtectedPage.java code so that it doesn't use the RequestDispatcher and
instead used a PrintWriter, it works fine. My question is, why can I not use
the RequestDispatcher??

Thanks for your help :).

Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]



-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 04, 2002 05:25 PM
To: Tomcat Users List
Subject: Re: j_security_check question: RequestDispatcher .forward!! PLZ HELP!


On Thu, 4 Jul 2002, Kevin Andryc wrote:

> Date: Thu, 04 Jul 2002 15:46:04 -0400
> From: Kevin Andryc <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: j_security_check question: RequestDispatcher .forward!! PLZ HELP!
>
> OK,
>     So I found that I can access my servlet if I don't use the
> RequestDispatcher .forward method. In other words, when I try and access my
> page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get a login
> JSP form that I specified. When I log in successfully, the login page
> reappears when, in my ProtectedPage servlet, I use the RequestDispatcher
> .forward method instead of using a PrintWriter to send back the response.
> Why can I not use the RequestDispatcher? If I can, how???
>

If you are using Tomcat 3.x, you'll have a problem with your example code
below, because you've got the form login page inside your protected area.
That works fine in Tomcat 4, however.  In Tomcat 3, move your login page
to some directory that is *not* protected by a security constraint.

What is not obvious from your question is what it is, exactly, that you
are asking.  You seem to claim that you cannot use a request dispatcher,
but your code is doing exactly that.  So what is the problem?

Craig


> Below is some code.
>
> Web.xml
>   <security-constraint>
>     <display-name>Example Security Constraint</display-name>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <!-- Define the context-relative URL(s) to be protected -->
>       <url-pattern>/servlet/*</url-pattern>
>       <url-pattern>/jsp/security/*</url-pattern>
>       <!-- If you list http methods, only those methods are protected -->
>       <http-method>DELETE</http-method>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>       <http-method>PUT</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <!-- Anyone with one of the listed roles may access this area -->
>       <role-name>user</role-name>
>       <role-name>tomcat</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <!-- Default login configuration uses form-based authentication -->
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Example Form-Based Authentication Area</realm-name>
>     <form-login-config>
>       <form-login-page>/jsp/security/login.jsp</form-login-page>
>       <form-error-page>/jsp/security/error.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>
> ProtectedPage.java
> import javax.servlet.RequestDispatcher;
> import javax.servlet.http.HttpServlet;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> public class ProtectedPage extends HttpServlet {
>
>       // Default constructor
>       public ProtectedPage() {
>               super();
>       }
>
>       public void doGet(HttpServletRequest request, HttpServletResponse response) {
>               performTask(request, response);
>       }
>
>       public void doPost(HttpServletRequest request, HttpServletResponse response) {
>               performTask(request, response);
>       }
>
>       public void performTask(HttpServletRequest request, HttpServletResponse response) {
>               try {
>                       // Hand the authenticated request on to the JSP; the forward
>                       // goes through the container's RequestDispatcher rather than
>                       // writing the response directly with a PrintWriter.
>                       String jspPage = "index.jsp";
>                       RequestDispatcher rd =
>                               getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
>                       rd.forward(request, response);
>               }
>               catch (Exception e) {
>                       e.printStackTrace();
>               }
>       }
> }
>
> index.jsp
> <html>
> <head>
> <title>Protected Page for Examples</title>
> </head>
> <body bgcolor="white">
>
> You are logged in as remote user <b><%= request.getRemoteUser() %></b>
> in session <b><%= session.getId() %></b><br><br>
>
> <%
>   if (request.getUserPrincipal() != null) {
> %>
>     Your user principal name is
>     <b><%= request.getUserPrincipal().getName() %></b><br><br>
> <%
>   } else {
> %>
>     No user principal could be identified.<br><br>
> <%
>   }
> %>
>
> <%
>   String role = request.getParameter("role");
>   if (role == null)
>     role = "";
>   if (role.length() > 0) {
>     if (request.isUserInRole(role)) {
> %>
>       You have been granted role <b><%= role %></b><br><br>
> <%
>     } else {
> %>
>       You have <i>not</i> been granted role <b><%= role %></b><br><br>
> <%
>     }
>   }
> %>
> </body>
> </html>
>
>
> Kevin Andryc
> Web Systems Engineer
> MISER
> http://www.umass.edu/miser/
> Phone: (413)-545-3460
> [EMAIL PROTECTED]

