I am trying to control access to web pages using a list of authorised roles.
The model would have each page in the secure area accessible by one or more
roles and have users authenticate themselves and be assigned one or more
roles.  If the user has been assigned a role which is permitted access to
the page, the page will be displayed otherwise an error message will appear
and, ideally, the user will be offered the opportunity to log on again in
case the browser has been shared between different users.

I'm using a JDBC realm with a user and a role table.  Authentication of the
user works and, in the simplest case, assignment of the role works.

If my web.xml file contains an auth-constraint stanza and the user has the
role specified, access is granted.  If I remove the auth-constraint stanza
so I can do my own checking in the web page header, I get an SSL certificate
prompt but no logon prompt and then receive a "not authorized" (HTTP 401)
error.


web.xml snippet:
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>ScoutGroup-Secure</web-resource-name>
   <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <!--
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  -->
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>

 <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>scoutgroup</realm-name>
 </login-config>



The checking in my web page is as follows (using JSP and taglibs):
<%@ page import="java.sql.*" %>
<%@ taglib uri="http://jakarta.apache.org/taglibs/request-1.0" prefix="req" %>
<%@ taglib uri="http://jakarta.apache.org/taglibs/response-1.0" prefix="rsp" %>
<% Class.forName("org.gjt.mm.mysql.Driver"); %>

<req:request id="rq"/>
<req:existsHeader name="authorization" value="false">
 <%
  System.out.println("not logged on");
 %>
 <rsp:setStatus status="SC_UNAUTHORIZED"/>
 <%-- the tag body is sent verbatim as the header value, so no extra quote characters around it --%>
 <rsp:setHeader name="WWW-Authenticate">BASIC realm="scoutgroup"</rsp:setHeader>
 <rsp:skipPage/>
</req:existsHeader>
<%
 boolean validRole = false;
%>
<req:isUserInRole role="member">
 <%
  validRole = true;
 %>
</req:isUserInRole>
<%
 if (!validRole)
 {
  System.out.println("access is not allowed");
  %> <rsp:sendError error="SC_FORBIDDEN"/>
  <rsp:skipPage/> <%
 }
%>

<HTML>
 <HEAD> etc etc




I have built a filter to display headers before and after the web page.  The
results follow  (note the "not logged on" message written by my web page
checking for the "authorization" header):
Filtering...
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, */*
accept-language: en-au
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
host: localhost:8443
connection: Keep-Alive
accept-language: en-au
accept-encoding: gzip, deflate
Chaining...
not logged on
...chained
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, */*
accept-language: en-au
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
host: localhost:8443
connection: Keep-Alive
accept-language: en-au
accept-encoding: gzip, deflate
...filtered



I never receive a BASIC authentication dialogue box prompting for userid and
password despite setting the "WWW-Authenticate" header.

Please, someone, point me in the right direction and/or tell me where there
is more "how-to" documentation.  I find that the Tomcat doc tells me what is
available but doesn't describe how it works or what the effect of making
different choices is.


Murray Nicholas
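One way to get both the container log-on and per-page role checks, as an added example that is not the poster's code and not part of Tomcat or the Jakarta taglibs: a servlet Filter mapped to /members/* that leaves the BASIC log-on to the container (auth-constraint kept in web.xml) and then checks the page's permitted roles through request.isUserInRole. The PageRoleFilter class name and the page-to-roles table are assumptions for illustration.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Page-level role check that runs after container-managed BASIC auth.
// Assumes the <auth-constraint> stays in web.xml so Tomcat authenticates
// first; this filter only decides which roles may view which page.
public class PageRoleFilter implements Filter {
    // Hypothetical page -> permitted roles table (illustrative values only).
    private final Map<String, List<String>> pageRoles = new HashMap<String, List<String>>();

    public void init(FilterConfig cfg) {
        pageRoles.put("/members/index.jsp", Arrays.asList("member", "leader"));
        pageRoles.put("/members/admin.jsp", Arrays.asList("leader"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // No principal: the container never authenticated this request, so
        // isUserInRole() is always false. Re-issue a well-formed challenge;
        // the header value itself carries no surrounding quote characters.
        if (request.getUserPrincipal() == null) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"scoutgroup\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        List<String> allowed = pageRoles.get(request.getServletPath());
        if (allowed != null && !hasAnyRole(request, allowed)) {
            // Authenticated but not permitted for this page: 403, which is
            // logged distinctly from a missing log-on (401).
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    static boolean hasAnyRole(HttpServletRequest request, List<String> roles) {
        for (String role : roles) {
            if (request.isUserInRole(role)) return true;
        }
        return false;
    }

    public void destroy() { }
}
```

Map the filter to /members/* in web.xml alongside the existing security-constraint. If a denied user should be offered the chance to log on as someone else (the shared-browser case), send 401 with the same WWW-Authenticate header instead of 403 and the browser will prompt again.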



