Web Application Security:
Step 1: Add an entry in web.xml
Add a <security-constraint> entry to web.xml as shown in Table 1.
Table 1
<security-constraint>
  <!-- No auth-constraint and no user-data-constraint: this entry enforces
       nothing; it only documents that GET/POST on /* are public. -->
  <web-resource-collection>
    <web-resource-name>Generic</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <description>Protected Resources</description>
    <url-pattern>/protected/*</url-pattern>
    <!-- Listing methods limits the constraint to those methods only:
         HEAD, OPTIONS, PUT, DELETE, TRACE remain unprotected. Omit the
         http-method elements to cover every method. -->
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- NONE lets the login form be submitted over plain HTTP, which is
         what this walkthrough does on port 7001; use CONFIDENTIAL in
         production so the container forces HTTPS. -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/loginfail.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
Step 2: Create an html/jsp file for the login form
Now we need a page that accepts the user's credentials (id and password). The form must POST to j_security_check and name its fields j_username and j_password; these names are fixed by the Servlet specification for FORM authentication. Create the simple html file shown in Table 2.
Table 2
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  <title>Sample Application: Login</title>
</head>
<body>
  <!-- The action and field names are mandated by the Servlet spec; the
       relative action resolves inside the application context. -->
  <form action="j_security_check" method="POST">
    <table>
      <tr>
        <td>User Name</td>
        <td><input id="j_username" name="j_username"></td>
      </tr>
      <tr>
        <td>Password</td>
        <td><input id="j_password" name="j_password" type="password"></td>
      </tr>
      <tr>
        <td colspan="2"><input type="submit" value="Login"></td>
      </tr>
    </table>
  </form>
</body>
</html>
We also need a page to which the container routes the user when login fails. Create the error page shown in Table 3.
Table 3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  <title>Sample Application: Login Failed</title>
</head>
<body>
  <span style="color:red">Login Failed</span>
</body>
</html>
Also create an index.html as the home page, and a protected.html inside a folder named protected under the web application root. Then deploy the application (WAR) on your application server. The server's security realm must contain a user that is mapped to the admin role; how users and groups are mapped to roles is server-specific (for WebLogic this is done in weblogic.xml or the console).
Step 3: Try to access a non-protected resource
Open the URL http://localhost:7001/SampleApp/ (7001 is WebLogic's default listen port). It shows the home page, as shown in Figure 1.
Figure 1
So the resource at the above location is accessed successfully without any login.
Step 4: Try to access a protected resource
Now try to access a web resource (i.e. http://localhost:7001/SampleApp/protected/protected.html) that we protected by adding the following lines to web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <description>Protected Resources</description>
    <url-pattern>/protected/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The container intercepts the request, saves it, and first asks for credentials by serving the form-login-page, as shown in Figure 2.
Figure 2
If the credentials are wrong, the container shows the page configured in form-error-page, as shown in Figure 3.
Figure 3
If login succeeds and the user is in the admin role, the container redirects to the originally requested resource, which is displayed as shown in Figure 4.
Figure 4
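The behaviour seen in Steps 3 and 4 follows from how the container matches a request against the security-constraint entries: the most specific url-pattern wins, and then only the listed http-method values are covered. The script below is an added example, not code from the original page or from any application server; it embeds the Table 1 web.xml as constructed input, re-implements that matching (exact, longest prefix, extension, default, and the role-combination rules of the Servlet spec; the "*" and "**" role names are not expanded), and audits the file for the two weaknesses a reviewer would flag: methods left uncovered on /protected/*, and a transport-guarantee of NONE. The function names (parse, resolve, audit) are this example's own.

```python
"""Added example (not from the page): resolve which <security-constraint> a
Servlet container applies to a request and audit the Table 1 web.xml."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Table 1 from the page, embedded as constructed input so this runs offline.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <web-resource-name>Generic</web-resource-name><url-pattern>/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection></security-constraint>
<security-constraint><web-resource-collection>
  <web-resource-name>Protected</web-resource-name><url-pattern>/protected/*</url-pattern>
  <http-method>POST</http-method><http-method>GET</http-method>
</web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

@dataclass
class Constraint:
    name: str
    patterns: list          # url-patterns of one web-resource-collection
    methods: set            # empty set means every HTTP method is covered
    roles: Optional[set]    # None: no <auth-constraint>, anyone may access
    transport: str          # NONE, INTEGRAL or CONFIDENTIAL

def parse(web_xml: str) -> list:
    """One Constraint per web-resource-collection, matching the spec's semantics."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop the xmlns a real web.xml carries
        el.tag = el.tag.split("}")[-1]
    out = []
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        tg = sc.findtext("user-data-constraint/transport-guarantee") or "NONE"
        for wrc in sc.findall("web-resource-collection"):
            out.append(Constraint(
                wrc.findtext("web-resource-name", "").strip(),
                [p.text.strip() for p in wrc.findall("url-pattern")],
                {m.text.strip().upper() for m in wrc.findall("http-method")},
                roles, tg.strip().upper()))
    return out

def _match_rank(pattern: str, path: str):
    """Specificity key if pattern matches path (exact > longest prefix >
    extension > default, as in servlet mapping); None when it does not match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def resolve(constraints, method: str, path: str, deny_uncovered: bool = False):
    """(roles, transport) the container enforces for method+path.
    roles None -> no login needed; set() -> denied to everyone."""
    method, best, best_key = method.upper(), [], None
    for c in constraints:
        for p in c.patterns:
            key = _match_rank(p, path)
            if key is not None and (best_key is None or key > best_key):
                best, best_key = [c], key
            elif key is not None and key == best_key:
                best.append(c)
    if not best:
        return None, "NONE"
    # Only constraints on the best-matching pattern count, and of those only
    # the ones whose <http-method> list (if any) names this method.
    covering = [c for c in best if not c.methods or method in c.methods]
    if not covering:
        # Uncovered method: passes unauthenticated unless the Servlet 3.1
        # <deny-uncovered-http-methods/> switch is set (HTTP verb tampering).
        return (set(), "NONE") if deny_uncovered else (None, "NONE")
    # Combining rules: no auth-constraint anywhere -> anonymous access; an empty
    # role list -> denied; otherwise the union of roles.
    if any(c.roles is None for c in covering):
        roles = None
    elif any(not c.roles for c in covering):
        roles = set()
    else:
        roles = set().union(*(c.roles for c in covering))
    rank = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}
    return roles, max((c.transport for c in covering), key=lambda t: rank.get(t, 0))

def audit(constraints) -> list:
    """Reviewer findings: uncovered methods and plain-HTTP logins on protected paths."""
    others = {"HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"}
    findings = []
    for c in (c for c in constraints if c.roles is not None):
        if c.methods:
            findings.append(f"{c.name}: only {sorted(c.methods)} constrained on "
                            f"{c.patterns}; {sorted(others - c.methods)} bypass the login")
        if c.transport == "NONE":
            findings.append(f"{c.name}: transport-guarantee NONE, credentials for "
                            f"{c.patterns} travel in clear text")
    return findings

if __name__ == "__main__":
    cs = parse(WEB_XML)
    for m, p in [("GET", "/index.html"), ("GET", "/protected/protected.html"),
                 ("HEAD", "/protected/protected.html")]:
        print(m, p, "->", resolve(cs, m, p))
    print(*audit(cs), sep="\n")
```

Run as-is: GET /index.html resolves to no roles (the Generic entry has no auth-constraint), GET /protected/protected.html resolves to the admin role over NONE, and HEAD /protected/protected.html resolves to no roles at all because HEAD is not in the http-method list, which is exactly the request an attacker sends to bypass the login form. Removing the http-method elements from the Protected entry, or adding deny-uncovered-http-methods on a Servlet 3.1 container, closes that gap; CONFIDENTIAL closes the clear-text one.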