login or application entry

X-Application Version: 4.1.1, 3.1.3
Tamino Version : 4.1.1, 3.1
Platform : Win2k, WinXP, Solaris, Linux, …
WebContainer : Tamocat 4.1.1, Tomcat 3.3.1
JDK Version : 1.4.1, 1.3.1


I want my app to only be available via login page. So webusers can use the search page in a normal fashion, but only powerusers would be able to view pages such as create, delete and modify.

What can I do?

Hi,

there are several ways to achieve protection for certain pages of your webapp:

  • For example you can use the security mechanism of web.xml to protect certain pages, e.g.

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>your page</web-resource-name>
          <url-pattern>/create.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>HEAD</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>registeredUsers</role-name>
          <role-name>Administrators</role-name>
        </auth-constraint>
      </security-constraint>

    This furthermore requires a reference to a realm in web.xml:

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>X-Application</realm-name>
      </login-config>

    and the definition of this realm in server.xml, so that the server knows what to authenticate the users against. As there are several kinds of realms (LDAP, OS, Database), have a look at the Tomcat configuration; there are examples for different scenarios.


  • At application level you could use a login mechanism to establish a session. Once the user is logged in and the session is established, you store e.g. an attribute isLoggedIn. At the top of each JSP you can now control access by checking that this attribute is set and redirecting or forwarding to another page if the attribute is not set (= the user is not logged in).
    Depending on what exactly you want to achieve this requires more or less coding. The Real Estate Demo in the Tamino Demo Zone uses this mechanism for example.

  • You could use the controller servlet of a Model-View-Controller framework like e.g. Struts to do this job.


As you see, there are several possibilities; the quickest solution is the first mentioned, though this is not a solution at application level, i.e. security depends on the deployer and your application logic does not know anything about it.

Best regards,


Jan Harmsen
Software Engineer
Software AG
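One way to implement the second approach from the answer above (the isLoggedIn session attribute), as an added example that is not from the original thread or from Software AG: a servlet Filter (Servlet 2.3+, i.e. Tomcat 4.x) that performs the check once for every protected URL it is mapped to, so no JSP can be forgotten. The session attribute "role", the value "poweruser", the class name and /login.jsp are assumptions for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Map this filter in web.xml to each protected page (/create.jsp, /delete.jsp,
 * /modify.jsp) with a <filter> and a <filter-mapping> entry. It assumes the
 * login page stored two session attributes after a successful login:
 * "isLoggedIn" (Boolean.TRUE, as in the post) and "role" ("webuser" or
 * "poweruser"). The "role" attribute, the value "poweruser" and /login.jsp
 * are assumptions made for this example, not names from the original thread.
 */
public class PowerUserFilter implements Filter {

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just because an
        // anonymous visitor requested a protected page
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
            && Boolean.TRUE.equals(session.getAttribute("isLoggedIn"));

        if (!loggedIn) {
            // not logged in: send to the login page instead of the protected JSP
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        if (!"poweruser".equals(session.getAttribute("role"))) {
            // logged in, but only a webuser: refuse the page instead of serving it
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res); // authorized: let the request reach the JSP
    }
}
```

Because the filter runs before the JSP, the search page stays open to everyone while the mapped pages are reachable only by a logged-in poweruser; a plain webuser who is logged in gets a 403 rather than a redirect loop back to the login page.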

Thank you…thank you…thank you! That worked great!