Tags: security, authentication, tomcat, servlets, form-authentication

Tomcat 7 form-based authentication


Given a servlet HelloServlet:

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/HelloServlet")
public class HelloServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * Default constructor.
     */
    public HelloServlet() {
        super();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getRemoteUser() is null until the container has authenticated the request
        System.out.print("hello my Friend: " + request.getRemoteUser());
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("This is the Test Servlet");

        // Echo every request header; header values are written into the HTML unescaped
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            out.print("<br/>Header Name: <em>" + headerName);
            String headerValue = request.getHeader(headerName);
            out.print("</em>, Header Value: <em>" + headerValue);
            out.println("</em>");
        }
    }
    // ...
}

with a Tomcat security policy declared in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>my application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>tomcat</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
</login-config>

and the Tomcat role definitions in conf/tomcat-users.xml:

  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

the realm in "server.xml" is:

  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

I tried to access the servlet HelloServlet with the URL localhost/jsfWorkgroup/HelloServlet.

As expected, I am (re)directed to the login page:

<form method="POST" action="j_security_check">
<table>
  <tr>
    <td colspan="2">Login to the Tomcat-Demo application:</td>
  </tr>
  <tr>
    <td>Name:</td>
    <td><input type="text" name="j_username" /></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td><input type="password" name="j_password" /></td>
  </tr>
  <tr>
    <td colspan="2"><input type="submit" value="Go" /></td>
  </tr>
</table>
</form>

No matter which ID token I used:

  1. username: tomcat, password: tomcat
  2. username: both, password: tomcat

I still end up at the failure page /login-failed.jsp.

Here is my take on this: Tomcat redirects me to the login page, but does not read conf/tomcat-users.xml to validate my login (even after several reboots).

What do you think about it?

Configuration: Tomcat 7.0.23, Eclipse Indigo
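As an added example (not part of the question, and not Tomcat's own code), here is a small offline checker that reads the tomcat-users.xml and web.xml fragments above and reproduces the decision the container should make for a request to /HelloServlet: no matching constraint, bad credentials (user lands on form-error-page), authenticated but missing the role (HTTP 403), or allowed. It is a way to confirm what the configuration says before blaming the realm; Tomcat itself reads the file under $CATALINA_BASE/conf, which may differ from the installation's conf/ directory when the server is started by an IDE. The verdict strings and function names are this example's own; the sample XML is copied from the question and the password comparison is plaintext because the question's file stores plaintext passwords.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample input, copied from the question's conf/tomcat-users.xml.
TOMCAT_USERS_XML = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
"""

# Constructed sample input: the question's web.xml fragments wrapped in <web-app>.
WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>my application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix ('{ns}name' -> 'name') so a namespaced web.xml parses too."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def parse_users(xml_text):
    """Return {username: (password, frozenset(roles))} from tomcat-users.xml."""
    users = {}
    for u in _children(ET.fromstring(xml_text), "user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password", ""), frozenset(roles))
    return users


def parse_constraints(xml_text):
    """Return [(url_patterns, http_methods, required_roles)] from web.xml.
    required_roles is None when the constraint has no <auth-constraint> (open to all)."""
    constraints = []
    for sc in _children(ET.fromstring(xml_text), "security-constraint"):
        patterns, methods = [], set()
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [p.text.strip() for p in _children(wrc, "url-pattern")]
            methods |= {m.text.strip().upper() for m in _children(wrc, "http-method")}
        auth = _children(sc, "auth-constraint")
        roles = None if not auth else frozenset(r.text.strip() for r in _children(auth[0], "role-name"))
        constraints.append((patterns, methods, roles))
    return constraints


def url_matches(pattern, path):
    """Servlet-spec url-pattern matching: default ('/'), prefix ('/x/*'), extension ('*.jsp') or exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def authenticate(users, username, password):
    """Return the user's roles on a correct password, None otherwise (constant-time compare)."""
    entry = users.get(username)
    if entry is None:
        return None
    stored, roles = entry
    return roles if hmac.compare_digest(stored.encode(), password.encode()) else None


def check_login(users, constraints, username, password, path, method="GET"):
    """Simulate the container's decision for one request and return one of
    'unconstrained' (no constraint covers path+method, so it is served without login),
    'login-failed' (credentials rejected, user lands on form-error-page),
    'forbidden' (authenticated but holds none of the required roles, HTTP 403) or 'ok'."""
    required = [roles for patterns, methods, roles in constraints
                if any(url_matches(p, path) for p in patterns)
                and (not methods or method.upper() in methods)]
    # Listing <http-method> elements limits the constraint to those methods: HEAD, PUT,
    # etc. are left uncovered by the question's web.xml, which is a common pitfall.
    if not required or any(r is None for r in required):
        return "unconstrained"
    allowed = frozenset().union(*required)
    roles = authenticate(users, username, password)
    if roles is None:
        return "login-failed"
    return "ok" if "*" in allowed or roles & allowed else "forbidden"


def audit(users, constraints, path="/HelloServlet"):
    """Verdict for every configured user doing GET on path with their own password."""
    return {u: check_login(users, constraints, u, pw, path) for u, (pw, _) in users.items()}


if __name__ == "__main__":
    users = parse_users(TOMCAT_USERS_XML)
    constraints = parse_constraints(WEB_XML)
    for name, verdict in audit(users, constraints).items():
        print(f"{name:8s} GET /HelloServlet -> {verdict}")
    print("role1    HEAD /HelloServlet ->",
          check_login(users, constraints, "role1", "tomcat", "/HelloServlet", "HEAD"))
```

Run against the question's configuration, the checker reports that both tomcat and both are allowed and role1 gets a 403, so a login failure for tomcat/tomcat means the realm is not consulting this copy of tomcat-users.xml rather than the file rejecting the user.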


Solution

  • Following the proposition of @pd40, I tried the examples/jsp/security/protected/ examples, but not in the Eclipse IDE, where Tomcat is usually embedded along with the other servers (Glassfish, JBoss, etc.); rather, I started the Tomcat server standalone (from its /bin directory), and there it works.

    But when I attempted to run a security-based web application in Tomcat within Eclipse, it failed again, even using the configuration described above.

    I don't know if I am right, but web application security is only supported when Tomcat runs outside of Eclipse.