
Form Based Authentication


I have experience programming Java Applications but never any Web Apps so xml is relatively new to me. I've learned quite a bit in my research but I'm currently stumped and hopefully you all can help me out.

Context: The company I work for hired a contractor to develop software for inventory. The developer chose to create a web app on the company's intranet (not connected to Internet at all). Several months and a handful of revisions down the road, the developer quit working on the project for unknown reasons (to me, at least). So here I am using a .war file to reverse engineer and then finish the project!

I've configured Tomcat and MS SQL Server and all connections are good according to Netbeans. I can deploy the app but here is where I get stuck. The index.jsp contains a login.jsp. Looking at the code for these pages has me confused.

As best I can tell, the developer was going for Form Based Authentication so that user roles are determined at login. I don't understand how this code redirects to any page at all, much less does anything:

<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
    <table border="0" cellspacing="5">
    <tr>
        <td>
            Username:<br>
            <input type="text" name="j_username" style="width: 200px;">
        </td>
    </tr>
    <tr>
        <td>
            Password:<br>
            <input type="password" name="j_password" style="width: 200px;">
        </td>
    </tr>
    <tr>
        <td><br></br><input type="submit" value="Log In" class="buttonStyle"> <input type="reset" class="buttonStyle"></td>
    </tr>
    </table>
</form>

Specifically, what tells the app that a login is good or bad? What handles the events when the buttons are clicked?

I appreciate your patience and help!


Solution

  • Take a read through the Java Servlet Specification, specifically section 13.6.3. Reading a spec sounds scary, but the Java Servlet Spec is one of the most readable I've ever read: it's meant to be read by programmers and not by lawyers.

    The quick summary is that when a user tries to access a protected page (and hasn't yet authenticated), they are presented with the login page. The "submit" button posts the username and password to the servlet container (Tomcat) which performs the authentication (checks the username/password) and either goes back to the login page (if the username/password were incorrect) or redirects the user back to the protected page they originally requested.

    There's some stuff going on here that isn't obvious because the container (Tomcat) is handling it for you. Reading the spec -- the whole thing, actually -- will give you great insight into how everything works and will make you much better prepared to babysit this code you've inherited.

    Update 2014-10-22 13:45 EDT

    To determine the type of authentication that is being performed, you need to look for a <Realm> element in your web application's META-INF/context.xml file, or in Tomcat's conf/server.xml, nested inside your web application's <Context> element. It will indicate the type of realm being used (usually "Memory" which is for conf/tomcat-users.xml, or DataSource/JDBC which indicate that the authentication information is in a relational database, etc.).

    None of the "realm" stuff is covered by the spec. For that, you'll have to refer to the Tomcat documentation, or join the Tomcat users' list and the community in general.
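As an added illustration (not part of the answer above or of the asker's inherited application), here is the container-side configuration that connects the j_security_check form to Tomcat's authentication: web.xml declares which URLs are protected and that FORM login is used, and context.xml declares the Realm that actually checks j_username/j_password. The URL pattern, role name, JNDI name, table and column names are assumptions for this example.

```xml
<!-- WEB-INF/web.xml: the container, not the JSP, enforces this.
     Requests matching /inventory/* from an unauthenticated user are
     answered with login.jsp; the POST to j_security_check is intercepted
     by Tomcat and never reaches any servlet of the application. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Inventory pages</web-resource-name>
      <url-pattern>/inventory/*</url-pattern>      <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>inventory-user</role-name>        <!-- assumed role -->
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE is tolerable only on an isolated intranet; with TLS
           configured, CONFIDENTIAL keeps j_password off the wire in clear. -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <!-- shown when the Realm rejects the credentials -->
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>inventory-user</role-name>
  </security-role>
</web-app>

<!-- META-INF/context.xml: the Realm answers "is this login good or bad?".
     A DataSourceRealm looks the user up in a database reached through the
     JNDI DataSource jdbc/inventory (assumed; its <Resource> is declared in
     the same file and is not shown here). -->
<Context>
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/inventory" localDataSource="true"
         userTable="app_users" userNameCol="username" userCredCol="password_hash"
         userRoleTable="app_user_roles" roleNameCol="role">
    <!-- Tomcat 8+: compare against stored SHA-256 digests rather than
         clear-text passwords (the Tomcat 7 equivalent is digest="SHA-256"). -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"/>
  </Realm>
</Context>
```

With this in place, a bad password lands on login-error.jsp and a good one redirects to the originally requested /inventory/... URL, which is exactly the flow the spec section describes.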