Tuesday 29 September 2015

Setting form based authentication in tomcat

In the previous post, I explained ‘Setting role based security in tomcat’. In this post, I am going to explain how to configure form based authentication.

This post continues from the previous one, so for a better understanding I recommend reading that article first.

Step 1: First we need to create two pages, login.jsp and login-error.jsp. Whenever a user tries to access a secured resource, we forward the request to the login page. If the user's credentials are wrong, the login-error.jsp page is displayed. If the user provides correct credentials, they get access to the secured resource.

Create a login folder and add the login.jsp and login-error.jsp files to it.


login.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
 pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>login</title>

</head>
<body>
 <h1>Please login</h1>

 <p>The page you have selected requires that you login to proceed.</p>

 <form action="j_security_check" method="post" name="loginForm">
  User name: <input id="user" type="text" name="j_username" size="20"> 
  Password: <input id="password" type="password" name="j_password" size="20">
  <input type="submit" value="Login">
 </form>
</body>
</html>

Make sure the form's action is ‘j_security_check’, the user name field is named ‘j_username’ and the password field is named ‘j_password’.

login-error.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
 pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
 <h1>Credentials are wrong</h1>
</body>
</html>


Step 2: Now update web.xml to specify the form based authentication details.

<login-config>
 <auth-method>FORM</auth-method>
 <form-login-config>
  <form-login-page>/login/login.jsp</form-login-page>
  <form-error-page>/login/login-error.jsp</form-error-page>
 </form-login-config>
</login-config>


All remaining configuration stays the same (remove the BASIC authentication scheme that we used in the previous post).

Following is the complete web.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://java.sun.com/xml/ns/javaee"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
 id="WebApp_ID" version="3.0">
 <display-name>secure_app</display-name>
 <welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
  <welcome-file>default.html</welcome-file>
  <welcome-file>default.htm</welcome-file>
  <welcome-file>default.jsp</welcome-file>
 </welcome-file-list>

 <security-role>
  <role-name>admin</role-name>
 </security-role>

 <security-constraint>
  <web-resource-collection>
   <web-resource-name>management pages</web-resource-name>
   <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>admin</role-name>
  </auth-constraint>
 </security-constraint>

 <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
   <form-login-page>/login/login.jsp</form-login-page>
   <form-error-page>/login/login-error.jsp</form-error-page>
  </form-login-config>
 </login-config>
</web-app>


Run the application on the server and try to access a secured resource; it redirects you to the login page.

If you provide wrong credentials, it redirects you to the login-error page.

If you provide correct credentials, it redirects you to the secured resource that you were trying to access.
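The web.xml above accepts j_username and j_password over whatever transport the request arrived on, and leaves the session cookie at its defaults. A hardened variant of the same file follows, as an added example that is not part of the original post; it assumes an HTTPS connector is already configured in Tomcat's server.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://java.sun.com/xml/ns/javaee"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
 id="WebApp_ID" version="3.0">
 <display-name>secure_app</display-name>

 <security-role>
  <role-name>admin</role-name>
 </security-role>

 <security-constraint>
  <web-resource-collection>
   <web-resource-name>management pages</web-resource-name>
   <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>admin</role-name>
  </auth-constraint>
  <!-- Added: require TLS for everything under /secure/*. The login form is
       served in response to a request for a /secure/ URL and posts to
       j_security_check relative to it, so the credentials travel over HTTPS. -->
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>

 <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
   <form-login-page>/login/login.jsp</form-login-page>
   <form-error-page>/login/login-error.jsp</form-error-page>
  </form-login-config>
 </login-config>

 <!-- Added: harden the session that represents the logged-in user. -->
 <session-config>
  <cookie-config>
   <!-- Keep JSESSIONID out of reach of page scripts. -->
   <http-only>true</http-only>
   <!-- Send the cookie over HTTPS only. -->
   <secure>true</secure>
  </cookie-config>
  <!-- Never place the session id in the URL (;jsessionid=...). -->
  <tracking-mode>COOKIE</tracking-mode>
 </session-config>
</web-app>
```

With CONFIDENTIAL set, Tomcat redirects a plain HTTP request for /secure/* to the connector's redirectPort before the login form is shown.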

Following is the complete project structure in Eclipse.




