> -----Original Message-----
> From: Luca Ventura [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 17, 2002 12:09 AM
> To: [EMAIL PROTECTED]
> Subject: How can I protect my servlet with a login and a password?
>
>
> Hello everybody!
>
> I have Apache Tomcat 4.0 as Servlet Engine and I would like to do the
> following thing: when a user tries to connect to my servlet "MyServlet"
> a window should appear that asks him to insert a login and a password
> before accessing the servlet. How can I do this?
>
> Must I change some configuration file in Tomcat? Can I use
> the same solution to protect other web resources (for example
> the "files" to download)?

1) Set up usernames, passwords, and roles.
   - Designate a list of users and associated passwords and abstract
     role(s) such as normal user or administrator.
   - This is a completely server-specific process.
   - Simplest Tomcat approach: use $CATALINA_HOME/conf/tomcat-users.xml:

     <?xml version="1.0" encoding="ISO-8859-1"?>
     <tomcat-users>
       <user name="john" password="nhoj" roles="registered-user" />
       <user name="jane" password="enaj" roles="registered-user" />
       <user name="juan" password="nauj" roles="administrator" />
       <user name="juana" password="anauj" roles="administrator,registered-user" />
     </tomcat-users>

2) Tell the server that you are using form-based authentication.
   Designate locations of login and login-failure page.
   - Use the web.xml login-config element with auth-method of FORM and
     form-login-config with locations of pages.

     <web-app>
       ...
       <login-config>
         <!-- one value only: FORM (login page below) or BASIC (browser prompt) -->
         <auth-method>FORM</auth-method>
         <form-login-config>
           <form-login-page>/login.jsp</form-login-page>
           <form-error-page>/login-error.html</form-error-page>
         </form-login-config>
       </login-config>
       ...
     </web-app>

3) Create a login page (HTML or JSP).
   - HTML form with ACTION of j_security_check, METHOD of POST,
     textfield named j_username, and password field named j_password.

     <FORM ACTION="j_security_check" METHOD="POST">
       ...
       <INPUT TYPE="TEXT" NAME="j_username">
       ...
       <INPUT TYPE="PASSWORD" NAME="j_password">
       ...
     </FORM>

   - For the username, you can use a list box, combo box, or set of
     radio buttons instead of a textfield.

4) Specify URLs to be password protected.
   - Use security-constraint element of web.xml. This element uses
     web-resource-collection and auth-constraint subelements. The first
     (web-resource-collection) designates URL patterns to which access
     should be restricted; the second (auth-constraint) specifies
     abstract roles that should have access to resources at the given
     URLs.

     <web-app>
       ...
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Sensitive</web-resource-name>
           <url-pattern>/sensitive/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <role-name>administrator</role-name>
           <role-name>executive</role-name>
         </auth-constraint>
       </security-constraint>
       <login-config>...</login-config>
       ...
     </web-app>

> Thanks a lot in advance!

Hope that solves your problem.

>
> Luca

Vikram.

> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
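
Added example, not part of the original thread and not Tomcat code: a small Python check that reads the two files from steps 1 and 4 and reports which roles may request a path and which constrained roles no user holds. The inline XML is an abridged copy of the reply's snippets, and the function names and the /downloads path are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, abridged from the reply's snippets (Tomcat 4.0 attribute names).
TOMCAT_USERS = """<tomcat-users>
  <user name="john" password="nhoj" roles="registered-user" />
  <user name="juan" password="nauj" roles="administrator" />
  <user name="juana" password="anauj" roles="administrator,registered-user" />
</tomcat-users>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/sensitive/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>executive</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern matching: '/prefix/*', '*.ext', or exact path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def constraints(web_xml):
    """Yield (url_patterns, allowed_roles) for each security-constraint."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        yield ([p.text.strip() for p in sc.iter("url-pattern")],
               {r.text.strip() for r in sc.iter("role-name")})

def roles_for(web_xml, path):
    """Union of roles over matching constraints (simplified); None if unprotected."""
    hits = [roles for pats, roles in constraints(web_xml)
            if any(pattern_matches(p, path) for p in pats)]
    return set().union(*hits) if hits else None

def unassigned_roles(web_xml, users_xml):
    """Roles named in auth-constraints that no user in tomcat-users.xml holds."""
    held = {r.strip() for u in ET.fromstring(users_xml).iter("user")
            for r in u.get("roles", "").split(",")}
    wanted = set().union(*(roles for _, roles in constraints(web_xml)))
    return wanted - held
```

With these inputs, /downloads/file.zip comes back unprotected until a matching url-pattern is added, and "executive" is reported as a role no listed user holds.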