I apologize for mailing this to the development list, but I have scoured the web and e-mailed the user list numerous times with no answers. I don't know if this is a bug, or how to resolve this issue. Please read my question below:
So I found that I can access my servlet if I don't use the RequestDispatcher.forward method. In other words, when I try to access my page (e.g.: http://localhost:8080/dev/servlet/ProtectedPage) I get a login JSP form that I specified. When I log in successfully, the login page reappears when, in my ProtectedPage servlet, I use the RequestDispatcher.forward method instead of using a PrintWriter to send back the response. Why can I not use the RequestDispatcher? If I can, how???

I am using Tomcat 4.0.4 on Windows connecting to an Oracle 8i database for usernames, passwords and roles. Below is some code.

Web.xml

    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/servlet/*</url-pattern>
        <url-pattern>/jsp/security/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>user</role-name>
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login.jsp</form-login-page>
        <form-error-page>/jsp/security/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

ProtectedPage.java

    import javax.servlet.RequestDispatcher;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class ProtectedPage extends HttpServlet {

        // Default constructor
        public ProtectedPage() {
            super();
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response) {
            performTask(request, response);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response) {
            performTask(request, response);
        }

        // Forwards GET and POST requests to a JSP under the protected /jsp/security/ path
        public void performTask(HttpServletRequest request, HttpServletResponse response) {
            try {
                String jspPage = "index.jsp";
                RequestDispatcher rd =
                    getServletContext().getRequestDispatcher("/jsp/security/" + jspPage);
                rd.forward(request, response);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

index.jsp

    <html>
    <head>
    <title>Protected Page for Examples</title>
    </head>
    <body bgcolor="white">

    You are logged in as remote user <b><%= request.getRemoteUser() %></b>
    in session <b><%= session.getId() %></b><br><br>

    <%
      if (request.getUserPrincipal() != null) {
    %>
        Your user principal name is
        <b><%= request.getUserPrincipal().getName() %></b><br><br>
    <%
      } else {
    %>
        No user principal could be identified.<br><br>
    <%
      }
    %>

    <%-- The "role" request parameter is written into the page below without HTML escaping --%>
    <%
      String role = request.getParameter("role");
      if (role == null)
        role = "";
      if (role.length() > 0) {
        if (request.isUserInRole(role)) {
    %>
          You have been granted role <b><%= role %></b><br><br>
    <%
        } else {
    %>
          You have <i>not</i> been granted role <b><%= role %></b><br><br>
    <%
        }
      }
    %>

    </body>
    </html>

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
[EMAIL PROTECTED]