Ah-ha! Everything I had read so far led me to think I needed to put everything under ROOT. I'm glad you guys pointed that out. It makes sense.
In the meantime, to make things simpler, I set up another "webapp" without any of the SPID stuff I was talking about before. It's very simple and contains nothing more than a login page (login.jsp) and login error page (login_error.html), the "environment" page (environment.jsp) I mentioned before and an error page (error.jsp), specified in the "errorPage" attribute of the "page" directive of the JSP files. The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any more) and the web.xml file in the WEB-INF subdirectory has been set up to use the correct path. I also included the security-role element Frank mentioned below. The <web-app> portion of web.xml looks like this: <web-app xmlns="http://java.sun.com/xml/ns/j2ee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";> <display-name>Simple JSP</display-name> <description>Simple JSP Test</description> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/Simple_JSP/login.jsp</form-login-page> <form-error-page>/Simple_JSP/login_error.html</form-error-page> </form-login-config> </login-config> <security-role> <description>Security Role</description> <role-name>simple_jsp</role-name> </security-role> <security-constraint> <web-resource-collection> <web-resource-name>Simple JSP Test</web-resource-name> <url-pattern>/Simple_JSP/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>simple_jsp</role-name> </auth-constraint> </security-constraint> </web-app> Of course, I set up the simple_jsp role in the tomcat-users.xml file and added that role to my user entry. Now that this is all said and done, I'm still getting behavior that I'm not expecting. If I load my "environment" file into the browser (http://localhost/Simple_JSP/environment.jsp), it comes up as though there were no security/authentication mechanism to put up a roadblock. The login page is never presented. I was expecting that if I were to request any page from the Simple_JSP area, that before anything is displayed, I would be prompted to provide and user name and password. Isn't that what's supposed to happen? Thanks, Joe -----Original Message----- From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 14, 2005 6:37 PM To: Tomcat Users List Subject: Re: Help/Examples setting up security settings As Mark indicated in another post, the first problem you need to resolve is how you have installed your webapp. ROOT is itself a webapp, and although it might seem right that you want to put your webapp under it, that isn't the case. Move SPID_JSP to /webapps and you should be all set. One other thing I see is you are missing security role definitions in your web.xml. You'll want to add something like this: <security-role> <description>spid_jsp</description> <role-name>spid_jsp</role-name> </security-role> The role-name element maps to the role you created in tomcat-users.xml, and also maps to the security constraint's role-name element, as you already have. One other thing... the order of elements in web.xml is usually important. I think newer versions of Tomcat allow you to put things in any order you want (as one would expect with XML!), but earlier versions had a more restrictive DTD. You should see an error message when you start Tomcat if this is going to be a problem. Just wanted to warn you about it is you see it later. Frank Gagnon, Joseph M (US SSA) wrote: > OK, now I'm more confused. First some background (for those of you who > haven't seen the entire history). > > 1. I have defined a role and added myself as a user in that role to > the tomcat-users.xml file (in [tomcat install dir]/conf). The role is > defined as "spid_jsp". (SPID is just the name of an existing application > that contains ASP files that I would like to test converting to JSP.) > 2. I have placed a WEB-INF directory under my test application > directory ([tomcat install dir]/webapps/ROOT/SPID_JSP) and put a web.xml > file in it. (SPID_JSP is where the JSP and HTML files reside.) > 3. That web.xml file contains the following: > > <web-app xmlns="http://java.sun.com/xml/ns/j2ee"; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee > http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";> > > <display-name>SPID JSP Test</display-name> > <description>SPID JSP Test</description> > > <login-config> > <auth-method>FORM</auth-method> > <form-login-config> > > <form-login-page>/SPID_JSP/login.jsp</form-login-page> > > <form-error-page>/SPID_JSP/login_error.html</form-error-page> > </form-login-config> > </login-config> > > <security-constraint> > <web-resource-collection> > <web-resource-name>SPID JSP > Test</web-resource-name> > <url-pattern>/SPID_JSP/*</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>spid_jsp</role-name> > </auth-constraint> > </security-constraint> > > </web-app> > > 4. I have set up login.jsp and login_error.html files (in [tomcat > install dir]/webapps/ROOT/SPID_JSP) to provide a login form and login > error page, respectively. The login.jsp file specifies j_security_check > for the form action and j_username and j_password as the names of the > user name and password fields on the form. > 5. I have another JSP file named environment.jsp that basically > prints out the results from calling various methods available from > implicit objects available (e.g. session, request, etc.). This just > allows me to 1) display something as a JSP page and 2) show me some > information about the environment. > > OK, my understanding (as poor as that is) of this > authentication/security process is that based upon the setup just > described, if I try to access a page in my SPID_JSP area, I should be > presented with the login page. If I provide the correct user > name/password, I should then be "logged in" and be able to see the page > I requested. If not, then I should get the login error page. > > That's not the case for me. If I enter > http://localhost/SPID_JSP/environment.jsp in my browser, one of two > things ends up happening (why two things, rather than just one, I have > no idea, but it's just one more thing on my stack of don't-know-whys). > > 1. I get the standard HTTP 500 message: "This page cannot be > displayed." If I do a reload of the page, my environment "dump" > magically appears (although the page header still shows "HTTP 500 > Internal server error". I can do multiple reloads and the information > appears to be updated each time (i.e. I don't think it's coming out of > cache). Oddly, this only seems to occur when I bring up a fresh browser > and load the page directly for the first time. > 2. If, however, I enter just the application "root" directory (i.e. > http://localhost/SPID_JSP) in the browser, I get a listing of the files > in that directory (The environment.jsp file is listed among them.). If I > click on its link, again I get my environment "dump", except this time, > the page header shows what I expect: "Get Environment Data". > > First, why didn't I get presented with the login page? Isn't that what > was supposed to happen? > > Second, I don't understand the dual behavior observed above. Why should > I get what happens in scenario 1? The file requested exists at the > location specified. What gives? Why does scenario 2 allow me to access > my page as I would expect to? > > Obviously, I don't know diddly-squat about how this technology works and > is meant to be used. Everything I try ends up either a drop dead failure > or confuses me even more than I already was. There does not seem to be > any consistency to the behaviors I've been seeing. If someone asked me > right now whether to recommend using JSP, I'd have to say "No". I can't > even get a simple test scenario to work. > > I'm trying to hold off on buying any books on the subject, because I'm > not sure which ones would be the best to get (although I have some > ideas) and more importantly, because I am trying to evaluate the > technology and the feasibility (not to mention the do-ability) of > potentially converting an existing ASP application to JSP. The books > would be purchased through my department, and I don't want to have a > bunch of books bought that I may end up not using, if the decision ends > up being that we won't go the JSP route. > > I realize that it's difficult for someone reading this to get the full > picture of my situation. I've tried to include all pertinent > information. > > If anyone can help me out, I would sure appreciate it. (Thanks again > Frank Zammetti for the information you've provided so far.) > > Thanks, > Joe Gagnon > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
