Keywords: auth form basic howto webapp security AuthType mod_auth
I spent a bunch of time trying to get apache to do this with
mod_auth/mod_jk in httpd.conf and couldn't. Also spent a bunch of time
trying to get BASIC auth working for a webapp with tomcat running behind
apache jkmounts and couldn't. apache 2, tomcat 4.1.24. So I fall back to
FORM. This is merely to get a simple webapp protected. Nothing fancy.
Some day someone will google this up and thank me :)
Here's a quick and dirty how to:
1. Install tomcat
2. Edit conf/server.xml
3. Make sure <Resource name="UserDatabase... is not commented out
4. Make sure <Realm
className="org.apache.catalina.realm.UserDatabaseRealm"... is not
commented out.
5. Edit conf/tomcat-users.xml
6. Add <role rolename="theking"/>
7. Add <user username="dumbuser" password="guessme" roles="theking" />
8. Add the following to your webapp's web.xml file (in proper order,
before env-entry)
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Test Admin</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>theking</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>My test realm</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>theking</role-name>
    </security-role>
9. Put this login.jsp at the top of your webapp...
    <html lang="en">
    <head>
      <title>Login</title>
    </head>
    <body>
      <form method="POST" action='j_security_check' name="loginForm">
        <input type="text" name="j_username" size="16" maxlength="16"/><br>
        <input type="password" name="j_password" size="16" maxlength="16"/><br>
        <input type="submit" value='Login'/><br>
        <input type="reset" value='Reset'/><br>
      </form>
    </body>
    </html>
10. Reboot the world
11. You should get a login form when you hit the webapp. Type in
dumbuser/guessme and you should feel like theking when the app comes up.
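Added example, not part of the original post: a Python check that cross-references the web.xml from step 8 against the tomcat-users.xml from steps 6 and 7 and reports gaps in the protection. The sample documents are constructed from the fragments above, the function names are hypothetical, and it assumes a namespace-free (Servlet 2.3 style) web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the web.xml fragment from step 8 wrapped in
# <web-app>, and the tomcat-users.xml entries from steps 6 and 7.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>theking</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>theking</role-name></security-role>
</web-app>"""
USERS_XML = """<tomcat-users>
  <role rolename="theking"/>
  <user username="dumbuser" password="guessme" roles="theking"/>
</tomcat-users>"""

def _texts(root, path):
    """Stripped, non-empty text of every element matching path."""
    return {e.text.strip() for e in root.findall(path) if e.text and e.text.strip()}

def audit(web_xml, users_xml):
    """Return a list of findings; an empty list means no gap was detected."""
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    findings = []
    declared = _texts(web, "security-role/role-name")
    granted = {r.strip() for u in users.findall("user")
               for r in u.get("roles", "").split(",") if r.strip()}
    method = next(iter(_texts(web, "login-config/auth-method")), None)
    for sc in web.findall("security-constraint"):
        for role in sorted(_texts(sc, "auth-constraint/role-name")):
            if role == "*":  # wildcard: every role declared in this web.xml
                continue
            if role not in declared:
                findings.append(f"role '{role}' has no <security-role> entry")
            if role not in granted:
                findings.append(f"no user in tomcat-users.xml holds role '{role}'")
        # Listing http-method limits the constraint to those methods only.
        if sc.findall("web-resource-collection/http-method"):
            findings.append("http-method listed: other HTTP methods are unconstrained")
        tg = _texts(sc, "user-data-constraint/transport-guarantee")
        if method in ("FORM", "BASIC") and "CONFIDENTIAL" not in tg:
            findings.append(f"{method} login but web.xml does not require TLS "
                            "(no CONFIDENTIAL transport-guarantee)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, USERS_XML)) or "no findings")
```

Run against the configuration as posted, it reports one finding: the FORM login is not tied to a CONFIDENTIAL transport guarantee, so j_password is submitted over whatever transport the request arrived on.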