Hello,
I am trying to secure my Wicket application with container-based authentication.
The problem is that all users can log in, even if they don't have the right
role.

In my login.html I use the following form action:
                  <form action="login/j_security_check" method="post">

If I change the security-constraint url-pattern from "/login" to "/*",
the security check works, but I don't get any page displayed
(images/leer.gif not found).
Also, the login page doesn't render completely because all images are
blocked.

It would be nice if there were an example of the correct use of
container-based authentication. The often-stated example in

http://cwiki.apache.org/WICKET/servlet-container-authentication.html

doesn't work!!!!!



The configuration for Apache Tomcat 6.xx:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="MyWeb"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="TheirWeb"/>
  <user username="zorro" password="zorro" roles="MyWeb"/>
  <user username="Pete" password="Pete" roles="TheirWeb"/>
  <user username="Pete1" password="Pete1" roles="MyWeb"/>
  <user username="admin" password="admin" roles="admin,manager"/>
</tomcat-users>


The deployment descriptor:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
      "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app id="MyWeb">
      <display-name>MyWeb</display-name>
      <servlet>
            <servlet-name>wicket.wicket</servlet-name>
            <servlet-class>org.apache.wicket.protocol.http.WicketServlet</servlet-class>
            <init-param>
                  <param-name>applicationClassName</param-name>
                  <param-value>com.csc.pts.aar.web.application.AarWebApplication</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
            <servlet-name>wicket.wicket</servlet-name>
            <url-pattern>/*</url-pattern>
      </servlet-mapping>

      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>MyWeb</web-resource-name>
                  <url-pattern>/login</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                  <role-name>MyWeb</role-name>
            </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
            <form-login-config>
             <form-login-page>/login</form-login-page>
             <form-error-page>/loginerror</form-error-page>
            </form-login-config>
      </login-config>

      <security-role>
        <description>
          The role that is required to log in to the Manager Application
        </description>
        <role-name>MyWeb</role-name>
      </security-role>

</web-app>

The login.html:
<body onload="initForm()">
      <div class="LoginBackground">
      <div class="LoginBoxDB">
      <table border="0" cellpadding="0" cellspacing="0">
            <tr>
                  <td>
                  <form action="j_security_check" method="post">
                        <table class="LoginNavi" border="0" cellpadding="0" cellspacing="2">
                              <tr>
                                    <td><span class="LoginNaviItem">Username:</span></td>
                                    <td><input id="userName" name="j_username" value="" size="23" tabindex="1" /></td>
                                    <td><img src="images/leer.gif" height="20" width="18" /></td>
                              </tr>
                              <tr>
                                    <td><span class="LoginNaviItem">Password:</span></td>
                                    <td><input type="password" name="j_password" value="" size="25" tabindex="2" /></td>
                                    <td><img src="images/leer.gif" height="20" width="18" /></td>
                              </tr>
                              <tr>
                                    <td><img src="images/leer.gif" height="0" width="1" /></td>
                                    <td><input type="submit" value="Login" class="buttonStandard"/></td>
                                    <td><img src="images/leer.gif" height="20" width="18" /></td>
                              </tr>
                        </table>
                  </form>
                  </td>
            </tr>
      </table>
      </div>
      </div>
</body>
</html>
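
Added example, not part of the original post or of the Wicket documentation: a web.xml fragment that protects the whole application with the MyWeb role while leaving the login page's static files reachable before login. The /images/* path is an assumption derived from the images/leer.gif reference in login.html; any other static paths the login page loads would need the same treatment.

```xml
<!-- Added example fragment for web.xml; replaces the posted
     security-constraint. Assumed path: /images/* holds the static
     files the login page needs; adjust to the real layout. -->

<!-- 1. Protect the whole application. No http-method elements are
        listed, so the constraint covers every HTTP method rather
        than only GET and POST. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyWeb</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>MyWeb</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. Exempt what the login page loads. A constraint without an
        auth-constraint permits unauthenticated access, and the more
        specific pattern /images/* is the best match for these URLs,
        so it is applied instead of /*. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public static resources</web-resource-name>
    <url-pattern>/images/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- 3. Unchanged from the post: the container forwards to these
        pages itself, so they need no exemption of their own. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/loginerror</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>MyWeb</role-name>
</security-role>
```

With this layout a user without the MyWeb role (Pete in the posted tomcat-users file) can still authenticate, but the container answers requests for protected URLs with 403.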

