Authentification with Tomcat

MichelLSZ
MichelLSZ used Ask the Experts™
on
What I want to achieve:

I have an application on Tomcat that you can only access with a Username and
Password. No problem I think. But there is something else I want to have.
There are two special files that you can only acces by another special
Username and Password.
So if you acces the application you type in the normal Username and
Password. But if you want to access the two special file you have to be
asked to type in the special Username and Password.

At the end you can see a part of my "web.xml". It isn't working right. Once
you have typed in the normal UN and PWD, you are not asked again in the
special area. What am I doing wrong? Can anybody help?

parts of "web.xml"
[...]
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>patchdesk</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>TI</role-name>
            </auth-constraint>
        </security-constraint>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>patchdesk</web-resource-name>
                <url-pattern>/servlets/ChangeOptions</url-pattern>
                <url-pattern>/jsp/changeoptions.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>tiadmin</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>Patchdesk</realm-name>
        </login-config>
[...]


Michel

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
you did nothing wrong and this behavior is by design.

the user must logout and login as another user which have access to more strict page.

in practical, double login will make security system over complicated and eventually lost control. it is also not necessary in most of real world use case.

Author

Commented:
Thanks for your answer!

mmmhhh... what a pity. OK, so I have to find a solution with the given behavior.

You said:
"the user must logout and login as another user which have access to more strict page."

But how can an user explicitly log out??

regards
Michel
you can provide a logout button, like most website do.

when user click logout button, you servlet/jsp which response to this request should do:

session.invalidate();

(not too sure about exact method name, but you can easily find it out from api doc :-)
Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

Author

Commented:
Hallo kennethxu,

I deciced to manage the special authentification in the servlet. The general authentification to get access to the whole application is still managed by Tomcat.

Michel

P.S.:
To end the session with session.invalidate() isn't working. You are not asked again for authentification after session.invalidate().

Author

Commented:
BTW:

Are sessions automatically destroyed when they are not in use anymore. For example when you are closing your browser?
>>session.invalidate() isn't working
strange, i'll give it a try when I got home, so have access to a tomcat server.

you must define session timeout in you web.xml, after use close browser or idle tiem passes timeout, the session will be destroyed.

Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept  kennethxu's comment as answer.

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

krispols
EE Cleanup Volunteer

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial