MichelLSZ

asked on

Authentication with Tomcat

What I want to achieve:

I have an application on Tomcat that you can only access with a Username and
Password. No problem, I think. But there is something else I want to have.
There are two special files that you can only access with another special
Username and Password.
So if you access the application you type in the normal Username and
Password. But if you want to access the two special files you have to be
asked to type in the special Username and Password.

At the end you can see a part of my "web.xml". It isn't working right. Once
you have typed in the normal UN and PWD, you are not asked again in the
special area. What am I doing wrong? Can anybody help?

parts of "web.xml"
[...]
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>patchdesk</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>TI</role-name>
            </auth-constraint>
        </security-constraint>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>patchdesk</web-resource-name>
                <url-pattern>/servlets/ChangeOptions</url-pattern>
                <url-pattern>/jsp/changeoptions.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>tiadmin</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>Patchdesk</realm-name>
        </login-config>
[...]


Michel

kennethxu

You did nothing wrong, and this behavior is by design.

The user must log out and log in as another user who has access to the more strict page.

In practice, double login makes the security system overcomplicated and eventually loses control. It is also not necessary in most real-world use cases.

ASKER

Thanks for your answer!

mmmhhh... what a pity. OK, so I have to find a solution with the given behavior.

You said:
"the user must logout and login as another user which have access to more strict page."

But how can a user explicitly log out?

regards
Michel
kennethxu

You can provide a logout button, like most websites do.

When the user clicks the logout button, your servlet/JSP which responds to this request should do:

session.invalidate();

(Not too sure about the exact method name, but you can easily find it out from the API doc :-)
Hello kennethxu,

I decided to manage the special authentication in the servlet. The general authentication to get access to the whole application is still managed by Tomcat.

Michel

P.S.:
Ending the session with session.invalidate() isn't working. You are not asked again for authentication after session.invalidate().
BTW:

Are sessions automatically destroyed when they are not in use anymore, for example when you close your browser?
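One way to do the servlet-side check Michel describes, as an added example that is not code from this thread: a Filter that leaves the single BASIC login to Tomcat and, for the two special paths named in the web.xml above, refuses the request unless the container-authenticated user holds the tiadmin role. It assumes the javax.servlet API of Tomcat of that era and Java 9 or later for Set.of; the class name StepUpRoleFilter and the filter mapping in the comment are my choices.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the thread). Tomcat still performs the one BASIC
// login for /* and populates the principal and roles; this filter only adds
// the second, stronger authorization check for the two special resources.
// Assumed mapping in web.xml:
//   <filter><filter-name>stepUp</filter-name>
//           <filter-class>StepUpRoleFilter</filter-class></filter>
//   <filter-mapping><filter-name>stepUp</filter-name>
//                   <url-pattern>/*</url-pattern></filter-mapping>
public class StepUpRoleFilter implements Filter {

    // The two special files from the question's web.xml.
    private static final Set<String> SPECIAL_PATHS =
            Set.of("/servlets/ChangeOptions", "/jsp/changeoptions.jsp");

    // The role the second constraint in web.xml requires.
    private static final String SPECIAL_ROLE = "tiadmin";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application (servlet path plus any extra path info).
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);

        if (SPECIAL_PATHS.contains(path)) {
            // Deny when nobody is logged in or the user lacks the stronger role.
            // The container's role mapping (tiadmin) is reused, so no second
            // password has to be stored or compared in application code.
            if (request.getUserPrincipal() == null || !request.isUserInRole(SPECIAL_ROLE)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

With BASIC authentication the browser resends its cached credentials on every request, so the container transparently re-authenticates the same user after session.invalidate() and no second prompt appears; the filter does not change that, but it guarantees that a user holding only the TI role never reaches the two files.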
ASKER CERTIFIED SOLUTION
kennethxu

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept kennethxu's comment as answer.

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

krispols
EE Cleanup Volunteer