JSP Login page suggestion

Hi there,
I made a webpage where index.jsp also has two fields for authentication. I use FORM-based authentication with JDBCRealm. Now it's clear to me that I cannot go directly to the login page to log in, because otherwise I get the message "Invalid direct reference to form login page".

Now, since I'm new to this kind of stuff and basically don't want to change my index.jsp main page, what is the best solution to adopt in order to keep index.jsp as the main page and the one where the user can log in (as on the EE website)?

Thanks in advance
Roberto

Asked by: gokyo66
 
mrcoffee365 Commented:
Great -- that's much more information, and explains what the problem is.

First, a minor point  -- isn't your error page in the /jsp directory as well?  You have
/jsp/login/login.jsp
for login and
/error.jsp
for error.   Your error.jsp page should be almost identical to login.jsp, but with the error message displayed with it that says "wrong user name and password."

Second -- putting a login form on a page that is not protected by Tomcat means that you have to understand more about the form-based login behavior of Tomcat.  You have to write some extra application code, which if you look at the experts-exchange site, they have.

The typical way to write this for Tomcat is to create a jsp or servlet which receives the username and password, puts the requested url and username and password in session attributes (or parameters on the url), then redirects to a protected page.

By forwarding to a protected page, you're invoking Tomcat's form-based login, which is what you want.

However, it sounds as if you want to log the user in, but not necessarily send them to a protected page.  If that's the case, then create a protected page, and all it does is redirect where you want the user to go.  Either it's the home page again, or some special landing page for logged in users -- whatever works best for your webapp.

0
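An alternative to carrying the credentials through session attributes or URL parameters, as an added example that is not part of the original answer: on a Servlet 3.1+ container the form on the public index.jsp can post to a small servlet that calls `HttpServletRequest.login()`, which checks the same realm that form-based login uses. The servlet path `/doLogin`, the parameter names `username` and `password`, and the class name are assumptions.

```java
// Added example, not code from the thread. Assumes Servlet 3.1+ (Tomcat 8 or later);
// on Tomcat 10+ the packages are jakarta.servlet.* instead of javax.servlet.*.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/doLogin") // hypothetical path; the form on index.jsp posts here
public class IndexLoginServlet extends HttpServlet {
    // Fixed, context-relative targets: never redirect to a URL taken from the request.
    private static final String LANDING = "/index.jsp";
    private static final String FAILED = "/index.jsp?error=yes";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username"); // hypothetical field names
        String pass = req.getParameter("password");
        if (user == null || pass == null || user.isEmpty() || pass.isEmpty()) {
            resp.sendRedirect(req.getContextPath() + FAILED);
            return;
        }
        // Create the session first so the container can keep the principal in it.
        req.getSession(true);
        try {
            if (req.getUserPrincipal() == null) {
                // Validates against the realm configured for the webapp (JDBCRealm here).
                req.login(user, pass);
            }
        } catch (ServletException e) {
            // Same generic error for an unknown user and a wrong password.
            resp.sendRedirect(req.getContextPath() + FAILED);
            return;
        }
        // Issue a new session id after authentication (session fixation defence).
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + LANDING);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Credentials are accepted by POST only, so they never end up in URLs or access logs.
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

The `security-constraint` entries in web.xml keep working unchanged, because the container applies them to the principal that `login()` established. A constraint on `/doLogin` that carries only a `user-data-constraint` of `CONFIDENTIAL` makes the container require HTTPS for the post.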
 
Gibu George (Chief Technology Officer) Commented:
Add this in your web.xml:

<login-config>
<auth-method>FORM</auth-method>
<realm-name>web-console</realm-name>
<form-login-config>
<form-login-page>/index.jsp</form-login-page>
<form-error-page>/index.jsp?error=yes</form-error-page>
</form-login-config>
</login-config>
0
 
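Gibu George (Chief Technology Officer) Commented:
This also:

<security-constraint>
<web-resource-collection>
<web-resource-name>CSF</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrator</role-name>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>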
0
 
mrcoffee365 Commented:
The way it works is that you specify that index.jsp is protected by a security role, and Tomcat requires the user to login using your specified login page.  This is done in your webapp's web.xml (which is in your ROOT/WEB-INF directory).

For example:

      <security-constraint>
        <display-name>Main Security Constraint</display-name>
        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/index.jsp</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Member</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/pathtoyour/login.jsp</form-login-page>
            <form-error-page>/pathtoyour/error.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
            <description>The role that is required to log in to Main Area
            </description>
            <role-name>Member</role-name>
      </security-role>
0
 
gokyo66 (Author) Commented:
Thanks guys for the support. I'm referring to mrcoffee365's answer.

Actually that is what I did, but it only half works. If I enter the credentials in index.jsp it works and I can navigate to all the restricted areas, but if I try to access a restricted area before entering the credentials, the index.jsp page is shown without any of the layout (CSS), images or anything of that kind...
0
 
mrcoffee365 Commented:
Then you've mis-specified something.  With the correct specification, you will not be able to see index.jsp at all unless you're logged in.

You'll probably need to post your web.xml, the file location of your index.jsp and .css files to start.  You might not have the url pattern for your index.jsp file right.
0
 
Gibu George (Chief Technology Officer) Commented:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>unchecked access</web-resource-name>
        <!-- A url-pattern is either a path prefix ("/css/*") or an extension ("*.css");
             "/css/*.css" would only match that literal path. -->
        <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

This will give all the CSS in the css folder unchecked access.
0
 
gokyo66 (Author) Commented:
Sorry, but I don't get this:
"With the correct specification, you will not be able to see index.jsp at all unless you're logged in"

Actually index.jsp is the page that has the fields used to log in, so how come I shouldn't see index.jsp?


For Gibu George
--------------------
I did as you suggested, but in this case when I open my web page the first time all the CSS is disabled.
0
 
Gibu George (Chief Technology Officer) Commented:
> when I open the first time

What do you mean by this? On refresh is it working or on login?
0
 
gokyo66 (Author) Commented:
"When I open the first time" means the first time I open the web browser and enter localhost:8080/myapp. The difference from before is that before, when I opened it, I saw everything properly; it was only after I tried to access a protected web page, which redirects to the main page, that the CSS was gone.
0
 
mrcoffee365 Commented:
As I mentioned previously, post your web.xml and the directory structure with your index.jsp.  You've specified something incorrectly, because you should not be able to get to index.jsp if you've said that it's a protected resource.

You asked what that means:
If a url is protected by login, the user cannot see the url until the user has logged in.  So if you correctly specified the security constraint in your web.xml, then users should not be able to see the page at all until they have logged in.  They'll see the login page instead, every time.

So post your web.xml and I'll try to help you.
0
 
gokyo66 (Author) Commented:
Well, I guess there is some misunderstanding. Here I try to show how my application is structured. The folders with one star are public, those with two stars are restricted to registered users, and index.jsp is the main page, with an explanation of the website and a form to log in, like the EE main web page, as I said, where you can also log in if you want.

+Tomcat
   +webapp
       +myapp
        ¦
        +css
        +img
        +registration*
        +postPrj**
        +openPrj*        
        ¦
        .index.jsp
     
Now, just to clarify, index.jsp is not in a protected area, it is public, but I tried to put that page under the tag
<form-login-page>

and as well under:

        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/index.jsp</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>

as you suggested. As I said, when I enter localhost:8080/myapp I get the index.jsp page; if I enter my credentials on that page and then try to access a restricted area, it works perfectly. The problem is that if, from the index.jsp page, I try to access a restricted area (in this case postPrj) without entering my credentials, it redirects me to the index.jsp page but there are no more CSS and images.

I hope I've been clearer.

Thanks
0
 
Gibu George (Chief Technology Officer) Commented:
You mean in the index there is no css or images?
0
 
gokyo66 (Author) Commented:
Yep, once it is redirected there is no more link to my css or img folder; I mean I see everything as basic HTML.
0
 
gokyo66 (Author) Commented:
Anyway, it is a known problem. I was looking on the net; here is an example:

http://www.artima.com/forums/flat.jsp?forum=121&thread=45510

For me it is not about finding a way to trick Tomcat; I would just like a suggestion on what the best solution could be.
0
 
mrcoffee365 Commented:
We need to see your entire web.xml.  I cannot help solve your problem if you don't provide enough information.

However, given what you've said so far, I think that you need to modify the security constraint for your webapp to make it behave as you might be expecting.

How much of your webapp do you want to have protected by login?  All of those pages must be marked as protected in the web.xml.  So it is possible, but unlikely, that you want to have index.jsp be a protected resource.  It's much more likely that you want other pages on the Web site to be protected.

So, looking at your webapp directory structure, you might put something like this in your web.xml to protect the postProj and openProj directories:

      <security-constraint>
        <display-name>Main Security Constraint</display-name>
        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/postProj/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Member</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <display-name>Main Security Constraint</display-name>
        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/openProj/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Member</role-name>
        </auth-constraint>
      </security-constraint>


Then any time you try to go to a page in one of those directories, you'll be prompted with the login page.  For example, in your index.jsp page, you might have a link to:
<a href="/myapp/openProj/page1.jsp">Open a project</a>

Notice that you haven't created a link to a login page at all -- you have created a link to a protected resource, which causes Tomcat to automatically return the login page, and once login is successful, redirect the user to the desired page.  Every time thereafter, the user will be able to get to the protected page without logging in -- until the session timeout occurs.

It's extremely unlikely that you want to protect your .css files, so they don't need to be listed in your web.xml as protected resources.

By the way, what you want to do is standard behavior for Tomcat.  The example above is actually describing the documentation for Tomcat and form-based login.  
0
 
gokyo66 (Author) Commented:
OK, the web.xml follows:

    <!-- The following part refers to the rules by which the resources can be accessed -->
    <security-constraint>
        <display-name>Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Define the context-relative URL(s) to be protected -->
            <url-pattern>/jsp/postProject/*</url-pattern>
            <!-- If you list http methods, only those methods are protected -->
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>

        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication</realm-name>
        <form-login-config>
            <form-login-page>/jsp/login/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>


Now, if the user tries to go directly to a protected resource, the login.jsp page I created works, but if the user wants to enter the username and password from the main page it doesn't work.

The part of the web application that I want to protect is just the one under 'postProject'.

I don't know if I'm explaining myself properly (sorry, but I'm not a native English speaker), but to give an example, as I was saying at the beginning, it is just like the Experts-Exchange website. When you enter www.experts-exchange.com you get the main page; if you try to enter a protected area you are prompted with a login page, and otherwise you can enter your username and password directly from the main page and then get access to the whole website.

0
 
gokyo66 (Author) Commented:
Mmhhh, I see... OK, sounds good to me. As I said, it is the first time I'm facing this kind of stuff (I mean web applications). BTW, thank you.
0
 
mrcoffee365 Commented:
You're welcome, and good luck.  
0
Question has a verified solution.
