Solved

JSP Login page suggestion

Posted on 2009-04-21
Last Modified: 2013-12-02
Hi there,
I made a webpage where the index.jsp also has two fields to get authenticated. I use FORM-based authentication with JDBCRealm. Now it's clear to me that I cannot go directly to the login page to log in, because otherwise I get the message "Invalid direct reference to form login page".

Now, since I'm new to this kind of stuff, and basically I don't want to change my index.jsp main page, what is the best solution to adopt in order to keep index.jsp as the main page and the one where the user can log in (as on the EE website)?

Thanks in advance
Roberto

0
Comment
Question by:gokyo66
19 Comments
 
LVL 12

Expert Comment

by:Gibu George
ID: 24195758
add this in your web.xml


<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>web-console</realm-name>
  <form-login-config>
    <form-login-page>/index.jsp</form-login-page>
    <form-error-page>/index.jsp?error=yes</form-error-page>
  </form-login-config>
</login-config>
 
LVL 12

Expert Comment

by:Gibu George
ID: 24195771
this also


<security-constraint>
  <web-resource-collection>
    <web-resource-name>CSF</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrator</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

 
LVL 27

Expert Comment

by:mrcoffee365
ID: 24195780
The way it works is that you specify that index.jsp is protected by a security role, and Tomcat requires the user to login using your specified login page.  This is done in your webapp's web.xml (which is in your ROOT/WEB-INF directory).

For example:

      <security-constraint>
        <display-name>Main Security Constraint</display-name>
        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/index.jsp</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Member</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/pathtoyour/login.jsp</form-login-page>
            <form-error-page>/pathtoyour/error.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
            <description>The role that is required to log in to Main Area
            </description>
            <role-name>Member</role-name>
      </security-role>

Author Comment

by:gokyo66
ID: 24196028
Thanks guys for the support. I'm referring to mrcoffee365's answer.

Actually that is what I did, but it only works halfway. If I enter the credentials in index.jsp it works, I can navigate to all the restricted areas, but if I try to access a restricted area before entering the credentials, the index.jsp page is shown but without all the layout stuff related to it (CSS), images or anything of that kind...
 
LVL 27

Expert Comment

by:mrcoffee365
ID: 24196891
Then you've mis-specified something.  With the correct specification, you will not be able to see index.jsp at all unless you're logged in.

You'll probably need to post your web.xml, the file location of your index.jsp and .css files to start.  You might not have the url pattern for your index.jsp file right.
 
LVL 12

Expert Comment

by:Gibu George
ID: 24197025

<security-constraint>
  <web-resource-collection>
    <web-resource-name>unchecked access</web-resource-name>
    <!-- A url-pattern is an exact path, a /prefix/* path mapping or a *.ext
         extension mapping; /css/* covers everything under the css folder. -->
    <url-pattern>/css/*</url-pattern>
  </web-resource-collection>
  <!-- No <auth-constraint>: this collection is reachable without logging in. -->
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

this will exclude all the CSS in the css folder, giving it unchecked access
 

Author Comment

by:gokyo66
ID: 24198571
Sorry but I don't get this:
"With the correct specification, you will not be able to see index.jsp at all unless you're logged in"

Actually the index.jsp is the page with the fields used to log in, so how come I shouldn't see the index.jsp?


For Gibu George
--------------------
I did as you suggested, but in this case when I open my web page the first time all the CSS is disabled
 
LVL 12

Expert Comment

by:Gibu George
ID: 24198916
> when I open the first time

What do you mean by this? On refresh is it working or on login?
 

Author Comment

by:gokyo66
ID: 24199048
"When I open the first time" means the first time I open the web browser and enter localhost:8080/myapp. The difference from before is that before, when I opened it, I saw everything properly; it is only after I try to access a protected web page, which redirects to the main page, that it comes back without CSS.
 
LVL 27

Expert Comment

by:mrcoffee365
ID: 24199737
As I mentioned previously, post your web.xml and the directory structure with your index.jsp.  You've specified something incorrectly, because you should not be able to get to index.jsp if you've said that it's a protected resource.

You asked what that means:
If a url is protected by login, the user cannot see the url until the user has logged in.  So if you correctly specified the security constraint in your web.xml, then users should not be able to see the page at all until they have logged in.  They'll see the login page instead, every time.

So post your web.xml and I'll try to help you.
 

Author Comment

by:gokyo66
ID: 24202300
Well, I guess there is some misunderstanding. Here I try to show how my application is structured. The folders with one star are public, those with two stars are restricted to registered users; index.jsp is the main page, with an explanation of the website and a form to log in, as I said, like the EE main web page, where you can also log in if you want.

+Tomcat
   +webapp
       +myapp
        ¦
        +css
        +img
        +registration*
        +postPrj**
        +openPrj*        
        ¦
        .index.jsp
     
Now, just to clarify, index.jsp is not under the protected area, it is public, but I tried to put that page under the tag
<form-login-page>

and as well under:

        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/index.jsp</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>

as you suggested. As I said, when I enter localhost:8080/myapp I get the index.jsp page; if from that page I enter my credentials and then try to access the restricted area it works perfectly. The problem is if, from the index.jsp page without entering my credentials, I try to access a restricted area (in this case postPrj): it redirects me to the index.jsp page but there are no more CSS and images.

Hope I've been clearer.

Thanks
 
LVL 12

Expert Comment

by:Gibu George
ID: 24202947
You mean in the index there is no css or images?
 

Author Comment

by:gokyo66
ID: 24202963
yep, once it is redirected there is no more link to my css or img folder, I mean I see everything like basic HTML
 

Author Comment

by:gokyo66
ID: 24203030
Anyway it is a known problem; I was looking on the net, here is an example:

http://www.artima.com/forums/flat.jsp?forum=121&thread=45510

For me it is not about finding a way to trick Tomcat, I would just like a suggestion on what could be the best solution
 
LVL 27

Expert Comment

by:mrcoffee365
ID: 24204746
We need to see your entire web.xml.  I cannot help solve your problem if you don't provide enough information.

However, given what you've said so far, I think that you need to modify the security constraint for your webapp to make it behave as you might be expecting.

How much of your webapp do you want to have protected by login?  All of those pages must be marked as protected in the web.xml.  So it is possible, but unlikely, that you want to have index.jsp be a protected resource.  It's much more likely that you want other pages on the Web site to be protected.

So, looking at your webapp directory structure, you might put something like this in your web.xml to protect the postProj and openProj directories:

      <security-constraint>
        <display-name>Main Security Constraint</display-name>
        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/postProj/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Member</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <display-name>Main Security Constraint</display-name>
        <web-resource-collection>
             <web-resource-name>Main Area</web-resource-name>
             <url-pattern>/openProj/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Member</role-name>
        </auth-constraint>
      </security-constraint>


Then any time you try to go to a page in one of those directories, you'll be prompted with the login page.  For example, in your index.jsp page, you might have a link to:
<a href="/myapp/openProj/page1.jsp">Open a project</a>

Notice that you haven't created a link to a login page at all -- you have created a link to a protected resource, which causes Tomcat to automatically return the login page, and once login is successful, redirect the user to the desired page.  Every time thereafter, the user will be able to get to the protected page without logging in -- until the session timeout occurs.

It's extremely unlikely that you want to protect your .css files, so they don't need to be listed in your web.xml as protected resources.

By the way, what you want to do is standard behavior for Tomcat.  The example above is actually describing the documentation for Tomcat and form-based login.  
 

Author Comment

by:gokyo66
ID: 24205147
OK, the web.xml follows

  <!-- The part that follows refers to the rules by which resources can be accessed -->
  <security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/jsp/postProject/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>

  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication</realm-name>
    <form-login-config>
      <form-login-page>/jsp/login/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>


Now, if the user tries to get directly to a protected resource, I created a login.jsp page and it works, but if the user wants to enter the username and password from the main page it doesn't work.

The part of the web application that I want to protect is just the one under 'postProject'

I don't know if I am not explaining myself properly (sorry but I'm not an English native speaker) but to make an example, as I was saying at the beginning, it is just the Experts-Exchange website. When you enter www.experts-exchange.com you get the main page; if you try to enter a protected area you get prompted with a login page; otherwise you can enter your username and password directly from the main page and then get access to the whole website.

 
LVL 27

Accepted Solution

by: mrcoffee365 (earned 400 total points)
ID: 24210673
Great -- that's much more information, and explains what the problem is.

First, a minor point  -- isn't your error page in the /jsp directory as well?  You have
/jsp/login/login.jsp
for login and
/error.jsp
for error.   Your error.jsp page should be almost identical to login.jsp, but with the error message displayed with it that says "wrong user name and password."

Second -- putting a login form on a page that is not protected by Tomcat means that you have to understand more about the form-based login behavior of Tomcat.  You have to write some extra application code, which if you look at the experts-exchange site, they have.

The typical way to write this for Tomcat is to create a jsp or servlet which receives the username and password, puts the requested url and username and password in session attributes (or parameters on the url), then redirects to a protected page.

By forwarding to a protected page, you're invoking Tomcat's form-based login, which is what you want.

However, it sounds as if you want to log the user in, but not necessarily send them to a protected page.  If that's the case, then create a protected page, and all it does is redirect where you want the user to go.  Either it's the home page again, or some special landing page for logged in users -- whatever works best for your webapp.

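The flow the accepted answer describes (a servlet that takes the credentials from the public index.jsp and hands them to the container) as an added example; this is not code from the thread. Instead of parking the credentials in session attributes and bouncing through a protected page, it uses the Servlet 3.0 HttpServletRequest.login() API (Tomcat 7 and later), which authenticates against the same realm configured for the context without holding the password in the session or depending on the form-login redirect; the /indexLogin mapping and the username/password parameter names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Handles the login form on the public index.jsp. The form posts here
 * instead of to j_security_check (assumed markup):
 *   <form method="post" action="<%= request.getContextPath() %>/indexLogin">
 *     <input name="username"> <input type="password" name="password">
 *   </form>
 * Mapping and parameter names are assumptions for this example.
 */
@WebServlet("/indexLogin")
public class IndexLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        String ctx = req.getContextPath();
        if (user == null || user.isEmpty() || pass == null) {
            resp.sendRedirect(ctx + "/index.jsp?error=yes");
            return;
        }
        try {
            // Servlet 3.0 programmatic login: Tomcat checks the pair against the
            // realm configured for this context (here the JDBCRealm) and caches
            // the principal in the session, so later requests to the protected
            // /jsp/postProject/* area pass the security constraint.
            req.login(user, pass);
        } catch (ServletException e) {
            // Wrong credentials (or the caller was already authenticated).
            resp.sendRedirect(ctx + "/index.jsp?error=yes");
            return;
        }
        // Redirect rather than forward: the browser's URL stays the home page,
        // so its relative css/ and img/ links keep resolving.
        resp.sendRedirect(ctx + "/index.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Credentials belong in a POST body, never in a GET query string.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}
```

With this in place the FORM login-config and /jsp/login/login.jsp from the posted web.xml still handle users who hit a protected URL directly; the servlet only covers the home-page form.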
 

Author Closing Comment

by:gokyo66
ID: 31572806
mmhhh I see... ok, sounds good to me. As I said it is the first time I'm facing this kind of stuff (I mean web applications). BTW, thank you
 
LVL 27

Expert Comment

by:mrcoffee365
ID: 24215170
You're welcome, and good luck.  
