Declarative role-based security in J2EE WebSphere

Hi Experts,

I have been trying to get the declarative security in J2EE to work and am not able to do so. The request pattern doesn't work; the application is letting users into unauthorized JSPs as well. But I can see that the role itself is obtained right, meaning if I do request.isInRole it returns the right role info in the servlet.

Can someone suggest where to look for pointers? Here are my web.xml and app.xml.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp">
	<display-name>GatewayApp</display-name>
	<context-param>
		<param-name>administratorURL</param-name>
		<param-value>/Myadmin</param-value>
		<description>Administrator module path</description>
	</context-param>
	<context-param>
		<param-name>authorURL</param-name>
		<param-value>/Myauthor</param-value>
		<description>Author module path</description>
	</context-param>
	<filter>
		<filter-name>ManagerGatewayFilter</filter-name>
		<display-name>ManagerGatewayFilter</display-name>
		<filter-class>bean.ManagerGatewayFilter</filter-class>
	</filter>
	<filter>
		<filter-name>loginFilter</filter-name>
		<display-name>loginFilter</display-name>
		<filter-class>bean.loginFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>loginFilter</filter-name>
		<url-pattern>/loginFilter</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>loginFilter</filter-name>
		<url-pattern>/j_security_check</url-pattern>
	</filter-mapping>
	<listener>
		<listener-class>bean.TestListener</listener-class>
	</listener>
	<servlet>
		<servlet-name>MannualInvalidateSession</servlet-name>
		<display-name>MannualInvalidateSession</display-name>
		<servlet-class>bean.MannualInvalidateSession</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>MannualInvalidateSession</servlet-name>
		<url-pattern>/MannualInvalidateSession</url-pattern>
	</servlet-mapping>
	<session-config>
		<session-timeout>5</session-timeout>
	</session-config>
	<welcome-file-list>
		<welcome-file>managerHome.jsp</welcome-file>
		<!--<welcome-file>managerHome.jsp</welcome-file>-->
	</welcome-file-list>
	<error-page>
		<error-code>404</error-code>
		<location>/404.jsp</location>
	</error-page>
	<resource-ref id="ResourceRef_1263312544187">
		<description>Indirect JNDI reference</description>
		<res-ref-name>jdbc/mgrdsn</res-ref-name>
		<res-type>javax.sql.DataSource</res-type>
		<res-auth>Application</res-auth>
		<res-sharing-scope>Shareable</res-sharing-scope>
	</resource-ref>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>ManagerResources</web-resource-name>
			<description>The Manager Resources</description>
			<url-pattern>/</url-pattern>
			<url-pattern>/aboutbox.jsp</url-pattern>
			<url-pattern>/main.jsp</url-pattern>
			<url-pattern>/index.jsp</url-pattern>
			<http-method>GET</http-method>
		</web-resource-collection>
		<auth-constraint>
			<description></description>
			<role-name>MgrUserRole</role-name>
			<role-name>PublicUser</role-name>
		</auth-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/loginError.jsp</form-error-page>
		</form-login-config>
	</login-config>
	<security-role>
		<description></description>
		<role-name>MgrUserRole</role-name>
	</security-role>
	<security-role>
		<description></description>
		<role-name>PublicUser</role-name>
	</security-role>
</web-app>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN" "http://java.sun.com/dtd/application_1_3.dtd">
<application id="Application_ID">
	<display-name>manager_GTW</display-name>
	<module id="WebModule_1232571342612">
		<web>
			<web-uri>ManagerGateway.war</web-uri>
			<context-root>manager</context-root>
		</web>
	</module>
	<module id="WebModule_1232571342613">
		<web>
			<web-uri>dbcredentials.war</web-uri>
			<context-root>manager/lmu</context-root>
		</web>
	</module>
	<module id="WebModule_1232571342614">
		<web>
			<web-uri>manager.war</web-uri>
			<context-root>manager/Mymanager</context-root>
		</web>
	</module>
	<security-role id="SecurityRole_1260484657609">
		<description></description>
		<role-name>MgrUserRole</role-name>
	</security-role>
	<security-role id="SecurityRole_1270843993062">
		<role-name>AuthorUserRole</role-name>
	</security-role>
</application>


bcisystems asked:
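An added example, not code from the original post: a small Python auditor that parses a security-constraint from web.xml and reports which (method, path) pairs no constraint applies to, using the servlet-spec url-pattern rules (exact, `/prefix/*`, `*.ext`, default `/`). Two points it makes visible: listing `<http-method>GET</http-method>` scopes the constraint to GET only (omitting `<http-method>` applies it to every method), and `/*` is the unambiguous way to cover every path. It assumes the `/` pattern is applied per the spec's default-servlet rule; both XML strings are constructed here, and the hardened variant is this example's suggestion rather than anything the post contains.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the posted constraint, DOCTYPE dropped so it parses offline.
POSTED = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/</url-pattern><url-pattern>/aboutbox.jsp</url-pattern>
  <url-pattern>/main.jsp</url-pattern><url-pattern>/index.jsp</url-pattern>
  <http-method>GET</http-method>
</web-resource-collection><auth-constraint><role-name>MgrUserRole</role-name>
</auth-constraint></security-constraint></web-app>"""

# Constructed hardened variant: one path-prefix pattern, no http-method list.
HARDENED = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>MgrUserRole</role-name>
</auth-constraint></security-constraint></web-app>"""

def parse_constraints(xml_text):
    """Yield (url_patterns, http_methods) for every web-resource-collection."""
    root = ET.fromstring(xml_text)
    for wrc in root.iter("web-resource-collection"):
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        # No <http-method> elements means the spec default: all methods constrained.
        methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
        yield patterns, methods

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern rules: exact, path prefix, extension, default."""
    if pattern == "/":                 # default servlet; assumed to cover any path
        return True
    if pattern.endswith("/*"):         # path-prefix mapping, e.g. /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):       # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern             # exact mapping

def is_constrained(xml_text, method, path):
    """True if at least one constraint applies to this method and path."""
    for patterns, methods in parse_constraints(xml_text):
        if methods and method.upper() not in methods:
            continue                   # collection scoped to other methods only
        if any(pattern_matches(p, path) for p in patterns):
            return True
    return False

def uncovered(xml_text, requests):
    """Return the (method, path) pairs that no constraint applies to."""
    return [(m, p) for m, p in requests if not is_constrained(xml_text, m, p)]
```

Running `uncovered(POSTED, [("GET", "/main.jsp"), ("POST", "/main.jsp"), ("HEAD", "/")])` reports the POST and HEAD requests as unconstrained, while the same probes against `HARDENED` return an empty list.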
 
mrcoffee365 commented:
When I do a simple test of your security-constraint patterns, they work fine -- all access to the root directory requires a login.

However, one thing is a little peculiar -- your login page is in the same directory where you require a login.  Try putting it in a public directory of your webapp, which would require changing your rules a little.

Usually people have public and private subdirectories under their webapps.  The login and login error pages are public, and the rest are private.

I haven't tested your protected login, because I don't want to create an entire login env to check your code.  But it does look odd to me.
Question has a verified solution.
