Scott
I am trying to create a web application called hotdotcom. It is an example from Hall’s Core Servlets and JavaServer Pages Volume 2: Advanced Technologies - Second Edition. It is found in Chapter 3: Declarative Security – 3.1 Form-Based Authentication.
The web application uses container-managed security with form-based authentication. The web.xml is below. I am running Tomcat 3.3.1 on my PC. When I click a protected URL I receive the login form just fine, but when I fill it out I am always sent to my login-error.jsp page. I have added four users to Tomcat’s <install_dir>/conf/tomcat-users.xml file (also below).
I receive the following statement in the Tomcat log:
2013-02-25 08:30:22 - Http10Interceptor: Starting on 8080
2013-02-25 08:30:22 - Ajp12Interceptor: Starting on 8007
2013-02-25 08:30:22 - Ajp13Interceptor: Starting on 8009
EmbededTomcat: Startup time 56
2013-02-25 08:31:46 - SessionIdGenerator: Created random class java.security.Sec
ureRandom
2013-02-25 08:31:59 - Ctx(/hotdotcom) : From login without a session
web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Disable the invoker servlet: /servlet/* is mapped to NoInvokerServlet.
       Requests under /servlet/ are not covered by the /investing/*
       security-constraint below, so this mapping keeps servlets from being
       reached through that unprotected path. -->
  <servlet>
    <servlet-name>NoInvoker</servlet-name>
    <servlet-class>coreservlets.NoInvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>NoInvoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>

  <!-- When the client's URL names a directory but no file, try index.jsp
       first and index.html second. If neither exists the result is server
       specific (e.g., a directory listing). -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <!-- Protect everything within the "investing" directory: only callers in
       the registered-user or administrator role are admitted. No http-method
       is listed, so the constraint applies to every HTTP method.
       NOTE(review): no user-data-constraint is declared, so nothing in this
       descriptor requires HTTPS; the login form's password travels over
       whatever transport the request used. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Investing</web-resource-name>
      <url-pattern>/investing/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>registered-user</role-name>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Tell the server to use form-based authentication. Both pages live
       under /admin/, outside the protected /investing/* pattern, so they
       remain reachable before the user has logged in. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/admin/login.jsp</form-login-page>
      <form-error-page>/admin/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the security roles referenced by the auth-constraint above. -->
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>registered-user</role-name>
  </security-role>

</web-app>
tomcat-users.xml
<tomcat-users>

  <!-- Tutorial-only credential store. Every password in this file is kept in
       clear text, and the four added accounts use the user name spelled
       backwards as the password. Keep the file readable only by the account
       that runs Tomcat and do not reuse these values outside a local
       exercise. -->

  <!-- Added by SDU on 2/4/2013: roles and users for this application. -->
  <role rolename="registered-user"/>
  <role rolename="administrator"/>
  <user name="john" password="nhoj" roles="registered-user"/>
  <user name="jane" password="enaj" roles="registered-user"/>
  <user name="juan" password="nauj" roles="administrator"/>
  <user name="juana" password="anauj" roles="administrator,registered-user"/>

  <!-- Original contents of tomcat-users.xml. These accounts all share the
       password "tomcat" and hold roles that the application's
       security-constraint does not reference; remove them on any server
       that other people can reach. -->
  <user name="tomcat" password="tomcat" roles="tomcat"/>
  <user name="role1" password="tomcat" roles="role1"/>
  <user name="both" password="tomcat" roles="tomcat,role1"/>

</tomcat-users>
The web application uses container-managed security with form-based authentication. The web.xml is below. I am running Tomcat 3.3.1 on my PC. When I click a protected URL I receive the login form just fine, but when I fill it out I am always sent to my login-error.jsp page. I have added four users to Tomcat’s <install_dir>/conf/tomcat-users.xml file (also below).
I receive the following statement in the Tomcat log:
2013-02-25 08:30:22 - Http10Interceptor: Starting on 8080
2013-02-25 08:30:22 - Ajp12Interceptor: Starting on 8007
2013-02-25 08:30:22 - Ajp13Interceptor: Starting on 8009
EmbededTomcat: Startup time 56
2013-02-25 08:31:46 - SessionIdGenerator: Created random class java.security.Sec
ureRandom
2013-02-25 08:31:59 - Ctx(/hotdotcom) : From login without a session
web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Disable the invoker servlet: /servlet/* is mapped to NoInvokerServlet.
       Requests under /servlet/ are not covered by the /investing/*
       security-constraint below, so this mapping keeps servlets from being
       reached through that unprotected path. -->
  <servlet>
    <servlet-name>NoInvoker</servlet-name>
    <servlet-class>coreservlets.NoInvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>NoInvoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>

  <!-- When the client's URL names a directory but no file, try index.jsp
       first and index.html second. If neither exists the result is server
       specific (e.g., a directory listing). -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <!-- Protect everything within the "investing" directory: only callers in
       the registered-user or administrator role are admitted. No http-method
       is listed, so the constraint applies to every HTTP method.
       NOTE(review): no user-data-constraint is declared, so nothing in this
       descriptor requires HTTPS; the login form's password travels over
       whatever transport the request used. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Investing</web-resource-name>
      <url-pattern>/investing/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>registered-user</role-name>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Tell the server to use form-based authentication. Both pages live
       under /admin/, outside the protected /investing/* pattern, so they
       remain reachable before the user has logged in. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/admin/login.jsp</form-login-page>
      <form-error-page>/admin/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the security roles referenced by the auth-constraint above. -->
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>registered-user</role-name>
  </security-role>

</web-app>
tomcat-users.xml
<tomcat-users>

  <!-- Tutorial-only credential store. Every password in this file is kept in
       clear text, and the four added accounts use the user name spelled
       backwards as the password. Keep the file readable only by the account
       that runs Tomcat and do not reuse these values outside a local
       exercise. -->

  <!-- Added by SDU on 2/4/2013: roles and users for this application. -->
  <role rolename="registered-user"/>
  <role rolename="administrator"/>
  <user name="john" password="nhoj" roles="registered-user"/>
  <user name="jane" password="enaj" roles="registered-user"/>
  <user name="juan" password="nauj" roles="administrator"/>
  <user name="juana" password="anauj" roles="administrator,registered-user"/>

  <!-- Original contents of tomcat-users.xml. These accounts all share the
       password "tomcat" and hold roles that the application's
       security-constraint does not reference; remove them on any server
       that other people can reach. -->
  <user name="tomcat" password="tomcat" roles="tomcat"/>
  <user name="role1" password="tomcat" roles="role1"/>
  <user name="both" password="tomcat" roles="tomcat,role1"/>

</tomcat-users>