We Keep Coding

Tomcat 7 - JDBCRealm login

I'm using the JDBCRealm with tomcat 7. I want to build a simple login page.
This is my login form:
Login Form
and my web.xml content is:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/user/login.jsp</form-login-page>
<form-error-page>/user/login-failed.html</form-error-page>
</form-login-config>
</login-config>
I want to redirect the user to some a.jsp page once he was authenticated.
How can I do that?

Thing I understood that you want to redirect your user depends upon the role.Suppose if user is admin then he/she should be redirected to admin.jsp (for example) and if user is on manger role and he/she should be redirected to manager.jsp.
Let us suppose you have two roles admin and manager defined in your JDBCRealm
You can do this by Creating a servlet in project for example LoginServlet.java
So things you have to set are:
Create your login.jsp and login-failed.html as you mentioned.
Create to two jsp pages admin.jsp and manager.jsp under any folder in WebContent of dynamic web project
say :
WebContent/htmlPages/admin.jsp put
<h4>Welcome Admin</h4>text in body tag.
WebContent/htmlPages/manager.jsp put
<h4>Welcome Admin</h4>text in body tag.
In LoginServlet.jsp in doGet MEthod
put this simple code:
if(request.isUserInRole("admin"))
{
response.sendRedirect("htmlPages/admin.jsp");
}
if(request.isUserInRole("manager")){
response.sendRedirect("htmlPages/manager.jsp");
}
After that you have to set welcome-files as the login servletin web.xml
e.g.
Suppose IN web.xml your servlet entry is
<servlet>
<description></description>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>Fully classified name of LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/loginServlet</url-pattern>
</servlet-mapping>
Then get url pattern from Servlet Mapping and put it in welcome file list without any slash:
like
<welcome-file-list>
<welcome-file>loginServlet</welcome-file>
</welcome-file-list>
Be sure that no slash has been included. Welcome file attribute should be without slash as i put in code loginServlet.
Run this code.:-) You would get redirected to appropriate jsp page.

You don't. That isn't how FORM authentication works. The user requests a page. If it requires authentication then they receive the login page rather than the page they requested. They then enter their credentials and if valid get presented with the page they originally requests.
If you insist on misusing the FORM authentication process you can set the landingPage attribute of the org.apache.catalina.authenticator.FormAuthenticator. See the docs (http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve) for full details.

Security-constraint web.xml url-pattern safety

I was wondering if the following configuration would be safe:
Webpages accessible at locations /ManageXXXX.do, /ManageYYYY.do, ... should only be able to be accessed by admin role, every other page is available to anyone.
I have configured the web.xml file as such:
<security-constraint>
<web-resource-collection>
<url-pattern>/Manage*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
Now I was wondering how reliable this was to people trying to get past the security. Is this guaranteed to block my Manage* pages from unauthorized users? I'd just like to know how safe this kind of pattern matching is.

From Servlet API Specification:
http://www.jcp.org/aboutJava/communityprocess/mrel/jsr154/
SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define
mappings:
• A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
• A string beginning with a ‘*.’ prefix is used as an extension mapping.
• A string containing only the ’/’ character indicates the "default" servlet of
the application. In this case the servlet path is the request URI minus the con-
text path and the path info is null.
• All other strings are used for exact matches only.
According to Servlet API Specification the pattern /Manage* is “exact matches only” and it is not what you want.
Please move all resources for role admin to /Manage/ and configure pattern <url-pattern>/Manage/*</url-pattern>

Create Registration form in Mule

I am a newbie to MuleESB. I want to create a registration form using Mule but I am stuck.
I don't know how to display index.jsp on start-up of your application. I already gone through BookStore example but couldn't get efficient information.
I created a web.xml under src->main->app->webapps->WEB-INF->web.xml
*<web-app....>
<listener>
<listener-class>org.mule.config.builders.MuleXmlBuilderContextListener</listener-class>
</listener>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>*
Any Help or suggestions.

You're missing a web application context directory under: src->main->app->webapps->WEB-INF->web.xml, ie you should have something like: src->main->app->webapps->my-context->WEB-INF->web.xml.
Follow the BookStore example carefully and you should have no difficulty reaching your goal.

GWT Fileupload Using Servlet with GUICE

We are using GWTP with Guice. I want to upload a file. For that I have written a Servlet.
I am using this GWT File UPload Example. But Servlet is not getting called. I think its the problem with GuiceFilter.
Below is my web.xml entry.
Web.xml
<listener>
<listener-class>com.nextenders.server.guice.GuiceServletConfig</listener-class>
</listener>
<filter>
<filter-name>guiceFilter</filter-name>
<filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>guiceFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>FileUploadServlet</servlet-name>
<servlet-class>com.nextenders.server.guice.actions.FileUploadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>FileUploadServlet</servlet-name>
<url-pattern>/upload/fileUpload</url-pattern>
</servlet-mapping>
Any pointers would be great help.

If you're using Guice, you mush use Guice ServletModule class to set up your servlets.
Ex:
serve("/upload/pictures").with(PictureUploader.class);
Documentation:
http://code.google.com/p/google-guice/wiki/ServletModule
Cheers,

I found out the problem and solved on my own.
Here is the answer:
It was not the problem with the GUICE Servlet Filter.
The problem was with Coade statements placing. FileUpload com.google.gwt.user.client.ui.FileUpload should be used with FormPanel.
FileUpload must be used with FormPanel if it is to be submitted to a server.
I had used GWT file upload earlier but skipped thorough my mind.

Tomcat FORM authentication - login form not coming up as https

This is driving me nuts.
I'm using Tomcat 6, declaritive authentication, form based. No framework involved.
Everything works ok - some pages authenticated, some not, some use https, some http. Everything as I want it. EXCEPT...
I want the login page to always use https.
The login page comes up nicely as https if:
a) I go to it directly in the browser.
b) I click on a page in the application that is configured for https (and requires authentication).
BUT the login page comes up as http if:
a) I click on a page in the application that is configured for http (and requires authentication).
I've a feeling I'm up against some sort of accepted default here and that an answer might be "why would you want an https login to get to a non-https page?".
Its like this:
a) I want passwords to be encrypted.
b) I want users to login to show which role (group) they belong to in order to enable/disable parts of the web site.
c) I dont want a drop in performance due to https except where absolutely necessary.
I guess if the login page is forced to be https (like I want it to be) then there has to be a mechanism to put it back to http.
If anyone has some pointers/ideas around this whole area I'd be very very greatful.
web.xml fragments:
<security-constraint>
<display-name>Security Constraint A0S1</display-name>
<web-resource-collection>
<web-resource-name>A0S1</web-resource-name>
<url-pattern>/login/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login/form_login.jsp</form-login-page>
<form-error-page>/login/error.jsp</form-error-page>
</form-login-config>
</login-config>

This was about ensuring login page is https even when the page requiring authentication is not set as CONFIDENTIAL in web.xml.
I've ended up writing a little servlet that allows me to switch to https (or http) rather than rely on web.xml CONFIDENTIAL config settings. The CONFIDENTIAL settings dont seem to work when you arrive at a jsp page through the login or through another servlet.
So now the config for the FORM authentication in web.xml points to a servlet (SSLSwitch) which takes a couple of arguments (url + desired protocol http/https) and redirects to the actual login page with https:
/SSLSwitch?the_url=/login/form_login.jsp&the_target=https;
/login/error.jsp
SSLSwitch Servlet active code fragment:
String contextPath = request.getContextPath();
String encodedUrl = response.encodeURL(contextPath + url);
String fullUrl = target_domain + encodedUrl;
response.sendRedirect(fullUrl);
The jsp login page itself follows the usual FORM login rules (action="j_security_check") and you end up on the requested page after login ok.
I now need to look at what I can do to improve session security after switching from https to http. Maybe a filter to check user's IP doesnt change during a session.
Steven.