1/02/2011

Simple webapp with FORM authentication and SSL

This post is similar to Simple webapp with BASIC authentication, except that this one uses form-based authentication and SSL. The required steps are as follows:

(1) configure roles and other security aspects in web.xml;

(2) administratively create the users in application server;

(3) map the roles declared in step 1 to the users created in step 2, using the appserver-specific descriptor;

(4) create a login form for entering the username and password, and an error page to display after a failed login.

This test webapp contains the servlet class, web.xml, sun-web.xml, login.html, and error.html:

TestServlet.java:
--------------------

package test;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// The servlet itself contains no authentication code: the container enforces
// the security-constraint from web.xml before any request reaches it.
public class TestServlet extends HttpServlet {
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println("Hello from " + getServletName());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}

web.xml:
-----------
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/TestServlet</url-pattern>
    </servlet-mapping>

    <!-- Only users in the tester role may reach /TestServlet, and only over SSL -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/TestServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tester</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Form-based login against the GlassFish file realm -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>tester</role-name>
    </security-role>
</web-app>

sun-web.xml:
----------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app>
    <security-role-mapping>
        <role-name>tester</role-name>
        <principal-name>joe</principal-name>
        <group-name>user</group-name>
    </security-role-mapping>
</sun-web-app>

login.html:
-------------
<html>
<head>
    <title>Login Form</title>
</head>
<body>
    <form method="POST" action="j_security_check">
        <p>username: <input type="text" name="j_username"></p>
        <p>password: <input type="password" name="j_password"></p>

        <p>
            <input type="submit" value="Submit">
            <input type="reset" value="Reset">
        </p>
    </form>
</body>
</html>

error.html:
-------------
<html>
<head>
    <title>Invalid user name or password</title>
</head>
<body>
    <a href="login.html">Login again</a>
</body>
</html>

To create the user in GlassFish (this is the user name and password that will be entered when running it):

$ $GLASSFISH_HOME/bin/asadmin create-file-user --group user joe

Compile the TestServlet class and jar up *.class, *.html and *.xml into a test.war with this layout:

WEB-INF/classes/test/TestServlet.class
WEB-INF/sun-web.xml
WEB-INF/web.xml
error.html
login.html

Copy it to the $GLASSFISH_HOME/domains/domain1/autodeploy directory to deploy it. To run it, go to the URL https://localhost:8181/test/TestServlet. After entering the username and password, the following response is displayed:

Hello from TestServlet

If the wrong user name / password is entered, error.html will be displayed with a link to login.html for retry. 8181 is the default SSL port in GlassFish. If you use the non-secure port number 8080 in the test URL, GlassFish will automatically redirect to 8181 because of the CONFIDENTIAL transport guarantee. The browser may display a warning since a self-signed cert (as opposed to one issued by a certificate authority) is used to identify the GlassFish server.
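The four steps above all hinge on web.xml being right: a security-constraint that names a role but omits the CONFIDENTIAL transport guarantee sends the form credentials in clear text, and a role or login page that is referenced but never declared fails only at deployment or first login. The following audit script is an added example, not code from the original post; it parses a constructed web.xml (the post's "secure" constraint plus a deliberately weak "admin" one) with the standard library and reports such gaps.

```python
"""Audit a web.xml: flag protected resources without CONFIDENTIAL transport,
undeclared roles, and FORM auth without login/error pages (added example)."""
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # namespace of web-app 3.0

# Constructed sample: the post's "secure" constraint plus a weak second one.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>secure</web-resource-name>
      <url-pattern>/TestServlet</url-pattern></web-resource-collection>
    <auth-constraint><role-name>tester</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.html</form-login-page></form-login-config>
  </login-config>
  <security-role><role-name>tester</role-name></security-role>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r.text for r in root.findall("j:security-role/j:role-name", NS)}
    for sc in root.findall("j:security-constraint", NS):
        name = sc.findtext("j:web-resource-collection/j:web-resource-name", "?", NS)
        roles = [r.text for r in sc.findall("j:auth-constraint/j:role-name", NS)]
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee", "NONE", NS)
        if roles and guarantee != "CONFIDENTIAL":
            # Login credentials and the session cookie would travel in clear text.
            findings.append(f"{name}: roles {roles} but transport-guarantee is {guarantee}")
        for role in roles:
            if role not in declared:
                findings.append(f"{name}: role '{role}' is not declared in a security-role")
    login = root.find("j:login-config", NS)
    if login is not None and login.findtext("j:auth-method", None, NS) == "FORM":
        for page in ("form-login-page", "form-error-page"):
            if not login.findtext(f"j:form-login-config/j:{page}", None, NS):
                findings.append(f"login-config: FORM auth without {page}")
    return findings
```

Running audit_web_xml(SAMPLE_WEB_XML) reports three findings for the weak constraint and the missing error page; the post's own web.xml produces none.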

4 comments:

Tony said...

Can you explain how to do point (2), please?
Thank you very much

javahowto said...

$GLASSFISH_HOME/bin/asadmin create-file-user

In Tomcat, a bunch of users are already created, see conf/tomcat-users.xml
