Last editor: Dave Cherry, last modified: Aug 18, 2008
Tomcat and most other Java EE servers support role-based security, form-based authentication and SSL. These technologies are integrated into your web application declaratively, that is, through configuration rather than code. At first the configuration for this security can look a little daunting, but once understood it is actually not difficult to configure.
This article requires an understanding of Tomcat and how a JEE webapp is structured. Most of the article is written around Tomcat, but if you use another application server, many of the concepts are the same.
For the rest of this article we will assume we have a web application set up with the following layout, and that every page whose name starts with "secure" may only be accessed by authenticated users. index.jsp and pages whose names start with "notsecure" do not need authentication. userProfile.jsp is a special case: it is available to everyone, but shows additional content to authenticated users.
+ index.jsp
+ secure
| + secure1.jsp
| + secure2.jsp
+ mixed
| + notsecure1.jsp
| + secure3.jsp
| + userProfile.jsp
+ WEB-INF
| + web.xml
We will build up the security model slowly. In the end we will have role-based security with form-based authentication, backed by a database security realm. Setting up SSL is covered by another article [coming soon].
One thing to understand about role-based security is that you cannot directly make a user log in. Instead you simply direct the user at a "secured" page, and the container prompts them to log in automatically before the content is displayed.
Although not technically required for understanding the article, it may be useful to download the example application: uploaded/File/article9/tomcatRolebased.zip
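Applied to the layout above, the following web.xml shows what the declarative model looks like for this application. It is an added example, not the web.xml from the downloadable application, and it assumes a role named "user" and login pages /login.jsp and /loginError.jsp that the article has not yet introduced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for the layout described above (not the article's own web.xml).
     Assumed names: role "user", login pages /login.jsp and /loginError.jsp. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Everything under /secure/ and the one secure page in /mixed/ require an
       authenticated user in role "user". A url-pattern is an exact path, a
       "/prefix/*" path prefix or a "*.ext" suffix; "/mixed/secure*" is NOT a valid
       pattern, so secure3.jsp must be listed explicitly. notsecure1.jsp and
       userProfile.jsp are deliberately left out: userProfile.jsp stays public and
       decides what to show by checking request.getRemoteUser() itself. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/mixed/secure3.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login: when an unauthenticated request hits a constrained URL,
       Tomcat serves /login.jsp and, after a successful login, redirects back to the
       page originally requested. The login form must POST to j_security_check
       with fields named j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must also be declared here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Because no <http-method> element is listed, the constraint covers every HTTP method; restricting it to GET alone would leave POST and the other methods unprotected.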