Rijkswatch: JSP/servlet authentication

25 May 2009

JSP/servlet authentication

You can define authentication in the web.xml deployment descriptor of a web application.

Define roles

<security-role>   
  <role-name>admin</role-name>    
</security-role>    
<security-role>    
  <role-name>boss</role-name>    
</security-role>
User definition is web container dependent.

Define protected resources

<security-constraint>   
  <display-name>Goodies</display-name>    
  <web-resource-collection>    
    <web-resource-name>Goodies</web-resource-name>    
    <description/>    
    <url-pattern>/Cookies</url-pattern>    
    <url-pattern>/Smarties/*</url-pattern>    
  </web-resource-collection>    
  <auth-constraint>    
    <description/>    
    <role-name>admin</role-name>    
    <role-name>boss</role-name>    
  </auth-constraint>    
</security-constraint>

Take care:

Is only guaranteed for cookie based sessions
Does not apply to forward and include

Define authentication method
```
<login-config>   
  <auth-method>FORM</auth-method>    
  <realm-name/>    
  <form-login-config>    
    <form-login-page>/login.jsp</form-login-page>    
    <form-error-page>/login-error.jsp</form-error-page>    
  </form-login-config>    
</login-config>
```
The authentication form is supposed to have a POST action called j_security_check and j_username and j_password input fields.
Other HTTP authentication methods are
- BASIC: clear text password (base64 encoded)
- DIGEST: hashed password (works in Firefox and IE 7+)
- CLIENT-CERT: mutual certified SSL

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

tags

java (96)

security (40)

Microsoft (33)

google (33)

Oracle (31)

DWS-4050-EE6 (23)

FJ-310 (23)

solaris (23)

Java EE (19)

SL-314-EE6 (17)

SL-351-EE5 (16)

STS-276-S10 (16)

JPA (14)

SL-370-EE6 (14)

e-commerce (14)

IntelliJ (13)

SA-300-S10 (13)

Windows (13)

OO-226 (12)

firefox (12)

legal (12)

patternsEE6 (12)

privacy (12)

sun (12)

web (12)

SL-314-EE5 (11)

UML (11)

hybris (11)

software engineering (11)

jhtp (10)

JSP (9)

netbeans (9)

network (9)

Android (8)

SL-340-EE6 (8)

SL-385 (8)

XML (8)

AI (7)

EJB (7)

cloud (7)

doodle (7)

git (7)

spring (7)

china (6)

patch (6)

patterns (6)

servlet (6)

spr420 (6)

uniway (6)

DOM (5)

JSTL (5)

MS Office (5)

SPR410 (5)

amazon (5)

belgium (5)

database (5)

glassfish (5)

google drive (5)

javascript (5)

plugins (5)

solaris 10 (5)

weblogic (5)

windows 10 (5)

GDPR (4)

Identity and Access Management (4)

JAXB (4)

JAXP (4)

Java EE 7 (4)

SL-500 (4)

adobe (4)

browser (4)

censorship (4)

chrome (4)

encryption (4)

excel (4)

facebook (4)

ide (4)

java 7 (4)

jax-rs (4)

jetbrains (4)

maven (4)

powerpoint (4)

quote (4)

search (4)

tomcat (4)

Bill Gates (3)

DB1 (3)

JUnit (3)

Java 8 (3)

MS teams (3)

MVC (3)

SAP (3)

SAX (3)

Vista (3)

Word (3)

corona (3)

design (3)

eclipse (3)

education (3)

filter (3)

fowler (3)

hacking (3)

hibernate (3)

install (3)

java 9 (3)

node.js (3)

office (3)

onenote (3)

openoffice (3)

pdf (3)

schema (3)

servlet 3 (3)

sql (3)

struts (3)

umlet (3)

unix (3)

virus (3)

Applying UML and patterns (2)

Belgacom (2)

EL (2)

Google App Engine (2)

Google drive file stream (2)

IPv4 (2)

JAX-WS (2)

JEE5 (2)

JSF (2)

JSON (2)

Jakarta EE (2)

Java EE5 (2)

Java EE6 (2)

PATH (2)

RAID (2)

REST (2)

SMF (2)

SOAPUI (2)

agile (2)

anti-virus (2)

apache (2)

apple (2)

architecture (2)

canon pixma (2)

certification (2)

cookies (2)

credential manager (2)

cygwin (2)

derby (2)

devoxx (2)

disk (2)

dns (2)

drupal (2)

e-gov (2)

ecology (2)

eid (2)

electronic identity card (2)

enum (2)

europe (2)

free speech (2)

google maps (2)

gwt (2)

icann (2)

iphone (2)

itunes (2)

light field camera (2)

linkedIn (2)

linux (2)

logging (2)

lucene (2)

lytro (2)

microservices (2)

mobile (2)

newspapers (2)

olympics (2)

open software (2)

photo (2)

porn (2)

printer (2)

routing (2)

russia (2)

searchblox (2)

site (2)

solaris 11 (2)

spam (2)

spring boot (2)

springsource (2)

unified process (2)

us (2)

webservices (2)

wikileaks (2)

xpath (2)

yahoo (2)

.Net (1)

12.1.2 (1)

5.1 (1)

64bit (1)

7.4 (1)

7u51 (1)

9/11 (1)

ANSI SQL (1)

BDD (1)

BEA (1)

Babbage (1)

CERN (1)

CMS (1)

Calendra (1)

ClearApp (1)

ConnectionPool (1)

Covalent (1)

Craig Larman (1)

DAO (1)

DRM (1)

DSL (1)

DTD (1)

DataSource (1)

Defect Driven Design (1)

EDAM (1)

EDF (1)

EDPS (1)

EE4J (1)

EJB client (1)

EJB2 (1)

EJB3 (1)

ESB (1)

ESM (1)

Flex (1)

Floyd Landis (1)

GCHQ (1)

GPL (1)

GUI (1)

Gears (1)

GlobalCollect (1)

Google Apps (1)

Google docs (1)

Greenpeace (1)

HP (1)

HTML (1)

HTML 5 (1)

IPMP (1)

ISOC (1)

Igenico (1)

JAVA_HOME (1)

JDBC (1)

JSR (1)

JavaFX (1)

Jshell (1)

Keccak (1)

LexicalHandler (1)

Luminus (1)

MDA (1)

MDB (1)

MySQL (1)

NFC (1)

NSA (1)

OAuth (1)

OMG (1)

OO (1)

ORM (1)

OSI (1)

Ogone (1)

OpenIndiana (1)

OpenSolaris (1)

PAC (1)

POSIX (1)

PPID (1)

Passlogix (1)

QR code (1)

RDISC (1)

RIP (1)

RSA (1)

RTBF (1)

Rosario (1)

SABAM (1)

SCBCD (1)

SDL (1)

SHA-3 (1)

SII (1)

SL-275 (1)

SL-285 (1)

SOA (1)

SOAP UI (1)

SUA (1)

ServletContextListener (1)

Sybase (1)

TCPIP (1)

TV (1)

Tour de France (1)

TypeScript (1)

Virtual Clone Drive (1)

Visual Studio (1)

Vue.js (1)

WSDL (1)

WebGL (1)

Word 2007 (1)

absorbtiekussen (1)

acquia (1)

acquisition (1)

acrobat (1)

action (1)

adblock (1)

adidas (1)

adobe marketing cloud (1)

adoptopenjdk (1)

advertising (1)

android studio (1)

annotations (1)

ant (1)

antikera (1)

april fools day (1)

aqua (1)

archeology (1)

arthur weasley (1)

assessment (1)

assistive technology (1)

astah (1)

astronomy (1)

asynchronous (1)

automation (1)

awt (1)

bash (1)

beer (1)

big data (1)

blended learning (1)

blogger (1)

brain (1)

builder (1)

canvas (1)

canvas LMS (1)

captcha (1)

caroussel (1)

cartoon (1)

chat (1)

chip (1)

civilization (1)

civworld (1)

classloader (1)

classpath (1)

cmd (1)

cmmi (1)

cognitum (1)

coica (1)

coin (1)

commercial (1)

commission (1)

contact tracing (1)

content filter (1)

copyleft (1)

copyright (1)

corrupted (1)

course (1)

cream (1)

criteria (1)

css (1)

customer experience (1)

customer journey (1)

dabbleboard (1)

daemen (1)

dagvers (1)

date (1)

defender (1)

deprecated (1)

digsby (1)

disconnect (1)

docx (1)

dos (1)

dozer (1)

drive letter (1)

dzone (1)

e-book (1)

earth day (1)

eclipse4sl (1)

epf (1)

epic (1)

erd (1)

ethernet (1)

etl (1)

eventviewer (1)

exams (1)

extensions (1)

figma (1)

find (1)

fingerprinting (1)

fleet (1)

font awesome (1)

forefront (1)

forrester (1)

geocache (1)

gherkin (1)

github (1)

gitlab (1)

gmail (1)

google photos (1)

google presentations (1)

google scribe (1)

google slides (1)

google talk (1)

gosling (1)

gradle (1)

grails (1)

groovy (1)

harry potter (1)

hiking (1)

hosting (1)

hostname (1)

hotmail (1)

html editor (1)

ian dury (1)

ie (1)

ifconfig (1)

ighome (1)

igoogle (1)

implants (1)

indigov (1)

inetd (1)

ink absorber (1)

intel (1)

interceptors (1)

internet (1)

ipv6 (1)

iso (1)

itsme (1)

java 10 (1)

java 12 (1)

java 14 (1)

java 15 (1)

java 16 (1)

java db (1)

java webstart (1)

java.nio.file (1)

java.policy (1)

javapath (1)

javaranch (1)

jdk (1)

jersey (1)

jest (1)

jetpack compose (1)

jms (1)

jobat (1)

joda time (1)

joke (1)

jpeg (1)

jpg (1)

jsr315 (1)

jsr339 (1)

keyboard (1)

kotlin (1)

la plagne (1)

larry ellison (1)

ldap (1)

lego (1)

library (1)

libreoffice (1)

life cycle callback (1)

lists (1)

live upgrade (1)

localdatetime (1)

log4j (1)

login (1)

logon (1)

london (1)

magnolia (1)

mail (1)

man (1)

markdown (1)

markdown enhanced plugin (1)

marvin attack (1)

mcafee (1)

mdm (1)

medicine (1)

mercurial (1)

model 2 (1)

mono (1)

mono sans symbols (1)

moonlight (1)

morro (1)

moshi (1)

mousegestures (1)

msn (1)

musk (1)

myriam makeba (1)

namespace (1)

neo (1)

netflix (1)

nethack (1)

neuralink (1)

newspass (1)

node.js v10 (1)

noopener (1)

nosql (1)

notes font (1)

npm (1)

ntp (1)

nuclear energy (1)

object relational mapping (1)

objectify (1)

online payment (1)

open grid scheduler (1)

openjdk (1)

openup (1)

oracle express (1)

oracle grid engine (1)

outlook (1)

page breaks (1)

password (1)

patents (1)

pca (1)

pedophilia (1)

performance (1)

phone (1)

pidgin (1)

pin to start (1)

power button (1)

powershell (1)

prince2 (1)

print (1)

protect IP (1)

proxy (1)

public domain software (1)

public transport (1)

pulse (1)

push (1)

quantum holographic encoding (1)

quantum physics (1)

real-time presence (1)

reasons to be (1)

record (1)

retail (1)

rider (1)

routeyou (1)

salesforce (1)

scam (1)

screen reader (1)

scrum (1)

self driving cars (1)

seo (1)

sequencediagram (1)

serge vleugels (1)

servlets (1)

session bean (1)

sha-1 (1)

sha-2 (1)

silverlight (1)

sint-niklaas (1)

ski (1)

slack (1)

slf4j (1)

smpatch (1)

sms (1)

sniff (1)

solr (1)

sports (1)

spring boot devtools (1)

spring data (1)

spring web flow (1)

sql developer (1)

ssh (1)

stack overflow (1)

staroffice (1)

start menu (1)

stijn de paepe (1)

storage (1)

strata (1)

streetview (1)

stub (1)

subversion (1)

sudan (1)

sun grid engine (1)

sunos (1)

surface (1)

swing (1)

syria (1)

tabniine (1)

tax on web (1)

teaching (1)

telesys (1)

terminalio (1)

tiktok (1)

tiles (1)

time (1)

tns (1)

tommee (1)

toots thielemans (1)

toughtworks (1)

trump (1)

ts-node (1)

tsx (1)

turkey (1)

tutoraat (1)

twitter (1)

uac (1)

uk (1)

univa (1)

unnethack (1)

upgrade (1)

usb (1)

user experience (1)

versioning (1)

vietnam (1)

vim (1)

virtual box (1)

vitest (1)

vox teneo (1)

vrt.nu (1)

vtoc (1)

web flow (1)

web server (1)

web-types (1)

websites (1)

websockets (1)

webstorm (1)

whiteboard (1)

wifi (1)

windows 11 (1)

wlntio.dll (1)

xp (1)

xpg4 (1)

youtube (1)

zap mama (1)

zfs (1)

zones (1)

zuckerberg (1)