Form authentication with Tomcat
I am trying to implement form based authentication with Tomcat. All my secured servlets are mapped under mydomain/myapp. I am able to secure this directory by following the basic tutorials and specifying the login and login_failed pages.
My problem is that I want an unsecured mydomain/index.html that contains the username/password forms 开发者_如何学JAVAso that a visitor can login from there. My best attempt so far doesn't work:
<form method="POST" action="myapp/">
Username: <input type="text" name="j_username"> <br/>
Password: <input type="password" name="j_password">
<input type="submit" value="Login">
</form>
Any suggestions?
Edit: Authentication works in the sense that if you try to access mydomain/myapp you get redirected to a login page. What I don't understand is how to allow the user to login without first attempting to access the protected pages.
Read paragraph 13.5.3.1 of the servlet specicification. It says : "In order for the authentication to proceed appropriately, the action of the login form must always be j_security_check".
So you have to change the action of your login form. It has to be j_security_check.
When user tries to access your secured resource (securedPage.jsp), they will be taken to your login page (login.jsp, for example). They will enter user name and password, then click 'Submit'. The form will be submitted using action j_security_check. This is what Container provides. So if the login is successfull, the user will be redirected to securedPage.jsp, otherwise he will be redirected to the error page, that you also have
in the web.xml
where you declare the security, you should declare it for both,
secured resource and open resource.
just when declaring the open resource you don't write the 'aut-constaint' tags
for example the secured resource:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
and for the open resource:
<security-constraint>
<web-resource-collection>
<web-resource-name>open</web-resource-name>
<url-pattern>/path/to/open/resource</url-pattern>
</web-resource-collection>
</security-constraint>
精彩评论