Scribd
Upload
75 views

Using Security Constraint in Web - XML File

The document discusses different approaches to adding security to a web application: 1. Using security constraints in the web.xml file to restrict access to pages based on roles defined in tomcat-users.xml. 2. Implementing SSL using the sslext plugin and jars to encrypt communication. 3. Controlling access from the front-end by checking for a session variable on page load and redirecting to the login if not present. The approaches were tested on a sample application with varying results, with security constraints providing the most robust access control and front-end checks working for most users but allowing some access without logging in. Implementing SSL is also discussed.

Uploaded by

satyanarayana
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC or read online on Scribd
75 views

Using Security Constraint in Web - XML File

The document discusses different approaches to adding security to a web application: 1. Using security constraints in the web.xml file to restrict access to pages based on roles defined in tomcat-users.xml. 2. Implementing SSL using the sslext plugin and jars to encrypt communication. 3. Controlling access from the front-end by checking for a session variable on page load and redirecting to the login if not present. The approaches were tested on a sample application with varying results, with security constraints providing the most robust access control and front-end checks working for most users but allowing some access without logging in. Implementing SSL is also discussed.

Uploaded by

satyanarayana
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC or read online on Scribd
You are on page 1/ 3

After R& D on Security Constraint, SSL, and Front End Control using Sessions

Using Security Constraint in Web.xml file

1. Edit tomcat-users.xml file in Tomcat \ confi director by adding the following


entries.

<tomcat-users>
----------------------
-------------------------
<role rolename = “fsl”/>
<role rolename = “sls”/>
<role rolename = “bck”/>

<user name = “fcms” password =”fcms” roles =”fls, sls, bck” />

2. Coming to the Deployment Descriptor (web.xml) file

1. In netbeans 5.5 of open web.mxl file of the web application

2. Select Security Tab in that


Expand Security Roles and Add Roles such as fls, sls, bck

3. Add then click the Add Security Constraint

a. Display Name : some name


b. Web Resources Collection – Resource Name : LoginRestrict
c. url pattern - /*.jsp
d. methods : GET / POST or Select all Methods

4. Enable Authnetication Constraint


a. Click the Button Edit , it will opens Edit Role Names
b. Now select each Role and Add ( Roles that we addes in Security Role)

5. Enable User Data Constraint


a. Select Transport Guarantee to : NONE or CONFIDENTIAL
Documentation for SSL ( in our perspective, our conclusion is , it is useful for Struts
based Web Application only )

Required : 1. sslext.jar, sslext.tld files

1. We have to place sslext.jar in our Libraries

2. We have to place sslext.tld in WEB-INF

3. Add the following Plug-in in Struts-Config.xml file

<!-- ========================= SSL plugin ==================== -->

<plug-in className="org.apache.struts.action.SecurePlugIn">
<set-property property="httpPort" value="8080"/>
<set-property property="httpsPort" value="8443"/>
<set-property property="enable" value="true"/>
<set-property property="addSession" value="true"/>
</plug-in>

4. Add the following taglib in web.xml file

<taglib>
<taglib-uri>/WEB-INF/struts-tiles.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-tiles.tld</taglib-location>
</taglib>

5. Add the following the < action-mappings ……….> </action-mappings> tag

<action-mappings type="org.apache.struts.config.SecureActionConfig">

6. Add the following entry in <action ………………> </action> tag , before


<forward>tag

<set-property property="secure" value="true"/>

Controlling From Front End: This model is useful only when we are using the sessions
through out the application.
By getting the session object the JSP page by writing a scriplet. If it is executing without
any URL copying it will continue. If we copy the URL in to another browser, then session
object become null, if session object is null then we are forwarding it to login page.

To work using above solution : add the following code in the JSP page

function validate()
{
if(document.getElementById(‘user’).value==”null”)
parent.location.href(‘index.html’);
}

<body onload=”validate();”>

<% String username=(String)session.getAttribute(“UserName”);%>


<input type=text value=”<%=username%> id=”user” style=”display:none”>

APPLIING FILTERS:
I think this is also another approach. Presently testing using filters sir

We Completely worked on Controlling From Frond End , it is almost successful for all
type users except for slssvr. For this user if we copy the url and pasting to another
browser it is displaying the page differently.

Using Security Constraint : it is always ask for user name and password that we gave in
tomcat-users.xml . if we copy url and pasted in another page.

And we are trying to implement SSL for Servlets/JSP based web application also.

You might also like