Using forms-based security validation in Tomcat

Source: Internet
Author: User
Tags: http, authentication

1. Overview

(1) Form-based authentication

Form-based authentication in the Tomcat server verifies the credentials submitted through an HTML form, which lets the application developer customize the login page and the error page. The only difference between this method and HTTP basic authentication is that the login and error pages can be designed to the user's requirements.

By intercepting and inspecting the user's request, the container checks whether a login session has already been created in the application. If not, the user is redirected to the login page of the authentication service. Note, however, that form-based authentication credentials in Tomcat are not protected: they are sent in plain text.

(2) Implementation in Tomcat

In Tomcat, users, user groups and roles are specified in the XML configuration file (C:\jakarta-tomcat-5.0.19\conf\tomcat-users.xml). We only need to provide a login page containing a form whose action is j_security_check, with a text box named j_username and a password box named j_password, and then configure /WEB-INF/web.xml to use Tomcat's default JAAS authentication.

The benefit of using JAAS authentication is that the authentication logic is separated from the page, and access restrictions on pages are specified through the configuration in /WEB-INF/web.xml, without the need for custom filters.

(3) To secure the web application, the Tomcat web container performs the following steps:

• When a protected web resource is accessed, determine whether the user is authenticated.

• If the user is not authenticated, require the user to provide credentials by redirecting to the login page defined in the deployment descriptor.

• Verify that the user's credentials are valid against the security realm configured for the container.

• Determine whether the authenticated user is authorized to access the web resource as defined in the deployment descriptor (web.xml).

2. Design steps

(1) Write the login page and the error handling page: see the pages in the FormSafeWebApp program.

(2) The contents of the login page file are as follows.

Form-based user authentication requires that you return an HTML form containing a user name field and a password field; these elements must be named j_username and j_password, and the form's action must be j_security_check (actually a servlet). The form action and the names j_username and j_password are defined by the servlet specification. When the form arrives at the server, it is verified by Tomcat's internal security realm.

The resource that contains this form can be an HTML page, a JSP page, or a servlet. You define it in the <form-login-page> element. Form-based authentication lets developers customize the user interface for authentication. The login-config element in web.xml defines the type of authentication mechanism, the URI of the login page, and the error page.

The following is the contents of the page:

<%@ page contentType="text/html;charset=GBK" %>
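Only the page directive of the original login page survives above. The following is an added example of a complete login.jsp, not the FormSafeWebApp file itself; it uses UTF-8 rather than GBK and relies on nothing beyond the field and action names the servlet specification fixes for form authentication.

```jsp
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%-- Added example login page (not the original page's login.jsp). --%>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <%-- The action j_security_check and the field names j_username / j_password
       are fixed by the servlet specification; the container handles the POST,
       so no servlet of your own is needed. --%>
  <form method="POST" action="j_security_check" autocomplete="off">
    <p>
      <label for="j_username">User name</label>
      <input type="text" id="j_username" name="j_username" required>
    </p>
    <p>
      <label for="j_password">Password</label>
      <input type="password" id="j_password" name="j_password" required>
    </p>
    <p><input type="submit" value="Submit"></p>
  </form>
</body>
</html>
```

The relative action works because Tomcat forwards to the login page at the URL of the protected resource that triggered it; on a failed login the container serves the <form-error-page> instead, so the error page needs no form of its own.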

(3) Modify the web.xml file

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Security is active on entire directory -->
  <security-constraint>
    <display-name>Tomcat Server Form Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>ProtectedArea</web-resource-name>
      <description>A page of login success</description>
      <url-pattern>/ProtectedDirOne/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles could access this area -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Tomcat Server Configuration Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/Error.htm</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>The role is administration</description>
    <role-name>admin</role-name>
  </security-role>
</web-app>
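Two points a practitioner would check in that descriptor: the comment says the whole directory is protected, but the url-pattern only covers /ProtectedDirOne/index.jsp, so any other file in the directory is reachable without logging in; and, as the overview notes, the form posts the credentials in plain text. The following security-constraint is an added example, not part of the original web.xml, showing the usual fixes: a wildcard pattern and a CONFIDENTIAL transport guarantee. It assumes an HTTPS connector is configured in server.xml (the HTTP connector's redirectPort points to it), otherwise the container cannot honour the guarantee.

```xml
<!-- Added example: replacement for the <security-constraint> above. -->
<security-constraint>
  <display-name>Tomcat Server Form Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>ProtectedArea</web-resource-name>
    <!-- /* instead of /index.jsp: protect every resource under the directory -->
    <url-pattern>/ProtectedDirOne/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL makes Tomcat redirect plain HTTP requests for this area to
       the HTTPS connector, so the login form and its POST travel over TLS. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The login-config and security-role elements stay as they are; only the constraint changes.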


(4) Configure the admin role in C:\jakarta-tomcat-5.0.19\conf\tomcat-users.xml, together with a user name and password that map to the admin role
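As an added example of what step (4) means (not the page's own file), here is a minimal tomcat-users.xml that declares the role referenced by web.xml and one user holding it. The password is a constructed placeholder; the walkthrough below uses 12345678 in its place.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example conf/tomcat-users.xml for the admin role used in web.xml. -->
<tomcat-users>
  <!-- The role name must match <role-name>admin</role-name> in web.xml. -->
  <role rolename="admin"/>
  <!-- A user is granted roles through the comma-separated roles attribute.
       The password is a placeholder: this realm stores it as written, so the
       file must be readable only by the account Tomcat runs as. -->
  <user username="admin" password="CHANGE-ME-placeholder" roles="admin"/>
</tomcat-users>
```

Tomcat reads this file at startup, so a restart is needed after editing it.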

(5) Run the page

Enter the URL of the protected page directly in the browser:

http://127.0.0.1:8080/FormSafeWebApp/ProtectedDirOne/. A page asking you to log in will appear.

In the form, enter the user name admin (the user name set in tomcat-users.xml earlier) and the password 12345678. Then click "Submit" and the following page will appear.


If the user name or password is entered incorrectly, the following page will appear; this is the error page.


(6) Get the user name and principal after a successful login

Use the getRemoteUser() method of the request object to get the name of the currently logged-in user, and the getUserPrincipal() method to get the Principal object representing that user.
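The following JSP is an added example, not from the original page, of reading the identity the container attaches to the request after a successful form login; it also uses request.isUserInRole(), and escapes the user name before echoing it, since that value originates from user input. The esc() helper is mine, not a container API.

```jsp
<%@ page contentType="text/html;charset=UTF-8" import="java.security.Principal" %>
<%-- Added example: identity available on the request after j_security_check. --%>
<%!
    // Minimal HTML escaping (hypothetical helper, defined here) so a user name
    // echoed into the page cannot inject markup. replaceAll keeps this usable
    // on the JDK 1.4-era runtime Tomcat 5 targets.
    private static String esc(String s) {
        if (s == null) return "";
        return s.replaceAll("&", "&amp;").replaceAll("<", "&lt;")
                .replaceAll(">", "&gt;").replaceAll("\"", "&quot;");
    }
%>
<%
    // Both return null when the request is not authenticated, for example on a
    // page outside every <security-constraint>, so check before dereferencing.
    String user = request.getRemoteUser();
    Principal principal = request.getUserPrincipal();
    // Role names are the ones declared in web.xml and tomcat-users.xml.
    boolean isAdmin = request.isUserInRole("admin");
%>
<!DOCTYPE html>
<html>
<body>
<% if (principal == null) { %>
  <p>No authenticated user on this request.</p>
<% } else { %>
  <p>getRemoteUser(): <%= esc(user) %></p>
  <p>getUserPrincipal().getName(): <%= esc(principal.getName()) %></p>
  <p>isUserInRole("admin"): <%= isAdmin %></p>
<% } %>
</body>
</html>
```

Placed under /ProtectedDirOne/, the page always shows a principal; placed elsewhere in the application it shows one only if the user has already logged in during the session.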
