1/02/2011

Simple webapp with FORM authentication and SSL

This post is similar to Simple webapp with BASIC authentication, except that this one uses form-based authentication and SSL. The required steps are as follows:

(1) configure roles and other security aspects (the protected URL, the transport guarantee, the login method) in web.xml;

(2) administratively create the users in the application server;

(3) map the roles declared in step 1 to the users created in step 2 with the appserver-specific descriptor (sun-web.xml);

(4) create the login form for entering the username and password, and the error page displayed after a failed login.

This test webapp contains the servlet class, web.xml, sun-web.xml, login.html, and error.html:

TestServlet.java:
--------------------

package test;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// The protected resource. It contains no authentication code of its own:
// the container enforces the <security-constraint> from web.xml before a
// request ever reaches doGet/doPost.
public class TestServlet extends HttpServlet {
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println("Hello from " + getServletName());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}

web.xml:
-----------
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/TestServlet</url-pattern>
    </servlet-mapping>

    <!-- Only callers in role "tester" may reach /TestServlet, and only over SSL.
         No <http-method> is listed, so the constraint covers every HTTP method. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/TestServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tester</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL makes the container redirect plain-HTTP requests to the SSL port -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Form-based login; the page paths are relative to the context root -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>tester</role-name>
    </security-role>
</web-app>

sun-web.xml:
----------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app>
    <!-- Maps the application role "tester" to the user "joe" and to the group "user" created in GlassFish -->
    <security-role-mapping>
        <role-name>tester</role-name>
        <principal-name>joe</principal-name>
        <group-name>user</group-name>
    </security-role-mapping>
</sun-web-app>

login.html:
-------------
<html>
<head>
    <title>Login Form</title>
</head>
<body>
    <!-- j_security_check, j_username and j_password are the names the servlet
         specification requires; the container handles this POST itself -->
    <form method="POST" action="j_security_check">
        <p>username: <input type="text" name="j_username"></p>
        <p>password: <input type="password" name="j_password"></p>

        <p>
            <input type="submit" value="Submit">
            <input type="reset" value="Reset">
        </p>
    </form>
</body>
</html>

error.html:
-------------
<html>
<head>
    <title>Invalid user name or password</title>
</head>
<body>
    <a href="login.html">Login again</a>
</body>
</html>

To create the user in GlassFish (this is the user name and password that will be entered when running it; asadmin prompts for the password):

$ $GLASSFISH_HOME/bin/asadmin create-file-user --group user joe

Compile the TestServlet class and jar up *.class, *.html and *.xml into test.war with this layout:

WEB-INF/classes/test/TestServlet.class
WEB-INF/sun-web.xml
WEB-INF/web.xml
error.html
login.html

Copy it to the $GLASSFISH_HOME/domains/domain1/autodeploy directory to deploy it. To run it, go to the URL https://localhost:8181/test/TestServlet. After entering the username and password, the following response is displayed:

Hello from TestServlet

If the wrong user name / password is entered, error.html is displayed with a link to login.html for retry. 8181 is the default SSL port in GlassFish. If you use the non-secure port number 8080 in the test URL, GlassFish automatically redirects to 8181 because of the CONFIDENTIAL transport guarantee. The browser may display a warning since a self-signed certificate (as opposed to one issued by a certificate authority) is used to identify the GlassFish server.
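As an added example (not code from the original post), here is a defensive variant of the servlet that re-checks at runtime what web.xml is supposed to guarantee, so that a later loosened constraint shows up as a 403 instead of silent exposure, and that adds a Servlet 3.0 logout. The role name tester comes from the web.xml above; the class name and the logout parameter are assumptions made for this example.

```java
package test;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the original post. Role "tester" is declared in web.xml;
// the class name and the "logout" parameter are assumptions for this example.
public class CheckedServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // <transport-guarantee>CONFIDENTIAL</transport-guarantee> should make a
        // plain-HTTP request impossible; re-check so that a loosened web.xml
        // is caught here rather than silently serving the page in clear text.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        // After a successful j_security_check the container has set the caller
        // identity: getRemoteUser() is non-null and getAuthType() is "FORM".
        String user = request.getRemoteUser();
        if (user == null || !request.isUserInRole("tester")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Servlet 3.0 logout: drop the caller identity and the session that
        // carries it, then send the browser back to the login page.
        if ("1".equals(request.getParameter("logout"))) {
            request.logout();
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(request.getContextPath() + "/login.html");
            return;
        }
        // Responses to an authenticated request must not land in shared caches.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Hello from " + getServletName());
        out.println("user=" + user + " authType=" + request.getAuthType());
    }
}
```

Behind a TLS-terminating proxy, isSecure() describes the hop into GlassFish rather than the client's connection, so the first check has to match how the server is actually deployed.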