WebLogic Server 6.0.0 Code Examples, BEA Systems, Inc.

Package examples.webapp.security

This example demonstrates a simple Web Application that uses authentication to restrict access to a specific directory.


Web Application Security Example File Summary

welcome.jsp
    Configured as the welcome file for the security Web Application.
admin/edit.jsp
    This page is configured in web.xml with a security constraint. Only users with the appropriate role can access the admin directory of the Security Web Application.
login.jsp
    Presents the form used to authenticate the user. This page is configured in web.xml to be presented whenever an unauthenticated user attempts to access admin/edit.jsp, which is protected by a security constraint.
logout.jsp
    Presented when the user logs out.
fail_login.html
    Error page configured in web.xml to be presented on a failed login attempt.
WEB-INF/web.xml
    Web Application deployment descriptor. The descriptor configures access to the admin directory of the Security Web Application.

Package examples.webapp.security Description

This example demonstrates a simple Web Application that uses authentication to restrict access to a specific directory. The example also demonstrates how to deploy a Web Application in an expanded directory structure.

Perform the following steps in order to build and run the example:

  1. Configure the server
  2. Run the example

Configure the Server

This example is shipped in expanded Web Application directory format at samples/examples/webapp/security. The following steps configure this directory as a Web Application and set up the Users and Groups in the WebLogic Realm.
  1. Start the server with the examples configuration in a new command shell.
  2. Bring up the Administration Console in your browser.
  3. Click to expand the Deployments node in the left-hand pane.
  4. Click to expand the Web Applications node in the left-hand pane.
  5. Select the security node.
  6. Select the Targets tab in the right-hand pane to display the Available and Chosen targets.
  7. Deploy the security Web Application on the examplesServer.
  8. Click to expand the Security node in the left-hand pane.
  9. Select the Users node and add the following users:
     Name   Password
     Bill   weblogic1
     Ben    weblogic2
  10. Select the Groups node in the left-hand pane.
  11. Click on Create a new Group in the right-hand pane.
  12. Create an "admin" group and add "Bill" to this group.

Run the Example

  1. Load the security Web Application into a browser using a URL such as:
      http://hostname:port/security
     where hostname is the host name of the WebLogic Server and port is the port on which the WebLogic Server is listening for connections.

    The Web Application has been configured to serve the welcome page "welcome.jsp" when the root directory is requested. You can see this configured in the WEB-INF/web.xml file shown below:

      <welcome-file-list>
          <welcome-file>welcome.jsp</welcome-file>
      </welcome-file-list>

  2. When you first visit any page in this Web Application, you will not be logged in. If you click on the Configure background link, you will attempt to access the admin/edit.jsp page. Access to all pages under the /admin directory is configured in the web.xml deployment descriptor using the following element:
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>AdminPages</web-resource-name>
                <description>
                    These pages are only accessible by authorised administrators.
                </description>
                <url-pattern>/admin/*</url-pattern>
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <description>
                    These are the roles who have access
                </description>
                <role-name>
                    admin
                </role-name>
            </auth-constraint>
            <user-data-constraint>
                <description>
                    This is how the user data must be transmitted
                </description>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
    

    This restricts access to these pages to members of the admin role, as defined in the WebLogic security realm; anyone outside that role is denied.

    Because you are not logged in, you will be presented with the login page. This behavior is configured in the web.xml deployment descriptor with the following element:

      <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/fail_login.html</form-error-page>
          </form-login-config>
      </login-config>
    
    Here, we configure the Web Application to use a FORM-based login method. This is an alternative to BASIC authentication, in which we provide our own custom web page to prompt the user for login credentials using a simple HTML <form>. The login page is specified as login.jsp. This page must use the specific form action and field names defined by the Servlet 2.2 specification. You can copy this simple form to create your own pages and customize them to match the look and feel of your web site.

    The <realm-name> element is omitted here, so the default realm is used. This is the realm to which we added the two users, Bill and Ben, earlier.

  3. Enter username Ben with password weblogic2 and press submit. You should be logged in and see the welcome page. Click on the Configure background link to attempt to access the edit.jsp page. You are denied access since you do not have 'admin' privileges.

  4. Click on the 'logout' link. This action invokes the logout.jsp page, which invalidates the current session and effectively logs out the current user. On this page, you may revisit the Web Application, but you will need to log back in to gain access to any page.

    Log in again, this time as Bill, using the password weblogic1. Bill belongs to the admin group and should be able to access the Configure background page.
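As an added example (not part of the BEA sample), the following Python script reads a web.xml in the form shown in step 2 and flags two things worth checking in that security constraint: an <http-method> list, which constrains only the listed methods and leaves all others open, and a transport-guarantee of NONE, which lets the FORM credentials travel in clear text. It assumes only the Python standard library and uses a constructed copy of the page's descriptor with the <description> elements removed.

```python
import xml.etree.ElementTree as ET

# Constructed input: the page's security-constraint, with the <description>
# elements removed and wrapped in a minimal <web-app> root.
SAMPLE_WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>AdminPages</web-resource-name>
   <url-pattern>/admin/*</url-pattern>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>
     admin
  </role-name></auth-constraint>
  <user-data-constraint>
   <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
</web-app>"""


def audit(web_xml):
    """Return one (code, resource-name, url-patterns, ...) tuple per weakness."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.findall("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name", "").strip()
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = sorted(m.text.strip() for m in wrc.findall("http-method"))
            # Listing <http-method> constrains ONLY those methods; omitting it covers all.
            if methods:
                findings.append(("METHOD_FILTER", name, patterns, methods))
            # NONE lets the FORM credentials and session cookie travel in clear text.
            if guarantee == "NONE":
                findings.append(("CLEARTEXT", name, patterns))
    return findings


def harden(web_xml):
    """Drop the method filter and require CONFIDENTIAL (TLS) transport.
    Assumes each constraint already carries a <user-data-constraint>."""
    root = ET.fromstring(web_xml)
    for wrc in list(root.iter("web-resource-collection")):
        for m in wrc.findall("http-method"):
            wrc.remove(m)
    for tg in root.iter("transport-guarantee"):
        tg.text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")
```

Run audit() on the hardened descriptor and it returns no findings; on the page's original constraint it reports both the GET-only filter and the cleartext transport.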

There's More...


Documentation is available at
http://e-docs.bea.com/wls/docs60/

Copyright © 2000 BEA Systems, Inc. All rights reserved.