WebLogic Server 6.0.0 Code Examples, BEA Systems, Inc.
Web Application Security Example File Summary

| File | Description |
| --- | --- |
| welcome.jsp | Configured as the welcome file for the Security Web Application. |
| admin/edit.jsp | This page is configured in web.xml with a security constraint. Only users with the appropriate authentication can access the admin directory of the Security Web Application. |
| login.jsp | Presents the form used to authenticate the user. This page is configured in web.xml to be presented whenever an unauthorized user attempts to access admin/edit.jsp, which is protected by a security constraint. |
| logout.jsp | Presented when the user logs out. |
| fail_login.html | Error page configured in web.xml to be presented on a failed login attempt. |
| WEB-INF/web.xml | Web Application deployment descriptor. The descriptor configures access to the admin directory of the Security Web Application. |
This example demonstrates a simple Web Application that uses authentication to restrict access to a specific directory. It also demonstrates how to deploy a Web Application in an expanded directory structure.
Perform the following steps in order to build and run the example:
| Name | Password |
| --- | --- |
| Bill | weblogic1 |
| Ben | weblogic2 |
http://hostname:port/security
where:
The Web Application has been configured to serve the welcome page "welcome.jsp" when the root directory is requested. You can see this configured in the WEB-INF/web.xml file shown below:
    <welcome-file-list>
      <welcome-file>welcome.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <description>
          These pages are only accessible by authorised administrators.
        </description>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>
          These are the roles who have access
        </description>
        <role-name>admin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>
          This is how the user data must be transmitted
        </description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
This denies access to these pages to anyone outside the admin role, as defined in the WebLogic security realm.
Because you are not logged in, you will be presented with the login page. This behavior is configured in the web.xml deployment descriptor with the following element:
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/fail_login.html</form-error-page>
      </form-login-config>
    </login-config>

Here, we configure the Web Application to use a FORM based login method. This is an alternative to BASIC authentication, where we can provide our own custom web page to prompt the user for login credentials using a simple HTML <form>. The login page is specified as login.jsp. This page must use a specific form, action, and field names, as defined by the Servlet 2.2 specification. You can copy this simple form to create your own pages, and customize them to the same look and feel as your web site.
The element <realm-name> is omitted here, so the default realm is used. We added two users, Bill and Ben, earlier.
Log in again, this time as Bill, using the password weblogic1. Bill belongs to the admin group and should be able to access the Configure background page.
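
An added example, not part of the BEA sample: a small Python audit of the descriptor fragments shown above. It reports that the constraint lists only GET, so requests to /admin/* with other HTTP methods are not covered by it, and that a transport-guarantee of NONE lets the FORM login travel over plain HTTP. The function names and finding codes are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Descriptor fragments from the page, wrapped in <web-app> for parsing.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
</web-app>
"""

def text(node, path, default=""):
    return (node.findtext(path) or default).strip()

def audit(xml_source):
    """Return (code, detail) findings for each security-constraint."""
    root = ET.fromstring(xml_source)
    auth = text(root, "login-config/auth-method", "NONE")
    findings = []
    for sc in root.iter("security-constraint"):
        guarantee = text(sc, "user-data-constraint/transport-guarantee", "NONE")
        roles = [r.text.strip() for r in sc.iter("role-name") if r.text]
        for wrc in sc.iter("web-resource-collection"):
            name = text(wrc, "web-resource-name")
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = sorted(m.text.strip().upper() for m in wrc.iter("http-method"))
            if methods:
                # A method list narrows the constraint; other methods are not covered.
                findings.append(("METHOD_GAP", f"{name} {patterns}: only {methods} require roles {roles}"))
            if guarantee == "NONE" and auth in ("FORM", "BASIC"):
                findings.append(("CLEARTEXT_LOGIN", f"{name}: {auth} credentials not forced onto TLS"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(WEB_XML):
        print(code, "-", detail)
```

Removing the <http-method> element (so the constraint applies to every method) and setting the transport guarantee to CONFIDENTIAL clears both findings.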
Documentation is available at http://e-docs.bea.com/wls/docs60/