I wanted to figure out how to secure a web application that is deployed in Jetty. The basic idea was to create a UserServlet; when a user tries to access it, he should be prompted for basic authentication, and once the user logs in, check whether he has the ADMIN role. If yes, display the "You have reached secure call" message. You can download the sample application from here.
This screenshot shows the basic authentication prompt the user gets.
This screenshot shows the page displayed to the user after a successful login.
I followed these steps to create the secured web application:
- First I created UserServlet.java like this:
package com.webspherenotes.rest;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UserServlet extends HttpServlet {
    // Only GET is handled. Access control is enforced by the container
    // through the security-constraint in web.xml, not by this code.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        resp.getWriter().println("You have reached secure call");
    }
}
This servlet has only a doGet() method; when it gets control it writes the "You have reached secure call" message to the response.
- Next I changed web.xml to protect the UserServlet so that it looks like this:
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
  <display-name>Archetype Created Web Application</display-name>
  <servlet>
    <servlet-name>User</servlet-name>
    <servlet-class>com.webspherenotes.rest.UserServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>User</servlet-name>
    <url-pattern>/user</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user</web-resource-name>
      <url-pattern>/user</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Default</realm-name>
  </login-config>
  <security-role>
    <role-name>ADMIN</role-name>
  </security-role>
</web-app>
The security-constraint element says to protect GET calls to the /user URL and to allow only users who have the ADMIN role to access the servlet. The login-config element selects BASIC authentication and defines Default as the realm name.
- Next change the Maven build file to configure the jetty-maven-plugin so that it uses a login service:
<build>
  <finalName>JettySecurity</finalName>
  <plugins>
    <plugin>
      <groupId>org.mortbay.jetty</groupId>
      <artifactId>jetty-maven-plugin</artifactId>
      <version>7.4.5.v20110725</version>
      <configuration>
        <scanIntervalSeconds>10</scanIntervalSeconds>
        <webAppConfig>
          <contextPath>/JettySecurity</contextPath>
        </webAppConfig>
        <loginServices>
          <loginService implementation="org.eclipse.jetty.security.HashLoginService">
            <name>Default</name>
            <config>${basedir}/src/main/resources/realm.properties</config>
          </loginService>
        </loginServices>
        <connectors>
          <connector implementation="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <port>9000</port>
            <maxIdleTime>60000</maxIdleTime>
          </connector>
        </connectors>
      </configuration>
    </plugin>
  </plugins>
</build>
The loginService element asks Jetty to use the list of users and passwords from the ${basedir}/src/main/resources/realm.properties file to authenticate users. Its name, Default, must match the realm-name in web.xml.
- Next create the realm.properties file, which looks like this:
guest:guest
admin:admin,ADMIN
This file has only two users, guest and admin; only the admin user has the ADMIN role.
Now if you deploy the application by executing
mvn jetty:run
and then try accessing
http://localhost:9000/JettySecurity/user
you will be prompted to log in. If you log in as admin/admin you should be able to access the UserServlet, but if you log in as guest, who lacks the ADMIN role, you should see an error page instead.
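To make the container's behaviour for the web.xml constraint and the realm.properties users above concrete, here is an added Python model of the BASIC-auth decision. It is not code from the post or from Jetty: it parses the same user:password[,role] format that HashLoginService reads, decodes the Authorization header a browser sends after the prompt, and returns the status the container would answer with (401 with a WWW-Authenticate challenge, 403 when the user is authenticated but lacks ADMIN, 200 otherwise). The constraint table, the embedded realm text and all helper names are constructed for this example.

```python
import base64
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed copy of the post's realm.properties (HashLoginService format:
# "user: password[,role1,role2,...]").
REALM_PROPERTIES = """\
guest:guest
admin:admin,ADMIN
"""

# Models the <security-constraint> from web.xml: GET on /user needs ADMIN.
# An empty http_methods set means "all methods", as omitting <http-method> does.
SECURITY_CONSTRAINTS = [
    {"url_pattern": "/user", "http_methods": {"GET"}, "roles": {"ADMIN"}},
]
REALM_NAME = "Default"  # <realm-name> from <login-config>


def parse_realm(text: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Parse realm.properties into {user: (password, roles)}."""
    users: Dict[str, Tuple[str, Set[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        parts = [p.strip() for p in rest.split(",")]
        users[user.strip()] = (parts[0], {p for p in parts[1:] if p})
    return users


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>'; None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def matching_constraint(method: str, path: str) -> Optional[dict]:
    """Exact-path match only; real url-patterns also allow /* and *.ext forms."""
    for c in SECURITY_CONSTRAINTS:
        if c["url_pattern"] == path and (not c["http_methods"] or method in c["http_methods"]):
            return c
    return None


def authorize(method: str, path: str, auth_header: Optional[str],
              realm_text: str = REALM_PROPERTIES) -> Tuple[int, Dict[str, str]]:
    """Return (status, extra response headers) the container would produce."""
    constraint = matching_constraint(method, path)
    if constraint is None:
        return 200, {}  # unconstrained: served without any login
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM_NAME}"'}
    creds = parse_basic_header(auth_header)
    if creds is None:
        return 401, challenge  # no usable credentials: make the browser prompt
    user, password = creds
    known = parse_realm(realm_text).get(user)
    # Constant-time password comparison for the known-user case.
    if known is None or not hmac.compare_digest(known[0].encode(), password.encode()):
        return 401, challenge
    if not (known[1] & constraint["roles"]):
        return 403, {}  # authenticated, but not in a role the constraint allows
    return 200, {}


def basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends after the login prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    for who, hdr in [("anonymous", None), ("admin", basic_header("admin", "admin")),
                     ("guest", basic_header("guest", "guest"))]:
        print(who, "->", authorize("GET", "/user", hdr))
```

Note that, exactly like the constraint in web.xml, the model covers only GET on /user because that is the only http-method listed; a request with any other method reaches the servlet without a login prompt, so list every method you intend to protect, or omit http-method entirely to cover them all. Jetty's HashLoginService also accepts MD5: and OBF: prefixed values in realm.properties, so the file does not have to hold plaintext passwords.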