I’m using declarative J2EE form based authentication in my webapp, following the instructions given in various places such as here: http://java.dzone.com/articles/understanding-web-security
It appears that the login via j_security_check allows all users within the realm to authenticate (log in), but doesn’t check their roles.
The authorization check seems only to be performed when the user accesses a page with a security constraint.
So in my app, a user is able to successfully log in because they’re in the realm, but then when they access a secure page they’re getting an ugly “Error 403: AuthorizationFailed” message.
Is there a way to limit authentication to users having a particular role? Or am I required to ensure that the user realm only contains users with the required role?
In terms of code, I have this declaration in my web.xml:
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Simple</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>
But it doesn’t say anything about required roles, so any user navigating to login.jsp can log in successfully if they’re in the realm.
Then, when the user accesses any of the pages matched by the url-pattern here:
<security-constraint>
    <display-name>Authorised</display-name>
    <web-resource-collection>
        <web-resource-name>Authenticated and Authorised Resources</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>simpleWebAppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
That’s when the roles are checked.
Role “simpleWebAppUser” is application wide, and I want to check that the user has this role before letting the log-in succeed.
I’m using WebSphere 7.0, configured to use the O/S user repository, on Windows XP/2000/2003.
No. Authentication is the process of establishing identity, and not the process of enforcing access control checks. That’s how JAAS (and hence, the Java Servlet Specification) treats this topic; most other systems would also implement authentication in a similar manner.
If you could modify the application to display the “secure page” only if the user is in a particular role (the Servlet API allows for this via the isUserInRole method of the HttpServletRequest), then you would save yourself some heartburn (while implementing the advice listed below).
You could do that, if it is possible. However, you might also get around this problem by writing your own JAAS LoginModule that successfully authenticates a user only when the user is also mapped to the required role (that your application code recognizes). You’ll also have to configure the application server and the web-application to use this login module.
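A sketch of the second option, added here as an example and not taken from the question or the answer: a JAAS LoginModule that refuses to authenticate a user who is not mapped to the simpleWebAppUser role, so the login itself fails instead of a later 403. The in-memory password and role tables are a constructed stand-in for the realm (the O/S user repository in the question), and wiring the module into WebSphere and the web application is assumed to be done separately.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Authenticates only when the credentials are valid AND the user holds the required role. */
public class RoleGatedLoginModule implements LoginModule {
    private static final String REQUIRED_ROLE = "simpleWebAppUser";
    // Constructed stand-in for the realm's user store; a real module would query the realm.
    private static final Map<String, char[]> PASSWORDS = Map.of(
            "alice", "alice-pw".toCharArray(), "bob", "bob-pw".toCharArray());
    private static final Map<String, Set<String>> ROLES = Map.of(
            "alice", Set.of("simpleWebAppUser"), "bob", Set.of("otherRole"));
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    private Subject subject;
    private CallbackHandler handler;
    private String user;   // set only after login() has succeeded
    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});   // container supplies j_username / j_password
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (name == null || pw == null) throw new FailedLoginException("login failed");
        boolean passwordOk = Arrays.equals(PASSWORDS.get(name), pw);   // false for unknown users
        boolean roleOk = ROLES.getOrDefault(name, Set.of()).contains(REQUIRED_ROLE);
        // One failure message for both cases, so the error page does not reveal which check failed.
        if (!passwordOk || !roleOk) throw new FailedLoginException("login failed");
        user = name;
        return true;
    }
    @Override
    public boolean commit() {
        if (user != null) subject.getPrincipals().add(new UserPrincipal(user));
        return user != null;
    }
    @Override public boolean abort() { user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
}
```

With this module, "bob" (valid password, wrong role) is sent to /loginerror.jsp by the form login rather than reaching a page that answers 403; the security-constraint in web.xml still applies as a second check for /secure/*.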