
Update: The code works correctly when the <auth-constraint> element is removed completely. Can anyone explain why it doesn't work when present?

I'm writing some code to practice securing a servlet in the deployment descriptor, and I'm getting the following in the browser:

HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.42

Any thoughts as to what I'm doing wrong? I've done some searching through prior posts, and it seems as though there may have been updates to the role names in Tomcat 7 - I've played with this, but with no success so far. (Code below).

web.xml

<?xml version="1.0" ?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <servlet>
        <servlet-name>CheckedServlet</servlet-name>
        <servlet-class>webcert.ch05.ex0502J.CheckedServlet</servlet-class>
        <security-role-ref>
            <role-name>MGR</role-name>
            <role-link>manager</role-link>
        </security-role-ref>
    </servlet>
    <servlet-mapping>
        <servlet-name>CheckedServlet</servlet-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>CheckedServletConstraint</web-resource-name>
            <url-pattern>/CheckedServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>manager</role-name>
    </security-role>
</web-app>

CheckedServlet.java

package webcert.ch05.ex0502J;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CheckedServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.write("<html><head><title>CheckedServlet</title></head><body>");

        // getUserPrincipal() is null when the container has not authenticated the caller
        String userMessage;
        Principal user = request.getUserPrincipal();
        if (user == null)
            userMessage = "Access denied.";
        else
            userMessage = "Access granted.";

        out.write("<br>" + userMessage + " Principal name is " + user +
                  "<br>If authorized, you should see some more text below:");

        // Container role check; the <security-role-ref> in web.xml also lets
        // the code ask for the alias "MGR", which links to "manager"
        if (request.isUserInRole("manager"))
            out.write("<br>Here's some super secret extra text since your " +
                    "role is manager.");

        out.write("</body></html>");
        out.flush();
        out.close();
    }
}
kenorb
Jeff Levine
  • Hello Jeff, were you able to find the cause? I have noticed the same issue on my box as well. I would really appreciate if you could share it here. Thank you. – Tariq Nov 06 '13 at 19:36
  • Hi Tariq - no luck as of yet. I asked the question in the context of studying for the OCWCD exam, so I've since moved on to other topics. I plan to revisit on my next pass through the text, and I'll definitely post if I find an answer. – Jeff Levine Nov 08 '13 at 00:33
  • possible duplicate of [How to fix Tomcat HTTP Status 403: Access to the requested resource has been denied?](http://stackoverflow.com/questions/5808206/how-to-fix-tomcat-http-status-403-access-to-the-requested-resource-has-been-den) – kenorb Apr 08 '15 at 21:53

3 Answers

4

If you enable security for your web application (as you have done by adding the <security-constraint> clause to web.xml), you also need to define corresponding users/roles/passwords in tomcat-user.xml. This file is usually located in the conf folder of the tomcat installation. Here are the sample lines that you can add to your installation's tomcat-user.xml file:

<role rolename="MGR"/>  
<user password="mypassword" roles="MGR" username="user1"/>
<user password="mypassword2" roles="MGR" username="user2"/>

Now, when you access your application, instead of getting the status 403 error message, your application will instead prompt you to enter a userid / password using HTTP Basic Auth. You should then be able to successfully log in if you use one of the above userids.

Alan C. S.
2

You need to add the following in your web.xml:

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

and then you also edit your tomcat-user.xml to add the role and user name. Re-deploy the application after these and this problem should be gone.

kenorb
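Putting the two answers above together, here is a complete web.xml for the asker's servlet with the missing <login-config> added. This is an added example, not code from the question or from either answer. It also explains the asker's update: without a <login-config>, Tomcat has no authenticator to challenge the client, so any URL covered by an <auth-constraint> is refused outright with 403; removing the <auth-constraint> removes the authorization requirement altogether, which is why the page then loads for everyone. The <realm-name> value and the <user-data-constraint> are my additions, and the transport guarantee assumes the Tomcat instance has an HTTPS connector configured.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <servlet>
        <servlet-name>CheckedServlet</servlet-name>
        <servlet-class>webcert.ch05.ex0502J.CheckedServlet</servlet-class>
        <!-- Lets the code call isUserInRole("MGR") as an alias for the container
             role "manager". It does NOT declare a role of its own, so a user whose
             only role is "MGR" is not authorized by the constraint below. -->
        <security-role-ref>
            <role-name>MGR</role-name>
            <role-link>manager</role-link>
        </security-role-ref>
    </servlet>

    <servlet-mapping>
        <servlet-name>CheckedServlet</servlet-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>CheckedServletConstraint</web-resource-name>
            <url-pattern>/CheckedServlet</url-pattern>
            <!-- No <http-method> is listed on purpose: the constraint then covers
                 every method. Listing some methods leaves the others unprotected. -->
        </web-resource-collection>
        <auth-constraint>
            <!-- "*" means any role declared in <security-role> below, i.e. the
                 authenticated user must hold "manager". -->
            <role-name>*</role-name>
        </auth-constraint>
        <!-- Added caveat: BASIC sends the password base64-encoded on every request.
             CONFIDENTIAL makes Tomcat redirect plain HTTP to the HTTPS connector
             before it issues the challenge (assumes such a connector exists). -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- The element the question's web.xml lacks. With it present, an
         unauthenticated request gets 401 plus a WWW-Authenticate header instead
         of a bare 403. The realm name is an arbitrary label chosen here. -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>CheckedServlet</realm-name>
    </login-config>

    <security-role>
        <role-name>manager</role-name>
    </security-role>
</web-app>
```

On the realm side, assuming Tomcat's default UserDatabaseRealm backed by conf/tomcat-users.xml, the role name must match the <security-role> entry, so the user line is `<user username="user1" password="..." roles="manager"/>` with a matching `<role rolename="manager"/>`; this application's "manager" role is unrelated to the manager-gui and manager-script roles that Tomcat 7 introduced for its own Manager webapp. Two checks tell the two failure modes apart after redeploying: a 401 on the first unauthenticated request means the <login-config> is in effect and the container is challenging correctly, while a 403 that appears only after valid credentials were supplied means the user authenticated but holds none of the roles declared in <security-role>. Note that tomcat-users.xml stores those passwords in clear text unless the Realm is configured to digest them.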
0

The two remarks from the other members were correct. To summarize the points of adding a role, a login-config and a corresponding user config of the tomcat you may have a look at this post:

How to fix Tomcat HTTP Status 403: Access to the requested resource has been denied?

Community