
I am building a small Java web application where I need 2 user roles. The first one is the "admin", who needs to view/edit/update database data returned after a search form, and the second one is the "user", who can only view the returned results. To make it more clear, I have a login.jsp page; upon successful login I am redirected to search.jsp, and after the search, if the logged-in user is admin, the results can be viewed, edited or deleted, otherwise if the logged-in user is user, the results can only be viewed. I have to implement it using j_security_check and Tomcat. My tomcat-users.xml file:

<tomcat-users>
    <role rolename="admin"/>
    <role rolename="user"/>

    <user username="admin" password="admin" roles="admin"/>
    <user username="user" password="user" roles="user"/>
</tomcat-users>

My simple login.jsp

<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title>
    </head>
    <body>
        <form action="j_security_check" method="POST">
           Username:<input type="text" name="j_username"><br>
           Password:<input type="password" name="j_password">
           <input type="submit" value="Login">
        </form>
    </body>
</html>

And I cannot find how to set up the web.xml so that after the login I am redirected to search.jsp for both admin and user, but after the search there is a page adminresults.jsp for the admin and a different userresults.jsp for the user.

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>java app login</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>

        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/search.html</form-login-page>
            <form-error-page>/login-failed.html</form-error-page>
        </form-login-config>
    </login-config>
</web-app>

Thank you in advance for your time.

user3451793

1 Answer


You cannot do this in the web.xml. You have to write the logic yourself in either a filter or a servlet.

Use the request object to check whether the user has a specific role:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ResultServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // isUserInRole consults the roles the container assigned at login
        // (here, from tomcat-users.xml)
        if (request.isUserInRole("admin")) {
            response.sendRedirect("adminresult.html");
        } else if (request.isUserInRole("user")) {
            response.sendRedirect("userresult.html");
        } else {
            // authenticated but in neither role: refuse instead of falling through
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
Erwin de Gier
  • Let us know if it worked for you and accept this answer if it does. – Erwin de Gier Mar 18 '15 at 19:22
  • Sorry, it did not work. I still search... It keeps recognizing only the tomcat user, not admin or user that I set – user3451793 Mar 19 '15 at 19:26
  • There is a fault in your web.xml: /search.html should be /login.jsp. Now, when you navigate to search.html, the application takes you to login.html and you should login with admin or user. Then after you have submitted the search query and fetched the results, you can use the code in my answer to direct the user to the correct page, based on his role. – Erwin de Gier Mar 20 '15 at 07:42
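As an added example (not part of the question or the answer above), here is a web.xml that applies the correction from the comments (form-login-page pointing at /login.jsp) and also lets the container enforce the role split. The isUserInRole redirect in the answer only chooses which results page to show; without a constraint on adminresults.jsp, a user in the "user" role who knows the URL can request the admin page directly. The /admin/* pattern is an assumed convention for the edit/delete servlets, not something from the post; the servlet mapping from the question is kept as-is.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test</url-pattern>
    </servlet-mapping>

    <!-- Everything requires a login as admin or user. No <http-method> list on purpose:
         listing only GET and POST would leave HEAD, PUT, DELETE, OPTIONS, ... unconstrained. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>whole application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- The admin results page, and an assumed /admin/ prefix for the edit/delete
         servlets, are reachable only by admin. For these URLs the more specific
         pattern (exact match, longer prefix) is selected instead of /*, so this
         role list applies on its own rather than being merged with the one above. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin only</web-resource-name>
            <url-pattern>/adminresults.jsp</url-pattern>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <!-- the page that posts j_username/j_password to j_security_check -->
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-failed.html</form-error-page>
        </form-login-config>
    </login-config>

    <!-- declare every role referenced in auth-constraint or isUserInRole() -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```

With this in place, requesting /adminresults.jsp as "user" is answered with 403 by Tomcat before any JSP code runs, so the servlet's redirect is a convenience for the right user, not the access control. Two things to check when trying it: CONFIDENTIAL only works if an HTTPS connector is configured in Tomcat's server.xml (otherwise every request is bounced to the redirect port and fails), and the form-login-page must be the page containing the j_security_check form, never the page you want to land on after login; Tomcat returns the user to the originally requested URL once the credentials are accepted.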