
Authentication Example


If this client were a web service endpoint and not a JSP page, you could use annotations to
declare security roles and to specify which roles were allowed access to which methods.
However, there is no resource injection in JSP pages, so you cannot use annotations and must
use the equivalent deployment descriptor elements.
Deployment descriptor elements are described in "Declaring Security Requirements in a
Deployment Descriptor" on page 851.
The following sample code shows the deployment descriptor used in this example of
form-based login authentication, which can be found in
tut-install/javaeetutorial5/examples/web/hello1_formauth/web/WEB-INF/web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<!-- FORM-BASED LOGIN AUTHENTICATION EXAMPLE -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>hello1_formauth</display-name>
    <servlet>
        <display-name>index</display-name>
        <servlet-name>index</servlet-name>
        <jsp-file>/index.jsp</jsp-file>
    </servlet>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>loginUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/logon.jsp</form-login-page>
            <form-error-page>/logonError.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>loginUser</role-name>
Examples: Securing Web Applications
Chapter 30 · Securing Web Applications
871
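
The following is an added example, not part of the tutorial's own code: a small Python check that reads a descriptor like the one in this listing and flags a FORM or BASIC login whose constraint does not require CONFIDENTIAL transport, as well as roles used without a security-role declaration. The function name audit_web_xml and the embedded sample (the listing's security elements, closed so that it parses) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # namespace of the web-app 2.5 descriptor

# Constructed sample: the security elements of the listing, with closing tags added.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>loginUser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logonError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>loginUser</role-name></security-role>
</web-app>"""

def audit_web_xml(xml_text):
    """Return a list of findings (strings) for a web-app 2.5 deployment descriptor."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    declared = {(r.text or "").strip() for r in root.findall("j:security-role/j:role-name", NS)}
    method = root.findtext("j:login-config/j:auth-method", "", NS).strip().upper()
    for sc in root.findall("j:security-constraint", NS):
        patterns = [(p.text or "").strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        roles = [(r.text or "").strip() for r in sc.findall("j:auth-constraint/j:role-name", NS)]
        # A missing user-data-constraint is treated like NONE: no transport requirement.
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee", "NONE", NS).strip()
        # FORM and BASIC submit the password itself; unless the constraint is
        # CONFIDENTIAL, the container accepts that login over plain HTTP.
        if roles and method in ("FORM", "BASIC") and guarantee != "CONFIDENTIAL":
            findings.append(f"{patterns}: {method} login with transport-guarantee {guarantee}")
        for role in roles:
            if role != "*" and role not in declared:
                findings.append(f"{patterns}: role '{role}' has no <security-role> declaration")
    if method == "FORM":
        for tag in ("form-login-page", "form-error-page"):
            if not root.findtext(f"j:login-config/j:form-login-config/j:{tag}", "", NS).strip():
                findings.append(f"FORM login is missing <{tag}>")
    return findings
```

Run against the sample, the check reports the `/*` constraint because its transport guarantee is NONE; changing that value to CONFIDENTIAL clears the finding.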