
After R&D on Security Constraint, SSL, and Front End Control using Sessions

Using Security Constraint in Web.xml file

1. Edit the tomcat-users.xml file in the Tomcat \conf directory by adding the following entries.

<tomcat-users>
  <!-- ... existing entries ... -->
  <!-- Role names must match the roles on the user entry and in web.xml -->
  <role rolename="fls"/>
  <role rolename="sls"/>
  <role rolename="bck"/>

  <user name="fcms" password="fcms" roles="fls,sls,bck"/>
</tomcat-users>

2. Coming to the Deployment Descriptor (web.xml) file

1. In NetBeans 5.5, open the web.xml file of the web application

2. Select the Security tab

Expand Security Roles and add roles such as fls, sls, bck

3. Then click Add Security Constraint

a. Display Name: some name
b. Web Resources Collection - Resource Name: LoginRestrict
c. URL pattern: /*.jsp
d. Methods: GET / POST, or select all methods

4. Enable Authentication Constraint

a. Click the Edit button; it opens Edit Role Names
b. Now select each role and click Add (the roles that we added under Security Roles)

5. Enable User Data Constraint

a. Set Transport Guarantee to: NONE or CONFIDENTIAL

Documentation for SSL (from our perspective, our conclusion is that it is useful for Struts-based web applications only)

Required: sslext.jar and sslext.tld files

1. We have to place sslext.jar in our Libraries

2. We have to place sslext.tld in WEB-INF

3. Add the following plug-in to the struts-config.xml file

<!-- ========================= SSL plugin ==================== -->

<plug-in className="org.apache.struts.action.SecurePlugIn">
<set-property property="httpPort" value="8080"/>
<set-property property="httpsPort" value="8443"/>
<set-property property="enable" value="true"/>
<set-property property="addSession" value="true"/>
</plug-in>

4. Add the following taglib to the web.xml file

<taglib>
<taglib-uri>/WEB-INF/struts-tiles.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-tiles.tld</taglib-location>
</taglib>

5. Add the following to the <action-mappings ...> </action-mappings> tag

<action-mappings type="org.apache.struts.config.SecureActionConfig">

6. Add the following entry inside the <action ...> </action> tag, before the <forward> tag

<set-property property="secure" value="true"/>

Controlling From Front End: This model is useful only when we are using sessions throughout the application.
The JSP page gets the session object in a scriptlet. If the page is reached without any URL copying, execution continues. If we copy the URL into another browser, the session object becomes null, and when the session object is null we forward to the login page.

To use the above solution, add the following code to the JSP page:

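<script type="text/javascript">
// Redirect to the login page when no user name was found in the session
function validate()
{
    if (document.getElementById('user').value == "null")
        parent.location.href = 'index.html';
}
</script>

<body onload="validate();">

<%-- Read the user name stored in the session at login --%>
<% String username = (String) session.getAttribute("UserName"); %>

<input type="text" value="<%=username%>" id="user" style="display:none">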

APPLYING FILTERS:
I think this is also another approach. Presently testing using filters, sir.

We worked completely on Controlling From Front End; it is almost successful for all types of users except slssvr. For this user, if we copy the URL and paste it into another browser, the page is displayed differently.

Using Security Constraint: it always asks for the user name and password that we gave in tomcat-users.xml if we copy the URL and paste it into another page.

We are also trying to implement SSL for Servlet/JSP-based web applications.
