Form Based Authentication

﹥>﹥吖頭↗ 提交于 2019-12-11 20:34:03

问题


I have experience programming Java Applications but never any Web Apps so xml is relatively new to me. I've learned quite a bit in my research but I'm currently stumped and hopefully you all can help me out.

Context: The company I work for hired a contractor to develop software for inventory. The developer chose to create a web app on the company's intranet (not connected to Internet at all). Several months and a handful of revisions down the road, the developer quit working on the project for unknown reasons (to me, at least). So here I am using a .war file to reverse engineer and then finish the project!

I've configured Tomcat and MS SQL Server and all connections are good according to Netbeans. I can deploy the app but here is where I get stuck. The index.jsp contains a login.jsp. Looking at the code for these pages has me confused.

As best I can tell, the developer was going for Form Based Authentication so that user roles are determined at login. I don't understand how this code redirects to any page at all, much less does anything:

<form method="POST" action='<%= response.encodeURL("j_security_check") %>' >
    <table border="0" cellspacing="5">
    <tr>
        <td>
            Username:<br>
            <input type="text" name="j_username" style="width: 200px;">
        </td>
    </tr>
    <tr>
        <td>
            Password:<br>
            <input type="password" name="j_password" style="width: 200px;">
        </td>
    </tr>
    <tr>
        <td><br></br><input type="submit" value="Log In" class="buttonStyle"> <input type="reset" class="buttonStyle"></td>
    </tr>
    </table>
</form>

Specifically, what tells the app that a login is good or bad? What handles the events when the buttons are clicked?

I appreciate your patience and help!


回答1:


Take a read through the Java Servlet Specification, specifically section 13.6.3. Reading a spec sounds scary, but the Java Servlet Spec is one of the most readable I've ever read: it's meant to be read by programmers and not by lawyers.

The quick summary is that when a user tries to access a protected page (and haven't yet authenticated), they are presented with the login page. The "submit" button posts the username and password to the servlet container (Tomcat) which performs the authentication (checks the username/password) and either goes back to the login page (if the username/password were incorrect) or redirects the user back to the protected page they originally requested.

There's some stuff going on here that isn't obvious because the container (Tomcat) is handling it for you. Reading the spec -- the whole thing, actually -- will give you great insight into how everything works and will make you much better prepared to babysit this code you've inherited.

Update 2014-10-22 13:45 EDT

To determine the type of authentication that is being performed, you need to look for a <Realm> element in your web applications' META-INF/context.xml file, or in Tomcat's conf/server.xml, nested inside your web application's <Context> element. It will indicate the type of realm being used (usually "Memory" which is for conf/tomcat-users.xml, or DataSource/JDBC which indicate that the authentication information is in a relational database, etc.).

None of the "realm" stuff is covered by the spec. For that, you'll have to refer to the Tomcat documentation, or join the Tomcat users' list and the community in general.



来源:https://stackoverflow.com/questions/26434320/form-based-authentication

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!