In this exercise, you will use role-based security to restrict access to elements of a web application.
Task - Verify the Project Prior to Adding Security
1. Open the project SL314ml21abl in the d:\labs\student\exercises directory and run it. This is essentially the same as Lab 9, but without the filter. Verify that you can reach all the pages, and that you can log in or not as you choose.
Task - Configure Users in the GlassFish Server
1. Select the Services tab (second tab to the right of the Projects tab, at the top left of the NetBeans window).
2. Open the Servers tree element and right-click the GlassFish domain. Select View Admin Console from the popup menu.
3. When the admin console starts in your web browser, open the tree on the left side of the window. Find the hierarchy Common Tasks -> Configuration -> Security -> Realms -> file, and click the file element.
4. The right-hand pane shows the page Edit Realm. Click the button Manage Users just below this title.
5. Click the New button to add a user. Add the user IDs Alice and Maverick; in each case, use the user ID (with the same capitalization) as the password.
Task - Assign Users to Roles
1. In the Projects tab, open the tree SL314ml21abl -> Web Pages -> WEB-INF. Right-click the sun-web.xml file and select Edit.
2. In the editor pane at the right, select the Security tab and click the button at the right, Add Security Role Mapping.
3. Edit the field Security Role Name, which currently contains the text role1, and change the role name to Users.
4. Click the button Add Principal, enter the user name Alice, then click OK.
5. Type Control-S to save the file.
Task - Mandate Login Before Access
1. Right-click the project, and select New -> Standard Deployment Descriptor (web.xml).
2. Select the Security tab, then open the Login Configuration element and select the radio button for Basic.
3. Open the Security Roles element, click the Add button, and enter Users, then click OK.
4. Open the Security Constraints element (click the Add Security Constraint button). Enter a constraint name (TheConstraint is fine).
5. Click the Add button located just under the Name column heading in the Web Resource Collection block. In the dialog box that pops up, enter a resource name (MyResource will serve), then enter the URL Pattern /ApplicationController. Ensure that All HTTP methods is selected and then click OK.
6. Check the checkbox Enable Authentication Constraint, then click the Edit button to the right of Role Name(s). Select the role Users and click the Add button. Click OK.
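The descriptors that the two preceding tasks produce, shown here as an added example rather than as files taken from the lab project. The web.xml fragment is what NetBeans writes for steps 2 to 6 above (a Java EE 5 / Servlet 2.5 descriptor, matching sun-web.xml); the sun-web.xml fragment is the role mapping from the previous task. The user-data-constraint element is an addition the lab steps do not ask for: BASIC authentication sends the user ID and password Base64-encoded (not encrypted) on every request, so a practitioner would require HTTPS for the constrained URL (GlassFish redirects to its HTTPS listener, port 8181 in a default domain).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <security-constraint>
        <display-name>TheConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>MyResource</web-resource-name>
            <url-pattern>/ApplicationController</url-pattern>
            <!-- No http-method element: "All HTTP methods" leaves every
                 method constrained. Listing only GET and POST would leave
                 HEAD, PUT, DELETE etc. unprotected. -->
        </web-resource-collection>
        <auth-constraint>
            <!-- Only callers mapped to the Users role may reach the URL. -->
            <role-name>Users</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Added hardening, not part of the lab steps: force HTTPS so
                 the Base64-encoded Basic credentials are never sent in clear. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <!-- The realm in which the users were created in the admin console. -->
        <realm-name>file</realm-name>
    </login-config>

    <security-role>
        <role-name>Users</role-name>
    </security-role>
</web-app>

<!-- WEB-INF/sun-web.xml (GlassFish-specific, separate file): maps the
     application role to a principal in the file realm. Maverick exists in
     the realm but is deliberately not mapped here. -->
<sun-web-app>
    <security-role-mapping>
        <role-name>Users</role-name>
        <principal-name>Alice</principal-name>
    </security-role-mapping>
</sun-web-app>
```

Note that the constraint covers only /ApplicationController. Any JSP that can be requested directly by its own URL stays unprotected unless it is given its own url-pattern or moved under WEB-INF, where the container will not serve it directly.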
Task - Run the Application and Verify Login Requirement
1. Run the application, and verify that before you can reach either the Quote or Advertisement page you are forced to log in as Alice. If you log in as Maverick, the realm accepts the credentials but the request is rejected (HTTP 403 Forbidden), since this user was not added to the Users role.
Task - Pick Up the Username from the Environment
1. Edit the ApplicationController servlet so that it no longer looks for a username in the request parameters, and no longer provides a login operation.
2. In place of the old mechanism you just removed, extract the user name from the Principal object that can be obtained from the request (request.getUserPrincipal()).
Task - Modify the Application to Use Form-based login
1. Edit the login.jsp form that will be used to prompt for user login. This should submit to the action j_security_check. The user name field must be called j_username. Create a password field, which must be called j_password.
2. Arrange two buttons on the form. One should be of type submit and labeled Login. The other should be of type reset and labeled Clear.
3. Edit the web.xml file. Change the Login Configuration from Basic to Form. In both the fields for Form Login Page and Form Error Page, enter login.jsp.
4. Test that the application now uses the form you created for login, and that failed logins are also directed to the same login page.
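A login.jsp matching the steps above, written here as an added example and not taken from the lab project. The action j_security_check and the field names j_username and j_password are fixed by the Servlet specification; the container intercepts that POST itself, so no servlet of yours handles it. The form uses POST deliberately: a GET form would place the password in the URL, the browser history and the access log.

```jsp
<%@ page contentType="text/html" pageEncoding="UTF-8" %>
<%-- Form login page referenced from web.xml as both form-login-page
     and form-error-page (login-config/auth-method = FORM). --%>
<html>
<head><title>Login</title></head>
<body>
    <h2>Please log in</h2>
    <%-- j_security_check is resolved relative to the page that was
         requested; the servlet container answers it, not the application. --%>
    <form method="post" action="j_security_check">
        <p>User name: <input type="text" name="j_username"></p>
        <p>Password:  <input type="password" name="j_password"></p>
        <p>
            <input type="submit" value="Login">
            <input type="reset"  value="Clear">
        </p>
    </form>
</body>
</html>
```

Because the lab uses the same page for login and error, a failed attempt silently re-displays the form. If you want the user to see that the attempt failed, point Form Error Page at a second JSP (or add a query parameter to it); do not echo the submitted user name back into the page without escaping it.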
Task - Provide a Logout Mechanism
1. To this point, there has been no proper way to log out once you are logged in. To provide for this, add a new operation Logout to the ApplicationController servlet. When invoked, this should call session.invalidate() and dispatch back to the index.jsp page.
2. Add another option Logout to the index.jsp page.
3. Test that the application now allows a user-controlled logout operation.
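An ApplicationController that covers both the "Pick Up the Username from the Environment" task and the logout task above, written as an added example rather than the lab's own servlet. The operation parameter name, the Logout and Advertisement values and the view file names (quote.jsp, advertisement.jsp) are assumptions; the lab names the pages but not their URLs.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ApplicationController extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    private void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The container has already authenticated the caller and checked the
        // Users role (security-constraint on /ApplicationController). A null
        // principal therefore means the constraint is missing or was bypassed,
        // so fail closed instead of falling back to an anonymous user.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The identity comes from the container, never from a "username"
        // request parameter the client could set to anything.
        String username = principal.getName();

        String operation = request.getParameter("operation"); // assumed parameter name

        if ("Logout".equals(operation)) {
            // getSession(false) avoids creating a session only to destroy it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            request.getRequestDispatcher("/index.jsp").forward(request, response);
            return;
        }

        // Hand the authenticated name to the view; the view must escape it.
        request.setAttribute("username", username);
        String view = "Advertisement".equals(operation)
                ? "/advertisement.jsp"   // assumed file name
                : "/quote.jsp";          // assumed file name
        request.getRequestDispatcher(view).forward(request, response);
    }
}
```

Two caveats when testing the logout. With FORM login the authenticated identity lives in the session, so session.invalidate() genuinely logs the user out. With BASIC login the browser keeps re-sending the cached Authorization header, so after invalidation the next request to a constrained URL is authenticated again without any prompt; only closing the browser (or Servlet 3.0's request.logout(), which Java EE 5 does not have) clears it. If you also need an in-code role check, request.isUserInRole("Users") uses the same sun-web.xml mapping as the declarative constraint.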