This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 95123 - Incomplete tutorial
Summary: Incomplete tutorial
Status: NEW
Alias: None
Product: www
Classification: Unclassified
Component: Obsolete
Version: 5.x
Hardware: All Windows XP
Importance: P3 blocker
Assignee: issues@www
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-02-09 18:20 UTC by kitfox
Modified: 2008-09-27 00:47 UTC
CC List: 2 users

See Also:
Issue Type: DEFECT
Exception Reporter:


Attachments
Security view (32.99 KB, image/png)
2007-02-13 13:50 UTC, Dan Kolar

Description kitfox 2007-02-09 18:20:12 UTC
I've been following the below tutorial, but running into problems:

http://www.netbeans.org/kb/articles/security-webapps.html#Basic_login_config

First of all, there is no indication that the user should add the JSTL 1.1
library to the libraries.  (I was able to figure this out and get past this step)

After finishing the coding section, I ran the demo (on Tomcat).  Unfortunately, I
was unable to log in.  After a few attempts which returned errors saying that I could
not be recognized, I apparently typed in a user name that it did recognize, but
which had invalid permissions.  Unfortunately, there seems to be no way to log
out.  As a result, I seem to only be able to generate '403 - Access to resource
denied' messages.

How do I log out?  Why are the user names 'Admin' and 'User' when they are
apparently listed in the tomcat-users.xml file as 'admin' and 'user'?  Has this
tutorial been tested on Tomcat?
Comment 1 jcatchpoole 2007-02-12 11:57:17 UTC
cc'ing the tutorial author - Dan, can you comment ?  Thanks.
Comment 2 Dan Kolar 2007-02-13 13:49:46 UTC
Well.

1) JSTL is not needed at all, it's just one more useless line than needed. Will
correct it.

2) Log out could be done by different methods:
a) Setting the session timeout to a low number, so after the defined time the user is
automatically logged out
b) Use request.getSession().invalidate()
c) Close the browser and open the page in a new one

3) It doesn't depend on names, you just need 2 different users with 2 different
roles. W/o any change in tomcat-users.xml you can use users "tomcat" and "role1"
with their roles tomcat and role1. Then just add roles "tomcat" and "role1"
Look at the attached image.
The whole idea of this security is based on realms, roles and users.
A realm is defined on the server and holds some users. Every user has at least one of
the predefined roles for this realm, which defines its general privileges.
So the web application sends a (realm)/user/password authentication request to the server.
The server tries to find the user in the defined realm (if no realm is sent by the web
application, the default realm is used). If authentication was successful, the web
application checks the user's role against the role of the content he wants to view. If the roles
match, the page content is propagated, otherwise access to the resource is denied.

4) This tutorial has been tested on Tomcat, and it works as it should, but I
agree, it might not be clear enough sometimes.
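A logout handler of the kind described in item 2b, as an added example that is not part of the bug report or of the tutorial: a servlet that invalidates the container-managed session so that the next request to a protected URL triggers a fresh login, which is how a user stuck with the wrong role can switch accounts. The class name and the /logout mapping are assumptions; the servlet API used is the javax.servlet one that Tomcat 5.x shipped with.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Assumed web.xml mapping (illustration, not from the tutorial):
 *   <servlet-mapping><servlet-name>logout</servlet-name>
 *                    <url-pattern>/logout</url-pattern></servlet-mapping>
 */
public class LogoutServlet extends HttpServlet {

    /** Logout is a state change, so do it on POST; GET just delegates. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) avoids creating a brand-new session only to destroy it.
        HttpSession session = request.getSession(false);
        boolean wasAuthenticated = request.getRemoteUser() != null;

        if (session != null) {
            // With FORM authentication Tomcat keeps the authenticated principal in
            // the session, so invalidating it forces the login page on the next
            // request to a constrained resource. With BASIC authentication the
            // browser re-sends its cached Authorization header, so the user is
            // silently re-authenticated; closing the browser (item 2c above) is
            // then the only way to drop the credentials.
            session.invalidate();
        }

        // Make sure neither the browser nor a proxy caches the logout response.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.setContentType("text/html");
        // Do not echo the user name: it is realm data, not something to render raw.
        response.getWriter().println(wasAuthenticated
                ? "<p>You have been logged out.</p>"
                : "<p>No user was logged in.</p>");
    }
}
```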
Comment 3 Dan Kolar 2007-02-13 13:50:57 UTC
Created attachment 38436 [details]
Security view
Comment 4 jcatchpoole 2008-07-28 19:33:44 UTC
Removing meaningless "version"s for www issues.