This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
I've been following the tutorial below, but running into problems: http://www.netbeans.org/kb/articles/security-webapps.html#Basic_login_config

First of all, there is no indication that the user should add the JSTL 1.1 library to the libraries. (I was able to figure this out and get past this step.)

After finishing the coding section, I ran the demo (on Tomcat). Unfortunately, I was unable to log in. After a few attempts which returned errors saying that I could not be recognized, I apparently typed in a user name that it did recognize, but which had invalid permissions. Unfortunately, there seems to be no way to log out. As a result, I seem to only be able to generate '403 - Access to resource denied' messages.

How do I log out? Why are the user names 'Admin' and 'User' when they are apparently listed in the tomcat-users.xml file as 'admin' and 'user'? Has this tutorial been tested on Tomcat?
cc'ing the tutorial author - Dan, can you comment? Thanks.
Well.

1) JSTL is not needed at all, it's just one more line than needed. Will correct it.

2) Logout can be done by different methods:
a) Setting the session timeout to a low number, so after the defined time the user is automatically logged out
b) Use request.getSession().invalidate()
c) Close the browser and open the page in a new one

3) It doesn't depend on names, you just need 2 different users with 2 different roles. W/o any change in tomcat-users.xml you can use users "tomcat" and "role1" with their roles tomcat and role1. Then just add roles "tomcat" and "role1". Look at the attached image.

The whole idea of this security is based on realms, roles and users. A realm is defined on the server and holds some users. Every user has at least one of the predefined roles for this realm, which defines its general privileges. So the web application sends a (realm)/user/password authentication request to the server. The server tries to find the user in the defined realm (if no realm is sent by the web application, the default realm is used). If authentication was successful, the web application checks the user's role against the role of the content he wants to view. If the roles match, the page content is propagated, otherwise access to the resource is denied.

4) This tutorial has been tested on Tomcat, and it works as it should, but I agree, it may not be clear enough sometimes.
Created attachment 38436: Security view
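The logout option b) above, written out as a small servlet for a container-managed (realm based) web application; this is an added example, not code from the tutorial or from NetBeans. It assumes a web.xml mapping of the servlet to /logout, a public page /index.jsp to return to, and the role name "tomcat" from Tomcat's default tomcat-users.xml.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Ends the authenticated session of a container-managed web application.
 * Assumed (not from the tutorial): mapped in web.xml to /logout, and
 * "tomcat" is one of the roles named in the security-constraint.
 */
public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // null when the container has not authenticated anyone on this request
        String user = request.getRemoteUser();
        // Role membership is decided by the container's realm, not by the application
        boolean hasTomcatRole = request.isUserInRole("tomcat");

        // Pass false: do not create a fresh session only to invalidate it
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Drops the server-side session; with FORM login this also drops
            // the principal the container attached to it
            session.invalidate();
        }

        // Keep a trace of who logged out; useful when reviewing 403s later
        getServletContext().log("logout: user=" + user + " tomcatRole=" + hasTomcatRole);

        // Send the client back to a public page; the next request to a
        // protected URL makes the container ask for credentials again
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```

With BASIC authentication the browser keeps re-sending the cached credentials, so invalidating the session alone does not log the user out; that is why option c) (closing the browser) is listed, and FORM authentication is the setup where this servlet is sufficient.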
Removing meaningless "version"s for www issues.