Acegi Security in one hour

A concise guide to securing your Java Web applications

1 2 3 4 5 6 7 Page 5
Page 5 of 7

Coding the Web pages

Now, in five steps, you'll do some JSP coding to implement form-based authentication in the Web application:

Step 1. Create the login page, using the contents of Listing 15.

Listing 15. Login JSP

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page import="org.acegisecurity.ui.AbstractProcessingFilter" %>
<%@ page import="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter" %>
<%@ page import="org.acegisecurity.AuthenticationException" %>
<%@ taglib prefix="s" uri="/struts-tags" %>


<html>
  <head>
  <script>
  function focusUserName(){

  document.forms[0].j_username.focus();
  }

  </script>
    <title>Login</title>
      <c:set var="ctx" value="${pageContext.request.contextPath}"/>
  <link href="${ctx}/styles/global.css" type="text/css" rel="stylesheet"/>
  <link href="${ctx}/images/favicon.ico" rel="SHORTCUT ICON"/>

  </head>
 

  <body onload="focusUserName()">
    <%-- this form-login-page form is also used as the
         form-error-page to ask for a login again.
         --%>
  <div id="container">  
 
    <div id="intro">
   
      <div id="image">          
      </div>
       
      <div id="gap">
      </div>
      <br><br><br><br><br>

    <form action="<c:url value='j_acegi_security_check'/>" method="POST">
      <table width="50%" border="0" align="center">
    <c:if test="${not empty param.login_error}">
      <tr><td colspan="2"><font color="red">
        Your login attempt was not successful, try again.<BR>
        Reason: <%= ((AuthenticationException) session.getAttribute(AbstractProcessingFilter
        .ACEGI_SECURITY_LAST_EXCEPTION_KEY)).getMessage() %>
      </font></td></tr>
    </c:if>

        <tr><td>User:</td>
        <td>
        <input type='text' name='j_username'
        <c:if test="${not empty param.login_error}">
        value='<c:out value="${ACEGI_SECURITY_LAST_USERNAME}"/>'
        </c:if>>
        </td></tr>
        <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
        <tr><td><input type="checkbox" name="_acegi_security_remember_me"></td>
        <td>Don't ask for my password for two weeks</td></tr>

        <tr><td colspan='2'><input name="submit" type="submit">
        <input name="reset" type="reset" value="Clear"></td></tr>
        <!--tr><td colspan='2'></td></tr-->
      </table>
    </form>
    </div>
  </div>

  </body>
</html>

The login form is submitted to j_acegi_security_check for authentication.
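The error block in Listing 15 casts the session attribute without checking it and prints the raw exception text with a scriptlet. The following is an added example, not code from the article: a variant of that block that tolerates a request for the login page with login_error set but no stored exception (the case when someone opens login.jsp?login_error=1 directly, which would otherwise throw a NullPointerException), HTML-escapes the message through c:out, and clears the attribute once it has been shown. The tag prefixes and the param.login_error convention are those of Listing 15; the reason attribute name is an assumption of this example.

```jsp
<%@ page import="org.acegisecurity.ui.AbstractProcessingFilter" %>
<%@ page import="org.acegisecurity.AuthenticationException" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%
  // Added example: read the last failure once and null-safely. The attribute
  // is absent when the page is requested directly with ?login_error=1.
  AuthenticationException lastFailure = (AuthenticationException)
      session.getAttribute(AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY);
  String reason = (lastFailure != null) ? lastFailure.getMessage() : null;
  if (lastFailure != null) {
    // Consume the stored failure so a refresh or a later visit does not repeat it.
    session.removeAttribute(AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY);
  }
  // "reason" is a page-scoped name chosen for this example.
  pageContext.setAttribute("reason", reason);
%>
<c:if test="${not empty param.login_error}">
  <tr><td colspan="2"><font color="red">
    Your login attempt was not successful, try again.<br>
    <c:if test="${not empty reason}">
      <%-- c:out escapes the text, so the message cannot inject markup into the page --%>
      Reason: <c:out value="${reason}"/>
    </c:if>
  </font></td></tr>
</c:if>
```

Acegi's failure exceptions (for example BadCredentialsException and LockedException) carry different messages. If telling a visitor why a login failed is not acceptable in your deployment, replace the c:out of the message with one fixed sentence and keep the detailed reason in the server log only.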

Step 2. If authentication is successful, the request is forwarded to the application's home page (index.jsp).

Listing 16. index.jsp

<html>

<body>
<p><a href="secure/createOrder.jsp">Create Order</a>
<p><a href="secure/authorizeOrder.jsp">Authorise Order</a>
</body>
</html>

Step 3. If the user doesn't have access to a page, the accessDenied.jsp page, shown in Listing 17, is displayed.

Listing 17. accessDenied.jsp

<html>
<body>
<h1>Access Denied.</h1>

</body>
</html>

Step 4. Users with the ROLE_TECHNICIAN role can create orders via createOrder.jsp, shown in Listing 18. This functionality is not available for users with the ROLE_ADMIN role.  

Listing 18. order/createOrder.jsp

<%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
<html>
<head></head>
<body>
<h1>Welcome: <%= SecurityContextHolder.getContext().getAuthentication().getName() %></h1>
<p><a href="/">Home</a>

<p><a href="/j_acegi_logout">Logout</a>
<!-- Create Order screen content goes here -->
...
...
</body>
</html>

Step 5. Conversely, users with the ROLE_ADMIN role can authorize the created order, using authorizeOrder.jsp (shown in Listing 19). This functionality isn't available for users with the ROLE_TECHNICIAN role.

Listing 19. order/authorizeOrder.jsp

<%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
<html>
<head></head>
<body>
<h1>Welcome: <%= SecurityContextHolder.getContext().getAuthentication().getName() %> is an Admin</h1>

<p><a href="/">Home</a>
<p><a href="/j_acegi_logout">Logout</a>
<!-- Authorise Order screen content goes here -->
...
...
</body>
</html>


You can test the configuration by logging in first as james and then as smith. Because james has the ROLE_TECHNICIAN role, he can access createOrder.jsp. But when he tries to access authorizeOrder.jsp, he gets the accessDenied.jsp page. On the other hand, smith can access authorizeOrder.jsp but can't access createOrder.jsp, because she belongs to the ROLE_ADMIN role.
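Listing 16 shows both order links to every user, so james and smith each see a link that leads them to accessDenied.jsp. As an added example (not part of the article), here is a role-aware version of index.jsp that uses the Acegi authz tag library to show each link only to the role that may follow it, and that renders links through c:url so they work when the application is deployed under a context path. It assumes the Acegi 1.0.x authz taglib (URI http://acegisecurity.org/authz) and the secure/ paths of Listing 16. Hiding a link is a usability measure only: what actually denies james access to authorizeOrder.jsp is the server-side filter configuration, so the links may be hidden but the URL patterns must still be protected.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="authz" uri="http://acegisecurity.org/authz" %>
<html>
<body>
<%-- Added example: show the signed-in name without a scriptlet --%>
<p>Signed in as <authz:authentication operation="username"/></p>

<%-- Each link is rendered only for a role the filter chain would let through.
     The authorization decision itself is made server-side on the /secure/** URLs. --%>
<authz:authorize ifAnyGranted="ROLE_TECHNICIAN">
  <p><a href="<c:url value='/secure/createOrder.jsp'/>">Create Order</a>
</authz:authorize>
<authz:authorize ifAnyGranted="ROLE_ADMIN">
  <p><a href="<c:url value='/secure/authorizeOrder.jsp'/>">Authorise Order</a>
</authz:authorize>

<%-- An authenticated user holding neither role sees an explanation instead of a dead link --%>
<authz:authorize ifNotGranted="ROLE_TECHNICIAN,ROLE_ADMIN">
  <p>No order functions are available for your account.</p>
</authz:authorize>

<%-- c:url prefixes the context path, unlike the absolute /j_acegi_logout in Listings 18 and 19 --%>
<p><a href="<c:url value='/j_acegi_logout'/>">Logout</a>
</body>
</html>
```

With this page, james (ROLE_TECHNICIAN) sees only Create Order and smith (ROLE_ADMIN) sees only Authorise Order; typing the other URL by hand still ends at accessDenied.jsp because the filter chain, not the page, enforces the rule.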
