How to fix Tomcat access to the requested resouce which has been denied?

Jeff Levine picture Jeff Levine · Aug 21, 2013 · Viewed 36k times · Source

Update: The code works correctly when the <auth-constraint> element is removed completely. Can anyone explain why it doesn't work when present?

I'm writing some code to practice securing a servlet in the deployment descriptor, and I'm getting the following in the browser:

HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.42

Any thoughts as to what I'm doing wrong? I've done some searching through prior posts, and it seems as though there may have been updates to the role names in Tomcat 7 - I've played with this, but with no success so far. (Code below).

web.xml

<?xml version="1.0" ?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee    
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<servlet>
    <servlet-name>CheckedServlet</servlet-name>
    <servlet-class>webcert.ch05.ex0502J.CheckedServlet</servlet-class>
    <security-role-ref>
        <role-name>MGR</role-name>
        <role-link>manager</role-link>
    </security-role-ref>
</servlet>
<servlet-mapping>
    <servlet-name>CheckedServlet</servlet-name>
    <url-pattern>/CheckedServlet</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>CheckedServletConstraint</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>manager</role-name>
</security-role>

CheckedServlet.java

package webcert.ch05.ex0502J;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.*;

public class CheckedServlet extends HttpServlet{

protected void doPost(HttpServletRequest request, HttpServletResponse response) 
        throws ServletException, IOException {
    doGet(request, response);
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException{

    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.write("<html><head><title>CheckedServlet</title></head><body>");

    String userMessage;
    Principal user = request.getUserPrincipal();
    if(user == null)
        userMessage = "Access denied.";
    else
        userMessage = "Access granted.";

    out.write("<br>" + userMessage + " Principal name is " + user +
              "<br>If authorized, you should see some more text below:");

    if(request.isUserInRole("manager"))
        out.write("<br>Here's some super secret extra text since your " +
                "role is manager.");

    out.write("</body></html>");
    out.flush();
    out.close();
}
}

Answer

Alan C. S. picture Alan C. S. · Oct 9, 2014

If you enable security for you web application (as you have done by adding the <security-constraint> clause to web.xml), you also need to define corresponding users/roles/passwords in tomcat-user.xml. This file is usually located in the conf folder of the tomcat installation. Here are the sample lines that you can add to your installation's tomcat-user.xml file:

<role rolename="MGR"/>  
<user password="mypassword" roles="MGR" username="user1"/>
<user password="mypassword2" roles="MGR" username="user2"/>

Now, when you access your application, instead of getting the status 403 error message, your application will instead prompt you to enter a userid / password using HTTP Basic Auth. You should then be able to successfully login if you use one of the above userids.