Tomcat 6, Securing the Admin Pages in web.xml

To the right of the top menu on the siark.com website is the ‘admin’ link that accesses the administration (create, update and delete) pages. The hierarchy of the pages are such that the admin pages are in a series of admin directories (the admin pages for the galleries are in /gallery/admin, the admin pages for the keywords are in /keyword/admin and so on). Therefore it is necessary to restrict access to any pages to all of the admin subdirectories. This restriction is done by specifying security settings in the web-xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
	version="2.5">
	<display-name>igallery</display-name>
	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
	<servlet>
		<servlet-name>igallery</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<init-param>
			<param-name>contextConfigLocation</param-name>
			<param-value>
				/WEB-INF/igallery-servlet.xml
			</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>igallery</servlet-name>
		<url-pattern>*.html</url-pattern>
	</servlet-mapping>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Admin Security</web-resource-name>
			<url-pattern>/gallery/admin/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>myrole</role-name>
		</auth-constraint>
	</security-constraint>
	<login-config>
		<auth-method>BASIC</auth-method>
	</login-config>
	<security-role>
		<role-name>myrole</role-name>
	</security-role>
</web-app>

As I am using Tomcat 6, I can simply specify user and role information in the tomcat-users.xml file. To do this from the server instance in Eclipse, expand the ‘Servers’ directory in the ‘Project Explorer’, then expand the appropriate server, and you’ll see the file. There are sample roles and users in the file already. Create a role to match the role used in the web.xml file (in this case myrole).

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
	<role rolename="myrole" />
	<user username="myuser" password="mypassword" roles="myrole" />
</tomcat-users>

Note: It’s possible to specify the HTTP methods in the web.xml web-resource-collection, however this will mean that *only* these methods to the url-pattern specified will be secured and other methods will be unsecured (see http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf).

Javadoc for Maven Dependencies in Eclipse Helios

To be able to view Javadoc for classes packaged in Maven dependencies in Eclipse, go to the Java Resources -> Libraries -> Maven Dependencies in the project and right click on one of the dependencies listed. From the ‘Maven’ menu option choose ‘Download Sources’ and both source and Javadoc will be downloaded. Note that choosing the ‘Javadoc’ option didn’t seem to download the Javadoc!

Web MVC Project using Spring Framework 3 Eclipse Helios and Maven 2 on OS X Snow Leopard

I want to create the simplest of webapps using Spring Framework 3 and JSP documents. The version of JSP is 2.1 as that is the version used by Tomcat 6.

1 Update the pom.xml with the Spring Framework dependencies.

<project xmlns="http://maven.apache.org/POM/4.0.0" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>com.siark.igallery</groupId>
	<artifactId>igallery</artifactId>
	<packaging>war</packaging>
	<version>1.0-SNAPSHOT</version>
	<name>Siark iGallery Webapp</name>
	<url>http://www.siark.com</url>
	<dependencies>
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>3.8.1</version>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-core</artifactId>
			<version>${org.springframework.version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-web</artifactId>
			<version>${org.springframework.version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${org.springframework.version}</version>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>jstl</artifactId>
			<version>1.2</version>
		</dependency>
	</dependencies>
	<build>
		<finalName>igallery</finalName>
		<plugins>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-compiler-plugin</artifactId>
				<configuration>
					<source>1.5</source>
					<target>1.5</target>
				</configuration>
			</plugin>
		</plugins>
	</build>
	<properties>
		<org.springframework.version>3.0.4.RELEASE</org.springframework.version>
	</properties>
</project>

2 Update the web.xml file to include the Spring Framework Dispatcher Servlet.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
	version="2.5">
	<display-name>igallery</display-name>
	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
	<servlet>
		<servlet-name>igallery</servlet-name>
			<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>igallery</servlet-name>
		<url-pattern>*.html</url-pattern>
	</servlet-mapping>
</web-app>

The Dispatcher Servlet handles requests to all resources that have the extension html. The DispatcherServlet class is in the spring-webmvc artifact.

3 I want the JSP pages to be in the WEB-INF/jsp directory. As this directory is not part of the public hierarchy, the welcome page (index.jsp) must redirect to the home page (home.html) which is then intercepted by the Spring Framework Dispatcher servlet.

<?xml version="1.0" encoding="ISO-8859-1" ?>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" info="siark.com home page" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
		<title>siark.com home</title>
	</head>
	<body>
		<%-- Redirected because we can't set the welcome page to a virtual URL. --%>
		<c:redirect url="home.html" />
	</body>
</html>

4 The Spring Framework Web MVC uses a special file to configure it’s web application context and is based on the servlet name assigned to the dispatcher servlet (igallery). This file then is igallery-servlet.xml and by default is in the WEB-INF directory.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:p="http://www.springframework.org/schema/p"
	xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
		http://www.springframework.org/schema/context 
		http://www.springframework.org/schema/context/spring-context-3.0.xsd">
	
	<context:component-scan base-package="com.siark.igallery" />
	
	<bean id="viewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver">
		<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
		<property name="prefix" value="/WEB-INF/jsp/"/>
		<property name="suffix" value=".jspx"/>
	</bean>
</beans>

This minimal web application context configuration file includes an entry to enable auto-detection of annotated controllers and an entry to configure the view resolver.

5 The controller for the home page is as simple as possible and just handles an HTTP GET request.

package com.siark.igallery.web;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

@Controller
@RequestMapping("/home")
public class HomeController {
	
	protected final Log logger = LogFactory.getLog(getClass());
	
	/**
	 *
	 */
	@RequestMapping(method=RequestMethod.GET)
	public void get() {
		logger.info("Returning the home view.");
	}
}

The Controller annotation is in the spring-context artifact and the RequestMapping and RequestMethod annotations are in the spring-web artifact.

6 The home page itself is home.jspx and is in the WEB-INF/jsp directory. It is a JSP document.

<?xml version="1.0" encoding="ISO-8859-1" ?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" 
		xmlns:c="http://java.sun.com/jsp/jstl/core"
		xmlns:fmt="http://java.sun.com/jsp/jstl/fmt"
		version="2.0">
    <jsp:directive.page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" />
    <!-- According to the W3C XHTML 1.0 Recommendation, an XML declaration is not required, but authors are strongly encouraged to use XML declarations in documents. -->
    <jsp:text>
        <![CDATA[ <?xml version="1.0" encoding="ISO-8859-1" ?> ]]>
    </jsp:text>
    <!-- According to the W3C XHTML 1.0 Recommendation, there must be a DOCTYPE declaration prior to the root element. -->
    <jsp:text>
        <![CDATA[ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> ]]>
    </jsp:text>
	<html xmlns="http://www.w3.org/1999/xhtml">
		<head>
			<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
		</head>
		<body>
			<p>Welcome to the siark.com website.</p>
		</body>
	</html>
</jsp:root>

A Simple Web Application in Eclipse

A web application contains a structured hierarchy of directories. The root of the directory hierarchy is known as the document root. The WEB-INF diretory is special directory within the directory hierarchy that is not part of the public hierarchy of directories. The contents of the WEB-INF directory include the web.xml deployment descriptor file, a classes directory and a lib directory.

When a web application is packaged as a WAR file, a META-INF directory is included in the root of the directory hierarchy.

Tomcat 6 supports the Servlet 2.5 specification. The web.xml file for a web application deployed to Tomcat 6 must contain as a minimum a web-app element. However, to create the first page of the siark.com website I want to include an index.jsp page that will be used as a welcome file.

1 Create the web.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
	version="2.5">
	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
</web-app>

2 Create the index.jsp file in the root of the directory hierarchy (src/main/webapp).

<?xml version="1.0" encoding="ISO-8859-1" ?>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" info="siark.com home page" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
		<title>siark.com home</title>
	</head>
	<body>
		<p>Welcome to the siark.com website.</p>
	</body>
</html>

To deploy and run the project, right click on the igallery project in the ‘Project Explorer’ view. Select ‘Run on Server’ from the ‘Run As’ menu item. Select the server created. Eclipse will deploy the igallery web app to the server and a browser tab will open in the Eclipse workbench displaying the landing page of the web app.

Creating a Simple Maven 2 Webapp in Eclipse

1 The first component to create is the pom.xml file. An easy way to generate a simple pom.xml file is to use the Maven 2 Archetype plugin to generate a basic Maven 2 project. By default the plugin operates in interactive, so a sequence of questions must be answered to generate the project (This Maven 2 plugin could have been used to generate the original iGallery project that was committed to Subversion in the post Configuring Subversion with Apache on OS X Snow Leopard).

$ cd ~/Development
$ mvn archetype:generate
Choose archetype:
...
82: remote -> maven-archetype-webapp (An archetype which contains a sample Maven Webapp project.)
...
Choose a number: 79:82
Choose version:
...
5: 1.0
Choose a number: 5:5
Define value for property 'groupId': :com.siark.igallery
Define value for property 'artifactId': :igallery
Define value for property 'version': 1.0-SNAPSHOT:
Define value for property 'package': com.siark.igallery:
Confirm properties configuration:
groupId: com.siark.igallery
artifactId: igallery
version: 1.0-SNAPSHOT
package: com.siark.igallery
Y:

3 Copy the contents of the pom.xml in the ~/Development/igallery directory to the empty pom.xml in the igallery Eclipse project.

4 In Eclipse, open the ‘Team Synchronising’ perspective from the ‘Window -> Open Perspective -> Other…’ dialog box.

3 Click the ‘Synchronize’ button to display the ‘Synchronize’ dialog. Select the ‘SVN’ option and press the ‘Next >’ button.

4 On the next ‘Synchronise’ dialog choose the ‘igallery’ project from the ‘Availible resources to Synchronize:’ section. Click the ‘Finish’ button. The igallery project should appear in the ‘Synchronise’ tab of this perspective.

5 The pom.xml file should be listed under the igallery project in the ‘Synchronize’ tab. Right click the pom.xml file and choose ‘Commit…’. In the dialog box that appears, enter a suitable comment to accompany the commit and press the ‘ok’ button.

6 To build the project using the m2eclipse Eclipse plugin, from the Java EE perspective right click the igallery project in the ‘Project Explorer’ and choose ‘Maven package’ from the ‘Run As’ menu item. This will generate a ‘target’ directory in the igallery directory containing amongst other things an igallery.war file. The ‘package’ Maven 2 lifecycle phase does everything except integration tests, installing the WAR file into the repository and deploying the WAR file to Tomcat.

Checking out a Project using Subclipse and Creating a new Server Runtime

Checking out the igallery project using Subclipse amd Creating a new Server Runtime.

1 Go to the SVN Repositories view. The ‘repos’ repositry set up earlier should be visible (http://siark-desktop.local/svn/repos). Click on the grey triangle to the left of the repository to expand it so that the ‘igallery’ project is visible, then expand ‘igallery’ so that ‘trunk’ is visible.

2 Right click ‘trunk’ and select ‘Checkout…’ On the first dialog box, the ‘Checkout from SVN’ dialog, leave all the options as they are and just click ‘Finish’ to checkout the project using the ‘New Project Wizard’.

3 The next dialog box is the ‘New Project’ dialog. Expand the ‘Web’ option and select the ‘Dynamic Web Project’ (a dynamic projects include resources such as Servlets and JSP files, wheras static projects just contain resources such as HTML files). Click on the ‘Next >’ button.

4 The next dialog box is the first ‘New Dynamic Web Project’ wizard dialog. Give the project a name. I’m using the name ‘igallery’. In the ‘Target Runtime’ section, press the ‘New Runtime…’ button.

5 On the ‘New Server Runtime Environment’ dialog box, select ‘Apache Tomcat v6.0’ from the expanded ‘Apache’ option. Check the ‘Create a new local server’ option so that a server is added to the ‘Servers’ view. Click the ‘Next >’ button.

6 On the next ‘New Server Runtime Environment’ dialog box, click the ‘Browse…’ button and select the Tomcat installation directory (/Library/Tomcat/Home), then click the ‘Finish’ button.

7 Back on the ‘New Dynamic Web Project’ wizard dialog, the ‘Dynamic web module version’ should be set to 2.5 (Tomcat 6 implements the Servlet 2.5 spec). Select ‘Minimal Configuration’ in the ‘Configuration’ section. Click the ‘Next >’ button.

8 On the second ‘New Dynamic Web Project’ wizard dialog, delete ‘src’ from the “Source folders on build path:’ and add ‘src/main/java’ and ‘src/test/java’ then click the ‘Next >’ button.

9 On the third and last ‘New Dynamic Web Project’ wizard dialog, change the ‘Content directory:’ to ‘src/main/webapp’. Click the ‘Finish’ button.

Subclipse Installation on Eclipse Helios

As I’m using Subversion for my source control and Eclipse for my editing, it made sense to install the Eclipse Subclipse plugin for Subversion. I have installed Eclipse Helios (more specifically Eclipse IDE for Java EE Developers Helios 3.6 for Mac OS X Cocoa 64 bit). It’s pretty easy to install Subclipse, I used the Eclipse Marketplace and searched for subclipse.