9.6. Testing Secure JSPs
We've taken a lot of steps to get here, but we're now ready to take our new secure web site for a test drive. First, let's try to access one of the protected JSPs directly. Here are the steps to build and deploy the application:
The Servlet container should re-direct you to the login page and you'll see the login page, /login.jsp, as shown in Figure 9-3.
Figure 9-3. JAW Motors Login page
When the user presses the "Save" button, the browser sends the user ID and password to the Servlet Container, which validates the user's credentials against a security realm. If the user logs in successfully, the Servlet container takes him to the "Car Inventory" page. You'll notice that no cars are displayed because we bypassed the Controller Servlet that pulls the cars from the database before rendering the page. Otherwise, the container sends the user to the login error page, /loginError.jsp as depicted in Figure 9-4.
Figure 9-4. JAW Motors Login Error page
The user can either return to the login page to try another user ID and password or go back to the JAW Motors home page.
We have now successfully locked down the administrative pages, but this isn't good enough. Now exit the browser (to end your session) and re-start your browser. Try to use the JAW Motors web site by visiting the home page: http://localhost:8080/jaw, as shown in Figure 9-5.
Figure 9-5. JAW Motors Home page
The "View Inventory" link is new and takes you to a read-only version of the JAW Motors Inventory page. Think of the new link and page as you would a control group for an experiment. We want to make sure that the non-secure pages remain accessible without logging in, and that the secure pages require you to log in before reaching them.
Use the site like you normally would, and don't circumvent the Controller with direct URLs to the protected pages. Click on the "Modify Inventory" link from the home page, and you'll go directly to the Car Inventory page where you can add, edit, or delete cars in the inventory. You've just bypassed all the security we've added. At this point, you may wonder why we bothered with the extra infrastructure if we're still unprotected. What went wrong? The JAW Motors web site doesn't consist only of raw JSPs; it uses an MVC framework to control page flow. We have more work to do: we need to protect the URLs for administrative actions that enable the user to add, edit, or delete cars.
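The bypass above comes down to how the container matches requests against the URL patterns in web.xml. As an added illustration (not code from the book or the JAW Motors project), the following Python models that matching: only the context-relative path of a client request is compared, so a Controller URL that is not itself constrained reaches the protected JSP through a server-side forward. The URL patterns and sample URLs are constructed assumptions, not the book's actual web.xml.

```python
from urllib.parse import urlsplit

# Constructed constraint set, modelled on web.xml <url-pattern> entries
# (hypothetical: the chapter's real web.xml is not reproduced here).
PROTECTED_PATTERNS = ["/carInventory.jsp", "/editCar.jsp", "/admin/*"]
CONTEXT_ROOT = "/jaw"


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec style matching: exact, path prefix (/x/*), or extension (*.jsp)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def requires_login(url: str, patterns=PROTECTED_PATTERNS, context_root=CONTEXT_ROOT) -> bool:
    """True if the container would challenge this *client* request.

    Only the request path is consulted: the query string (e.g. ?action=deleteCar)
    and any RequestDispatcher.forward() the Controller performs afterwards are
    never checked against the constraints, which is exactly the gap in the text.
    """
    path = urlsplit(url).path
    if path.startswith(context_root):
        path = path[len(context_root):] or "/"
    return any(pattern_matches(p, path) for p in patterns)


def audit(urls):
    """Map each URL to whether the current constraints protect it."""
    return {u: requires_login(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample requests: direct JSP hit, Controller bypass, public page,
    # and a hypothetical admin-only Controller mapped under the protected prefix.
    for url, protected in audit([
        "http://localhost:8080/jaw/carInventory.jsp",
        "http://localhost:8080/jaw/controller?action=deleteCar",
        "http://localhost:8080/jaw/index.jsp",
        "http://localhost:8080/jaw/admin/controller?action=deleteCar",
    ]).items():
        print(f"{'LOGIN REQUIRED' if protected else 'open          '}  {url}")
```

Running the audit shows the direct JSP request challenged while the Controller URL carrying the same admin action is open; routing admin actions under a constrained prefix (the last URL) is one way the constraint can cover them.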