8 Replies Latest reply: Jan 26, 2010 7:42 AM by 843789

    Enforcing security in web applications?

    801450
      Hello,
      I am fairly new to Java. I just need some advice from you. Suppose I defined roles in my web.xml and also configured the login and error pages. Now, when an unauthenticated user comes to the site, the login page is displayed. Then the user enters a username and password. But how do I determine from the username and password that the user belongs to the role which actually has access to the resource?
      Usernames and passwords are stored in a MySQL database.

      Thanks in advance :)
        • 1. Re: Enforcing security in web applications?
          798906
          You need to store the association between a user and zero, one, or more than one valid role.

          I suggest you Google for Tomcat realms; even if you are not using Tomcat, it will give you a good idea of how to do this. Your database may look something like this:
          create table users (
            user_name         varchar(15) not null primary key,
            user_pass         varchar(15) not null
          );
            
          create table user_roles (
            user_name         varchar(15) not null,
            role_name         varchar(15) not null,
            primary key (user_name, role_name)
          );
          • 2. Re: Enforcing security in web applications?
            801450
            Yes, I know the database structure. But my point is, if I need to store all roles and usernames in the database, then what did we add them to web.xml for? Also, do I need to write if-then logic in each and every page? Like "if the user is admin then true else false" and all these silly things?
            • 3. Re: Enforcing security in web applications?
              798906
              What you are talking about is called declarative security. You map the security policy in the web.xml file (usually) using <security-constraint> etc, and at runtime the servlet container uses that security policy to enforce authentication and authorization. This is part of the servlet specification, a version of which your servlet container will implement.
              • 4. Re: Enforcing security in web applications?
                801450
                OK! Thanks, friend.
                Now, let's take a general scenario. You tell me how to do that in Java. When a user tries to access an unauthorized resource, he is sent to the login page (this part I have already done using declarative security). But now, when he clicks login, what process should I follow?
                First I should check in the database, and if he is admin he should be allowed to browse. Here, I would like to ask how we get the return URL.
                Eg. user is browsing http://www.xyz.com/admin/foofoo.jsf
                Now, after the admin successfully logs in, he should be redirected to foofoo.jsf and not to the default URL of Admin, e.g. admin/index.jsf?

                Also, how does the server know whether the user is now authenticated? I mean, if the user again tries to browse an admin resource, won't he be redirected to the login page again? And to prevent that, do we need to store something in the session as a flag, so that we can know whether the user is authenticated and authorized or not? And if yes, then do we need to write this silly if-then logic on each and every page? This is not a good solution.

                Please, I am a beginner; maybe my questions are too silly, but that's the way you learn.
                • 5. Re: Enforcing security in web applications?
                  843789
                  Salman4u wrote:
                  Usernames and passwords are stored in mysql database.
                  Normally you don't store the password itself in a database. It's better to store the hash of the salted password.

                  See here:
                  http://en.wikipedia.org/wiki/Password#Form_of_stored_passwords
                  http://en.wikipedia.org/wiki/Salt_(cryptography)
                  • 6. Re: Enforcing security in web applications?
                    DrClap
                    You're on the right track. But your questions about "do I have to do this on every single page" just show you haven't heard about Filters yet.
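                    Added example (not code from the thread or from any particular container): a servlet Filter that does in one place what replies 4 and 6 discuss. It assumes the users/user_roles tables from reply 1 behind a hypothetical RoleDao.rolesFor(name), that the login servlet sets the session attribute "user" after a successful salted-hash check and reads "returnTo" to redirect back to the originally requested page, and that the login page lives at /login.jsf; all of these names are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this in web.xml with <filter-mapping> on <url-pattern>/admin/*</url-pattern>
// so every admin page is protected without per-page if/then code.
// Assumed (not from the thread): the login servlet stores the user name in
// session attribute "user", and RoleDao.rolesFor(name) reads user_roles.
public class AdminRoleFilter implements Filter {
    private static final String REQUIRED_ROLE = "admin";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String user = (String) session.getAttribute("user");

        if (user == null) {
            // Not authenticated: remember the requested page, then go to login.
            // getRequestURI() is the server-side path, so "returnTo" is always
            // local to this application and cannot be turned into an open redirect.
            String returnTo = request.getRequestURI();
            if (request.getQueryString() != null) {
                returnTo += "?" + request.getQueryString();
            }
            session.setAttribute("returnTo", returnTo);
            response.sendRedirect(request.getContextPath() + "/login.jsf");
            return;
        }

        // Authenticated: look the roles up once per login and keep them in the session.
        Set<String> roles = (Set<String>) session.getAttribute("roles");
        if (roles == null) {
            roles = RoleDao.rolesFor(user);   // hypothetical DAO over user_roles
            session.setAttribute("roles", roles);
        }
        if (!roles.contains(REQUIRED_ROLE)) {
            // Logged in but not an admin: refuse, do not bounce to login again.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

                    After a successful login the login servlet should redirect to the "returnTo" attribute (falling back to /admin/index.jsf when it is absent) and remove it from the session.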
                    • 7. Re: Enforcing security in web applications?
                      801450
                      Oh, thanks.
                      It was just a guess. Then what about JDBCRealm? I was just about to do that.
                      • 8. Re: Enforcing security in web applications?
                        801450
                        Please, somebody tell me: should I manually check for authentication using filters, or should I go for JDBCRealm?