Chapter 14
How to restrict access to a web resource
Java Servlets and JSP, Chapter 14
© 2003, Mike Murach & Associates, Inc.
Slide 1
Objectives
Applied
• Use container-managed security and the JDBC realm to restrict access to specific portions of your web applications.
Knowledge
• In general terms, describe the use of the web.xml file, the server.xml file, and the database tables for container-managed security that uses the JDBC realm.
• Distinguish between basic authentication and form-based authentication.
A restricted web resource
The security constraint and authentication type in the web.xml file
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/admin14/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>service</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Basic Authentication</realm-name>
</login-config>
An introduction to authentication
• One way to restrict access to specific directories or files is to let Tomcat implement container-managed security.
• Although you can write servlets and JSPs that implement security themselves, it's usually easier, and less error-prone, to let the container manage authentication for you.
• To restrict access to a web resource, you code a security constraint in the application's web.xml file that specifies the files or directories you want to restrict and the roles that are allowed to reach them.
• To let authorized users in, you also specify which authentication method (basic, digest, form-based or client certificate) the web application uses to check a username and password.
Basic authentication
• Causes the browser to display a dialog box like the one shown in the previous figure.
• Sends the username and password Base64-encoded, not encrypted, in the Authorization header of every request. Base64 is trivially reversible, so anyone who can read the traffic recovers them unless the connection uses SSL/TLS.
• Is supported by virtually all browsers.
Digest authentication
• Causes the browser to display a dialog box like the one shown in the previous figure.
• Sends an MD5 hash of the username, password, realm and a server-supplied nonce instead of the password itself. The password never crosses the wire, but the scheme still isn't as secure as an SSL/TLS connection: MD5 is weak, a captured response can be replayed until the nonce changes, and the server must keep the password (or an equivalent hash of it) for every user in order to verify the response.
• Had limited browser support when this chapter was written (the original text lists only Internet Explorer); all current mainstream browsers support it.
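To make the difference between the two schemes concrete, here is an added example (not code from the book) that builds what the browser actually puts on the wire for basic and for digest authentication and what the server needs in order to check it. The credentials are the chapter's sample user andrea/dime10 and the realm name is the chapter's "Admin Login"; the nonce and client nonce are made-up constants.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the book: the credentials are
# the ones the chapter inserts into the users table, the realm name is the
# one the chapter's web.xml uses, and the nonces are made up.
USER, PASSWORD, REALM = "andrea", "dime10", "Admin Login"
NONCE, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"


def encode_basic(user: str, password: str) -> str:
    """What the browser puts in the Authorization header for BASIC auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header_value: str) -> tuple[str, str]:
    """Recover the cleartext credentials from a Basic header value.

    Base64 is an encoding, not encryption: no key is needed to reverse it,
    so anyone who can read the traffic (or a proxy log that records
    headers) gets the password. That is why BASIC needs SSL/TLS.
    """
    scheme, token = header_value.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """H(A1) from RFC 2617. The server must hold this value (or the password
    itself) for every user, which is one reason DIGEST is weaker than a
    salted password hash behind TLS."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """The 'response' value the browser sends (qop=auth). Only hashes cross
    the wire; the nonce is what stops a response being reused forever."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored H(A1) and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both schemes against the same credentials; return what went on the wire."""
    basic = encode_basic(USER, PASSWORD)
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, "GET", "/admin14/", NONCE, "00000001", CNONCE)
    return {
        "basic_header": basic,
        "basic_recovered": decode_basic(basic),   # password back in the clear
        "digest_response": resp,
        "digest_ok": digest_verify(ha1, "GET", "/admin14/", NONCE, "00000001", CNONCE, resp),
        "password_on_wire": PASSWORD in resp,      # False: only a hash is sent
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that decode_basic needs no secret at all, while digest_verify only works because the server keeps H(A1) for each user; neither scheme gives you confidentiality or integrity for the rest of the request, which is what SSL/TLS adds.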
Form-based authentication
• Allows the developer to code a login form (an HTML page, JSP or servlet) that gets the username and password, so the login page can look like the rest of the application.
• Sends the username and password as ordinary form fields, in clear text; like basic authentication, it needs SSL/TLS to protect them.
• Is supported by every browser, since it uses nothing but a normal HTML form and the session cookie.
How to set a security constraint in the web.xml file
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/admin14/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>service</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
The elements used to create a security constraint

<security-constraint>
    Creates a security constraint for one or more web resources.
<web-resource-collection>
    Specifies a collection of web resources that the security constraint restricts access to.
<web-resource-name>
    Specifies a name for the collection of web resources.
<url-pattern>
    Specifies the URL pattern for the web resources that you wish to restrict access to: an exact path, a path prefix such as /admin14/*, or an extension such as *.jsp.
<http-method>
    Specifies the HTTP methods that require authentication. If no HTTP method is specified, the constraint covers all HTTP methods. If you do list methods, every method you leave out (HEAD, PUT, DELETE, OPTIONS and so on) stays unprotected, so it is usually safer to omit this element altogether.
<auth-constraint>
    Specifies the roles that are permitted to access the restricted web resources. An <auth-constraint> that lists no <role-name> denies everyone; leaving <auth-constraint> out entirely lets everyone in.
<role-name>
    Specifies a valid user role that's permitted access to the web resource.
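The constraint-matching rules above are easy to get wrong, in particular the effect of listing HTTP methods. The following is an added example, not code from the book or from Tomcat, that models how a container decides whether a request falls under a <security-constraint>: URL-pattern matching (exact, /prefix/* and *.ext), the method filter, and the servlet specification's rule for combining overlapping constraints (union of roles, an empty <auth-constraint> denies everyone, a missing one opens the resource). The two constraint objects mirror the chapter's web.xml; the request paths and the probe list of methods are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SecurityConstraint:
    """One <security-constraint>. roles=None means no <auth-constraint>
    (anyone may pass); roles=[] means an empty <auth-constraint> (nobody may)."""
    url_patterns: list[str]
    roles: list[str] | None
    http_methods: list[str] = field(default_factory=list)  # [] = every method


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec style URL matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern == "/":                       # default pattern catches everything
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def applies(c: SecurityConstraint, method: str, path: str) -> bool:
    """True when the request falls under this constraint at all."""
    if not any(pattern_matches(p, path) for p in c.url_patterns):
        return False
    return not c.http_methods or method.upper() in {m.upper() for m in c.http_methods}


def decide(constraints: list[SecurityConstraint], method: str, path: str,
           user_roles: set[str] | None) -> str:
    """Return 'allow', 'login' (no authenticated user yet: 401 or a redirect to
    the login form) or 'forbidden' (403). Overlapping constraints combine the
    way the servlet spec describes: union of roles, except that an empty
    <auth-constraint> overrides everything and a missing one opens the resource."""
    hits = [c for c in constraints if applies(c, method, path)]
    if not hits:
        return "allow"
    if any(c.roles == [] for c in hits):
        return "forbidden"
    if any(c.roles is None for c in hits):
        return "allow"
    if user_roles is None:
        return "login"
    allowed = set().union(*(c.roles for c in hits))
    return "allow" if allowed & user_roles else "forbidden"


# The chapter's constraint, with GET and POST listed explicitly.
CHAPTER_CONSTRAINT = SecurityConstraint(
    url_patterns=["/admin14/*"], roles=["service", "admin"],
    http_methods=["GET", "POST"])

# The same constraint with <http-method> omitted, which covers every method.
ALL_METHODS_CONSTRAINT = SecurityConstraint(
    url_patterns=["/admin14/*"], roles=["service", "admin"])


def verb_tampering_gap(c: SecurityConstraint,
                       path: str = "/admin14/index.jsp") -> list[str]:
    """Methods with which an anonymous request reaches `path` under constraint c."""
    probes = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO"]
    return [m for m in probes if decide([c], m, path, None) == "allow"]


if __name__ == "__main__":
    page = "/admin14/index.jsp"
    print("anonymous GET:", decide([CHAPTER_CONSTRAINT], "GET", page, None))
    print("doug (no roles):", decide([CHAPTER_CONSTRAINT], "GET", page, set()))
    print("joel (admin):", decide([CHAPTER_CONSTRAINT], "GET", page, {"admin"}))
    print("open methods, GET/POST listed:", verb_tampering_gap(CHAPTER_CONSTRAINT))
    print("open methods, none listed:", verb_tampering_gap(ALL_METHODS_CONSTRAINT))
```

Whether a real servlet's doGet answers a HEAD request, and whether Tomcat lets an unknown method through, depends on the server; the model shows what the constraint itself promises, which is why the chapter's GET/POST listing is a weaker constraint than one with no <http-method> at all.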
The Realm elements in the server.xml file
<!--
<Realm className="org.apache.catalina.realm.MemoryRealm"/>
-->
<!-- Replace the above Realm with one of the following to get a Realm
     stored in a database and accessed via JDBC -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       debug="99"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/murach?user=root;password="
       userTable="users" userNameCol="user_name"
       userCredCol="user_pass" userRoleTable="user_roles"
       roleNameCol="role_name" />
How to set the Realm element in the server.xml file
• Comment out the Realm element that specifies MemoryRealm.
• Remove the comments from the Realm element that specifies JDBCRealm.
• If necessary, modify the driverName attribute so it specifies the database driver that you're using.
• If necessary, modify the connection URL to the URL of your database, and provide a username and password for an account that has read-only access to the users and user_roles tables. Don't use the database root account with an empty password as the example does: these credentials sit in clear text in server.xml, and anyone who can read that file would otherwise own the whole database server. With MySQL's Connector/J driver the URL parameters are separated by & (written &amp; inside XML).
• If necessary, modify the attributes for the table and column names so they match the tables and columns that your database will use. In the next figure, you'll see how to create the tables with the column names shown above.
How to implement the JDBC realm
• A realm is a mechanism that's used to authenticate users so they can access web resources that have been restricted.
• Although Tomcat provides for three types of realms, the JDBC realm is the one that's used the most. In contrast, the memory realm, which reads users and clear-text passwords from tomcat-users.xml, should only be used for testing purposes.
• Tomcat's JDBC realm uses a database to check a user's name and password against a table of valid user names and passwords. In addition, the JDBC realm associates one or more roles with each user, which lets you grant access to any user that's associated with a certain role.
• By default the realm compares the submitted password with the stored column as clear text, so the users table holds every password in the clear. Adding a digest attribute to the Realm element (for example digest="SHA" or digest="MD5") makes Tomcat hash the submitted password before comparing it, so the table can hold hex-encoded hashes instead; the user_pass column then has to be wide enough for the hash (40 characters for SHA-1).
• For the JDBC realm to work, the database driver that's specified in the server.xml file must be stored in Tomcat's common\lib directory.
The SQL statement that creates the users table
CREATE TABLE users (
    user_name VARCHAR(15) NOT NULL,
    user_pass VARCHAR(15) NOT NULL,
    PRIMARY KEY (user_name)
)

The SQL statement that creates the user_roles table
CREATE TABLE user_roles (
    user_name VARCHAR(15) NOT NULL,
    role_name VARCHAR(15) NOT NULL,
    PRIMARY KEY (user_name, role_name)
)
The SQL statement that inserts three users
INSERT INTO users
VALUES ('andrea', 'dime10'),
       ('joel', '86band'),
       ('doug', 'lowe1')

The SQL statement that assigns three roles to two users
INSERT INTO user_roles
VALUES ('andrea', 'service'),
       ('andrea', 'admin'),
       ('joel', 'admin')
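To show what the realm does with these two tables at login time, here is an added example (not code from the book or from Tomcat) that builds the chapter's schema and sample data in an in-memory SQLite database and walks through the two lookups a JDBC realm performs: fetch the credential for the user name, compare, then collect the user's roles. It departs from the slides in one deliberate way: passwords are stored as hex SHA-1 digests, the form I take Tomcat's digest="SHA" setting to expect, rather than in clear text, so the user_pass column is widened from 15 to 40 characters. The assumed query shapes and the injection probe in the test are mine, not Tomcat's.

```python
from __future__ import annotations

import hashlib
import hmac
import sqlite3

# The chapter's two tables (user_pass widened to hold a hex SHA-1) and its
# sample users and roles; constructed here so the example runs offline.
SCHEMA = """
CREATE TABLE users (
    user_name VARCHAR(15) NOT NULL,
    user_pass VARCHAR(40) NOT NULL,
    PRIMARY KEY (user_name)
);
CREATE TABLE user_roles (
    user_name VARCHAR(15) NOT NULL,
    role_name VARCHAR(15) NOT NULL,
    PRIMARY KEY (user_name, role_name)
);
"""
SAMPLE_USERS = [("andrea", "dime10"), ("joel", "86band"), ("doug", "lowe1")]
SAMPLE_ROLES = [("andrea", "service"), ("andrea", "admin"), ("joel", "admin")]


def digest_sha(password: str) -> str:
    """Hex SHA-1 of the password: what goes into user_pass instead of clear text.
    (Assumed to match what Tomcat stores for digest="SHA"; unsalted, so it is
    still weaker than a modern password hash, but it keeps the clear text out
    of the table.)"""
    return hashlib.sha1(password.encode()).hexdigest()


def build_realm_db() -> sqlite3.Connection:
    """Create the tables and load the chapter's users with hashed passwords."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(u, digest_sha(p)) for u, p in SAMPLE_USERS])
    db.executemany("INSERT INTO user_roles VALUES (?, ?)", SAMPLE_ROLES)
    db.commit()
    return db


def authenticate(db: sqlite3.Connection, user_name: str,
                 password: str) -> set[str] | None:
    """The realm's job per login: look up the credential, compare, collect roles.
    Returns the role set (possibly empty), or None when the login fails.
    Values are bound as parameters, never concatenated into the SQL, so a
    user name such as "' OR '1'='1" is just a name that does not exist."""
    row = db.execute("SELECT user_pass FROM users WHERE user_name = ?",
                     (user_name,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], digest_sha(password)):
        return None
    roles = db.execute("SELECT role_name FROM user_roles WHERE user_name = ?",
                       (user_name,))
    return {r[0] for r in roles}


def authorize(db: sqlite3.Connection, user_name: str, password: str,
              allowed_roles: list[str]) -> str:
    """Authentication plus the <auth-constraint> check: 'login' for bad
    credentials, 'forbidden' for a valid user without any listed role, else 'allow'."""
    roles = authenticate(db, user_name, password)
    if roles is None:
        return "login"
    return "allow" if roles & set(allowed_roles) else "forbidden"


if __name__ == "__main__":
    db = build_realm_db()
    for user, pw in [("andrea", "dime10"), ("joel", "86band"),
                     ("doug", "lowe1"), ("joel", "wrong")]:
        print(user, authorize(db, user, pw, ["service", "admin"]))
    stored = db.execute("SELECT user_pass FROM users WHERE user_name = 'andrea'").fetchone()[0]
    print("stored credential for andrea:", stored)
```

doug is the instructive case: his login succeeds, but because he has no row in user_roles he is refused the /admin14/* resources with 403 rather than being asked to log in again, which is exactly the distinction between the users table (authentication) and the user_roles table (authorization).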
Basic authentication
The web.xml elements for basic authentication
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin Login</realm-name>
</login-config>

The Login-Config elements
<login-config>
    Tells the servlet engine what authentication type to use.
<auth-method>
    Specifies the authentication type, like BASIC or FORM. However, it's also possible to use DIGEST for digest authentication or CLIENT-CERT for SSL client authentication (see figure 13-2 in chapter 13 for more on client authentication).
<realm-name>
    Specifies the text that's displayed in the browser's login dialog box. It is only the HTTP authentication realm string (and, for DIGEST, part of what gets hashed); it does not select the Realm element in server.xml.
How to use basic authentication
• To use basic authentication, you code a security constraint in the web.xml file. Then, you code a Login-Config element immediately after the security constraint.
• If the user enters an invalid username or password, the server answers 401 Unauthorized again and the browser prompts for new entries. Most browsers give up after a few attempts (three in the browser the book was written against) and then display the server's error page, which indicates that the request was unauthorized.
• If the user enters a valid username and password, the browser caches them and resends them in the Authorization header with every request to that realm, so the user can access all web resources specified by the constraint without re-entering the username and password for each page. Nothing in HTTP tells the browser to forget them: there is no real logout from basic authentication until the browser is closed, and the credentials ride along, Base64-encoded, on every request for the rest of the session.
Form-based authentication
Slide 20
The web.xml elements for form-based authentication
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/admin14/login.html</form-login-page>
        <form-error-page>/admin14/login_error.html</form-error-page>
    </form-login-config>
</login-config>
The Form-Login-Config elements
<form-login-config>
    Specifies the login and error pages that should be used for form-based authentication. If form-based authentication isn't used, these elements are ignored.
<form-login-page>
    Specifies the location of the login page that should be displayed when a restricted resource that's set in the security constraint is accessed. This page can be an HTML page, JSP, or servlet.
<form-error-page>
    Specifies the location of the page that should be displayed when an invalid username and/or password is entered in the login form.
The code for a login web page
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
  <title>Chapter 14 – The Admin application</title>
</head>
<body>
<h1>Admin Login Form</h1>
<p>Please enter your username and password to continue.</p>
<!-- The form must submit to j_security_check with fields named j_username
     and j_password; those three names are fixed by the servlet specification.
     Use POST, not GET: with GET the password becomes part of the URL and
     ends up in the browser history, in proxy logs and in the server's
     access log. The form element wraps the table rather than sitting
     between the table and its rows, which is invalid HTML. -->
<form action="j_security_check" method="post">
<table cellspacing="5" border="0">
  <tr>
    <td align="right">Username</td>
    <td><input type="text" name="j_username"></td>
  </tr>
  <tr>
    <td align="right">Password</td>
    <td><input type="password" name="j_password"></td>
  </tr>
  <tr><td><input type="submit" value="Login"></td></tr>
</table>
</form>
</body>
</html>