
Murach’s Java Servlets/JSP (2nd Ed.), C17 © 2008, Mike Murach & Associates, Inc. Slide 1

Chapter 17

How to restrict access to a web resource

Objectives

Applied

Use container-managed security and the JDBC realm to restrict access to portions of your web applications.

Knowledge

Describe container-managed security in terms of authentication, authorization, security constraints, roles, and security realms.

Distinguish between basic authentication and form-based authentication.

An authentication dialog box for a restricted web resource

The security-constraint and login-config elements in the web.xml file

    <!-- Restrict access to all files in the /admin folder -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <!-- Authorize the programmer and service roles -->
        <auth-constraint>
            <role-name>programmer</role-name>
            <role-name>service</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Use basic authentication -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Admin Login</realm-name>
    </login-config>

How to implement container-managed authentication with Tomcat

To restrict access to a web resource, you code a security-constraint element in the application’s web.xml file that specifies the URL patterns that you want to restrict and the roles that are authorized to access these URLs.

To allow access to the restricted resources, you code a login-config element in the application’s web.xml file that specifies the authentication method.

You also need to implement a security realm that provides the usernames, passwords, and roles for the authorized users.

Basic authentication

Causes the browser to display a dialog box that asks for username and password.

Doesn’t encrypt the username and password before sending them to the server.

Digest authentication

Causes the browser to display a dialog box that asks for username and password.

Doesn’t send the password in the clear: the browser sends a digest (hash) of it to the server instead.

Form-based authentication

Allows the developer to code a login form that gets the username and password.

Doesn’t encrypt the username and password before sending them to the server.

How to set a security constraint in a web.xml file

    <security-role>
        <description>customer service employees</description>
        <role-name>service</role-name>
    </security-role>
    <security-role>
        <description>programmers</description>
        <role-name>programmer</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>programmer</role-name>
            <role-name>service</role-name>
        </auth-constraint>
    </security-constraint>

The elements used to create security roles and constraints

Element Description

<security-role> Creates a security role for one or more web resources.

<description> Specifies the description for a security role.

<role-name> Specifies the name for a security role.

<security-constraint> Creates a security constraint for one or more web resources.

<web-resource-collection> Specifies a collection of restricted web resources.

<web-resource-name> Specifies a name for the collection of web resources.

The elements used to create security roles and constraints (cont.)

Element Description

<url-pattern> Specifies the URL pattern for the web resources that you wish to restrict. You can use the asterisk character (*) to specify several files at once.

<http-method> Specifies the HTTP methods that require authentication. By default, a constraint will restrict access to all HTTP methods.

<auth-constraint> Specifies the security roles that are permitted to access a restricted web resource.
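As an added check (this script is not from the book), the audit below parses a web.xml and flags the pitfalls behind these slides: an http-method list constrains only the listed methods and leaves every other method on those URLs uncovered, a missing auth-constraint means no login is required, and BASIC or FORM login without a CONFIDENTIAL transport-guarantee sends the username and password in the clear, as the earlier slides note. The sample web.xml is constructed to mirror the chapter's fragments, and only the Python standard library is used.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the chapter's web.xml fragments: the constraint
# is limited to GET and POST and BASIC login has no transport guarantee.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>programmer</role-name>
      <role-name>service</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin Login</realm-name>
  </login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of findings (empty when the configuration looks sound)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the default namespace so the paths below stay simple
        el.tag = el.tag.split("}")[-1]
    findings = []
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    for sc in root.findall("security-constraint"):
        urls = ", ".join(p.text.strip() for p in sc.findall("web-resource-collection/url-pattern"))
        methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method")]
        # Listing http-method elements constrains ONLY those methods; every other
        # method (HEAD, PUT, DELETE, ...) on the same URL patterns stays open.
        if methods:
            findings.append(f"{urls}: only {'/'.join(methods)} constrained; other HTTP methods are uncovered")
        # Without an auth-constraint no role is required, so the URLs are public.
        if sc.find("auth-constraint") is None:
            findings.append(f"{urls}: no auth-constraint, so no login is required")
        # BASIC and FORM send credentials in the clear unless the constraint
        # also demands a CONFIDENTIAL (TLS) transport.
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        if auth in ("BASIC", "FORM") and tg != "CONFIDENTIAL":
            findings.append(f"{urls}: {auth} login without a CONFIDENTIAL transport-guarantee")
    return findings
```

Running audit_web_xml(WEB_XML) on the sample reports two findings; removing the http-method elements and adding a user-data-constraint with CONFIDENTIAL clears both.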

The default Realm element in Tomcat’s server.xml file

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>

The default Resource element in Tomcat’s server.xml file

    <Resource name="UserDatabase"
              auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

A tomcat-users.xml file that specifies three roles and three users

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
        <!-- roles first, then the users that hold them -->
        <role rolename="manager"/>
        <role rolename="programmer"/>
        <role rolename="service"/>
        <!-- passwords are stored in clear text in this file -->
        <user username="admin" password="sesame" roles="manager"/>
        <user username="joel" password="sesame" roles="programmer"/>
        <user username="andrea" password="sesame" roles="programmer,service"/>
    </tomcat-users>

How to implement the UserDatabaseRealm

A realm is an interface that’s used to authenticate users so they can access web resources that have been restricted.

By default, the server.xml file in Tomcat’s conf directory uses the UserDatabaseRealm to use the usernames, passwords, and roles that are defined in the tomcat-users.xml file that’s stored in Tomcat’s conf directory. However, you can change this default to one of the other realms.

If you use the UserDatabaseRealm for authentication, you can edit the tomcat-users.xml file so it contains the role and user elements that you need.

A context.xml file that implements the JDBCRealm

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/ch17admin">
        <Realm className="org.apache.catalina.realm.JDBCRealm"
               debug="99"
               driverName="com.mysql.jdbc.Driver"
               connectionURL="jdbc:mysql://localhost:3306/murach"
               connectionName="root"
               connectionPassword="sesame"
               userTable="UserPass"
               userNameCol="Username"
               userCredCol="Password"
               userRoleTable="UserRole"
               roleNameCol="Rolename" />
    </Context>

The attributes of the Realm element for a JDBCRealm

Attribute Description

className The fully qualified name for the JDBCRealm class.

driverName The fully qualified class name for the JDBC driver.

connectionURL The database URL for the connection.

connectionName The username for the connection.

connectionPassword The password for the connection.

userTable The name of the table that contains the usernames and passwords. This table must include at least the columns named by the userNameCol and userCredCol attributes.

The attributes of the Realm element for a JDBCRealm (cont.)

Attribute Description

userNameCol The name of the column that contains usernames.

userCredCol The name of the column that contains passwords.

userRoleTable The name of the table that contains the usernames and their associated roles. This table must include the columns named by the userNameCol and roleNameCol attributes.

roleNameCol The name of the column that contains the roles.

How to implement the JDBCRealm: The context.xml file

To specify a realm for a single application, you can code a Realm element within the context.xml file in the application’s META-INF folder. This overrides the default Realm element that’s specified in the server.xml file in Tomcat’s conf folder.

Tomcat’s JDBCRealm uses a database to check a username and password against a table of valid usernames and passwords. In addition, the JDBCRealm uses a second table to associate a username with a role.

For the JDBCRealm to work, the JAR file for the database driver that’s specified must be stored in Tomcat’s lib directory.

A SQL script that creates the tables used by the JDBCRealm

    CREATE TABLE UserPass (
        Username varchar(15) NOT NULL PRIMARY KEY,
        Password varchar(15) NOT NULL
    );

    INSERT INTO UserPass VALUES
        ('andrea', 'sesame'),
        ('joel', 'sesame'),
        ('anne', 'sesame');

    CREATE TABLE UserRole (
        Username VARCHAR(15) NOT NULL,
        Rolename VARCHAR(15) NOT NULL,
        -- the key must name the Rolename column defined above
        -- (the original script referred to a non-existent "Role" column)
        PRIMARY KEY (Username, Rolename)
    );

    INSERT INTO UserRole VALUES
        ('andrea', 'service'),
        ('andrea', 'programmer'),
        ('joel', 'programmer');

How to implement the JDBCRealm: The SQL script

The table and column names must match the table and column names specified by the Realm element for the JDBCRealm.

A user can be associated with zero roles, one role, or multiple roles.

The table that stores the username and password can contain other columns.

A context.xml file that implements the DataSourceRealm

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/musicStore">
        <Resource name="jdbc/musicDB"
                  auth="Container"
                  maxActive="100"
                  maxIdle="30"
                  maxWait="10000"
                  username="root"
                  password="sesame"
                  driverClassName="com.mysql.jdbc.Driver"
                  url="jdbc:mysql://localhost:3306/music?autoReconnect=true"
                  logAbandoned="true"
                  removeAbandoned="true"
                  removeAbandonedTimeout="60"
                  type="javax.sql.DataSource" />
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               debug="99"
               dataSourceName="jdbc/musicDB"
               localDataSource="true"
               userTable="UserPass"
               userNameCol="Username"
               userCredCol="Password"
               userRoleTable="UserRole"
               roleNameCol="Rolename" />
    </Context>

The attributes of the Realm element for a DataSourceRealm

Attribute Description

className The fully qualified name for the DataSourceRealm class.

dataSourceName The name that specifies the data source. If the Realm element is coded in the same context.xml file as the Resource element that’s used to connect to the database, you can specify the same name that’s specified by the Resource element.

localDataSource By default, this attribute is set to false, which allows you to use the dataSourceName attribute to specify a global data source. However, if the Realm element is coded in the same context.xml file as the Resource element, you can set this attribute to true to specify a local data source.

Basic authentication

The web.xml elements that specify basic authentication

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Admin Login</realm-name>
    </login-config>

The elements for basic authentication

Element Description

<login-config> Specifies the authentication type to use.

<auth-method> Specifies the authentication method. Valid entries include BASIC, DIGEST, FORM, and CLIENT-CERT.

<realm-name> Optionally specifies the name that’s displayed in the dialog box.

Form-based authentication

The web.xml elements that specify form-based authentication

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/admin/login.html</form-login-page>
            <form-error-page>/admin/login_error.html</form-error-page>
        </form-login-config>
    </login-config>

The additional web.xml elements for form-based authentication

Element Description

<form-login-config> Specifies the login and error pages that should be used for form-based authentication.

<form-login-page> Specifies the location of the login page that should be displayed when a restricted resource that’s set in the security constraint is accessed. This page can be an HTML page, JSP, or servlet.

<form-error-page> Specifies the location of the page that should be displayed when an invalid username or password is entered in the login form.

The code for a login web page

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
        <title>Murach's Java Servlets and JSP</title>
    </head>
    <body>
        <h1>Admin Login Form</h1>
        <p>Please enter your username and password to continue.</p>
        <!-- The form submits to the container's j_security_check action with the
             field names j_username and j_password. It wraps the table (a form placed
             directly inside a table is invalid HTML) and uses POST so the credentials
             don't end up in the URL, the browser history, or the server's access log. -->
        <form action="j_security_check" method="post">
        <table cellspacing="5" border="0">
            <tr>
                <td align="right">Username</td>
                <td><input type="text" name="j_username"></td>
            </tr>
            <tr>
                <td align="right">Password</td>
                <td><input type="password" name="j_password"></td>
            </tr>
            <tr>
                <td><input type="submit" value="Login"></td>
            </tr>
        </table>
        </form>
    </body>
    </html>