Server-side Web Programming Lecture 18: User Authentication and Security Roles


Page 1: Lecture18

Server-side Web Programming

Lecture 18: User Authentication and Security Roles

Page 2: Lecture18

Restricting Access to Web Resources

• May only want some users to be able to access certain pages
• Example: Course web site
  – Resources: Course Syllabus, View Current Grade, Take Online Quiz, Set Grades, Create Online Quiz
  – Roles: Anyone, Students registered for course, Instructor
  – (The slide's diagram links each resource to the role that may access it)

Page 3: Lecture18

Security Roles and Resources

• Define what types of users have access to what types of resources
  – Note that roles may overlap
  – Some roles may have access to multiple resources
  – Slide diagram, resources: View inventory, Add to inventory, Change prices in inventory, View salaries, Change salaries
  – Slide diagram, roles: Inventory Role, HR Role, Manager Role

Page 5: Lecture18

User Identification

• Password-based in Tomcat
  – Not most secure method!
• Slide diagram (browser, Tomcat, resource):
  – Request for resource
  – Response prompts for username and password
  – Request contains username, password
  – Resource sent as response if correct
  – Error page sent as response if incorrect

Page 6: Lecture18

Defining Roles in Tomcat

• In web.xml file of application
  – First define roles

Page 7: Lecture18

Defining Roles in Tomcat

• Define resources those roles have access to
  – Simplest method: Create subdirectory off of main application directory
  – Use a url pattern of the form /subdirectory/* to define secure areas
    • /employee/* – files in here only accessible by employee role
    • /manager/* – files in here only accessible by manager role

Page 8: Lecture18

Defining Roles in Tomcat

• <security-constraint> tag
  – <web-resource-collection> tag defines what directories are restricted (files in this subdirectory)
  – <auth-constraint> tag defines which roles have access (may only be accessed by users in these roles)
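The slides on pages 6 to 8 describe the web.xml steps (declare the roles, then constrain the /employee/* and /manager/* subdirectories) without showing the file itself. The fragment below is an added example, not from the lecture: the role names and url patterns are the ones on the slides, the web-resource-name values and the Servlet 3.1 namespace are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the lecture): WEB-INF/web.xml fragment.
     Role names and url patterns follow the slides; everything else is assumed. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Step 1: declare the roles the application uses -->
  <security-role>
    <role-name>employee</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>

  <!-- Step 2: restrict the /employee subdirectory to the employee role.
       No <http-method> is listed, so the constraint covers every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Employee area</web-resource-name>
      <url-pattern>/employee/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- overlapping roles are expressed by listing more <role-name> elements -->
      <role-name>employee</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- passwords and session cookies for this area travel over TLS only -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 3: restrict the /manager subdirectory to the manager role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager area</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

Two checks worth making on any such file: a <security-constraint> with no <auth-constraint> at all lets anyone in, while an empty <auth-constraint/> denies everyone; and naming specific <http-method> elements leaves the unnamed methods unprotected, which is why the example lists none.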

Page 9: Lecture18

Defining User Roles in Tomcat

• For each user:
  – Username and password
  – Role(s) they assume
• Where can they be stored?
  – tomcat-users.xml file in conf directory
    • Simple to implement
    • Difficult to manage if have thousands of users in dozens of roles
  – Separate database

Page 10: Lecture18

User Roles in tomcat-users.xml

• In tomcat-users.xml file:
  – Define roles with <role> tag
  – Define users with <user> tag
• Username, password, and roles defined
• Roles can be a list
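A conf/tomcat-users.xml matching the slide, as an added example that is not part of the lecture: the role names come from the web.xml slides and the usernames and passwords are the sample values from the lecture's database slide.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the lecture): conf/tomcat-users.xml.
     Usernames/passwords are the lecture's sample values, roles are its role names. -->
<tomcat-users>
  <!-- roles first -->
  <role rolename="employee"/>
  <role rolename="manager"/>

  <!-- users; the roles attribute is a comma-separated list, so one user
       may hold several roles -->
  <user username="Homer" password="donut" roles="employee"/>
  <user username="Burns" password="excellent" roles="manager,employee"/>
</tomcat-users>
```

As written, the passwords sit in the file in clear text, which is the reason the lecture calls this "not the most secure method". Tomcat can instead store a digest of each password when the realm in server.xml is given a <CredentialHandler> (Tomcat 8 and later); the file then holds hashes rather than the passwords themselves.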

Page 11: Lecture18

Defining User Roles in a Database

• Must provide information about the database in context.xml
  – Located in the META-INF subdirectory of the application directory
  – Add a tag of the form:

<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost:8080/users"
       connectionName="root"
       connectionPassword="sesame"
       userTable="Passwords"
       userRoleTable="Roles"
       userNameCol="Name"
       userCredCol="Password"
       roleNameCol="Role" />

  – driverName: driver name
  – connectionURL: URL and name of database (port shown as on the slide; MySQL's default port is 3306)
  – connectionName, connectionPassword: name and password to access database
  – userTable, userRoleTable: names of tables with passwords and roles
  – Field names: Passwords table uses userNameCol, userCredCol; Roles table uses userNameCol, roleNameCol

Page 12: Lecture18

Defining User Roles in a Database

• Form of database tables:

  Passwords table:
    Name   Password
    Burns  excellent
    Homer  donut

  Roles table:
    Name   Role
    Burns  manager
    Homer  employee

Page 13: Lecture18

Types of Authentication

• BASIC – Password prompt generated automatically
• FORM – Can define own prompt and error pages

Page 14: Lecture18

BASIC Authentication

• Add <login-config> tag to web.xml
  – Will continue to prompt as long as login incorrect

Page 15: Lecture18

FORM Authentication

• Must specify login page and error page
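The <login-config> element the last two slides refer to (BASIC on page 14, FORM with its login and error pages on page 15), as an added example that is not from the lecture. The realm name and the file names /login.html and /login-error.html are assumptions.

```xml
<!-- Added example (not from the lecture): <login-config> for WEB-INF/web.xml.
     Realm name and the two page names are assumptions. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Course site</realm-name>
  <form-login-config>
    <!-- neither page may lie under a protected url-pattern, or the container
         would demand a login before it can show the login page -->
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<!-- BASIC alternative (page 14): the browser generates the prompt itself and
     keeps re-prompting while the credentials are rejected; no pages needed -->
<!--
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Course site</realm-name>
</login-config>
-->
```

With either method the password crosses the network on every login (BASIC sends it base64-encoded on every request), so the constraints that protect the resources should carry a CONFIDENTIAL transport guarantee, and the login page itself should be served over TLS.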

Page 16: Lecture18

FORM Authentication

• ACTION of login form must be j_security_check
• Must use specific field names in login form
  – Name field must be j_username
  – Password field must be j_password
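A login page satisfying these rules, as an added example that is not part of the lecture: the action and the two field names are the ones the container requires; the file name, labels and autocomplete hints are assumptions.

```html
<!DOCTYPE html>
<!-- Added example (not from the lecture): login.html for FORM authentication.
     Action and field names are required by the container; the rest is assumed. -->
<html>
<head>
  <meta charset="utf-8">
  <title>Log in</title>
</head>
<body>
  <!-- action must be j_security_check (relative, so it resolves inside this
       application); POST keeps the credentials out of the URL and access logs -->
  <form method="post" action="j_security_check">
    <label>Username
      <input type="text" name="j_username" autocomplete="username" required>
    </label>
    <label>Password
      <input type="password" name="j_password" autocomplete="current-password" required>
    </label>
    <button type="submit">Log in</button>
  </form>
</body>
</html>
```

The container intercepts the POST to j_security_check itself, so no servlet has to read j_username or j_password; the error page configured in <form-error-page> should say only that the login failed, without revealing whether the username or the password was wrong.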

Page 17: Lecture18

FORM Authentication