Server-side Web Programming
Lecture 18: User Authentication and Security Roles
Restricting Access to Web Resources
• May only want some users to be able to access certain pages
• Example: Course web site

  Resource              Who may access it
  Course Syllabus       Anyone
  View Current Grade    Students registered for course
  Take Online Quiz      Students registered for course
  Set Grades            Instructor
  Create Online Quiz    Instructor
Security Roles and Resources
• Define what types of users have access to what types of resources
  – Note that roles may overlap
  – Some roles may have access to multiple resources
• Example resources: Add to inventory, Change prices in inventory, View inventory, View salaries, Change salaries
• Example roles: Inventory Role, HR Role, Manager Role
Security Roles and Users
• Users have roles
  – Controls what resources an individual user has access to
  – A user may have multiple roles

  User        Role(s)
  Homer       Inventory
  Marge       HR
  Smithers    Inventory, HR
  Burns       Manager
User Identification
• Password-based in Tomcat
  – Not most secure method!
• Exchange between browser and Tomcat:
  – Request for resource
  – Response prompts for username and password
  – Request contains username, password
  – Resource sent as response if correct
  – Error page sent as response if incorrect
Defining Roles in Tomcat
• In web.xml file of application
  – First define roles
Defining Roles in Tomcat
• Define resources those roles have access to
  – Simplest method: Create subdirectory off of main application directory
  – Use a URL pattern of the form /subdirectory/* to define secure areas
    • /employee/* – files in here only accessible by employee role
    • /manager/* – files in here only accessible by manager role
Defining Roles in Tomcat
• <security-constraint> tag
  – <web-resource-collection> tag defines what directories are restricted (files in this subdirectory)
  – <auth-constraint> tag defines which roles have access (may only be accessed by users in these roles)
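The two slides above describe the pieces of a web.xml that protects the /employee/* and /manager/* areas. The fragment below is an added example, not the lecture's own file: it uses the role names and URL patterns from the slides, and the web-resource-name values are placeholders. It goes inside the <web-app> element.

```xml
<!-- Added example (not from the lecture): web.xml fragment, placed inside <web-app>.
     Role names and URL patterns are the lecture's; <web-resource-name> values are made up. -->

<!-- 1. First define the roles the application knows about -->
<security-role>
  <role-name>employee</role-name>
</security-role>
<security-role>
  <role-name>manager</role-name>
</security-role>

<!-- 2. Restrict /employee/* to the employee role.
     A manager who also needs these pages must be listed here too,
     because roles do not inherit from each other. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Employee area</web-resource-name>
    <url-pattern>/employee/*</url-pattern>
    <!-- No <http-method> listed, so the constraint covers every HTTP method.
         Listing only GET would leave POST, PUT, ... unprotected. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>employee</role-name>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password Base64-encoded, not encrypted, on every request;
         CONFIDENTIAL makes Tomcat redirect these URLs to HTTPS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 3. Restrict /manager/* to the manager role only -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager area</web-resource-name>
    <url-pattern>/manager/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two details worth checking in any constraint you write: an <auth-constraint> with no <role-name> inside denies everyone, while leaving <auth-constraint> out entirely lets everyone in, and a <url-pattern> only matches the path you give it, so resources outside /employee/ and /manager/ stay public.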
Defining User Roles in Tomcat
• For each user:
  – Username and password
  – Role(s) they assume
• Where can they be stored?
  – tomcat-users.xml file in conf directory
    • Simple to implement
    • Difficult to manage if have thousands of users in dozens of roles
  – Separate database
User Roles in tomcat-users.xml
• In tomcat-users.xml file:
  – Define roles with <role> tag
  – Define users with <user> tag
    • Username, password, and roles defined
    • Roles can be a list
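As an added example (not the lecture's file), here is a conf/tomcat-users.xml that encodes the users and roles from the "Security Roles and Users" table above. The role names are lower-cased versions of the table's, and the password values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the lecture: conf/tomcat-users.xml.
     Users and roles come from the lecture's table; passwords are placeholders. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

  <!-- Roles are declared first with the <role> tag -->
  <role rolename="inventory"/>
  <role rolename="hr"/>
  <role rolename="manager"/>

  <!-- Each <user> names its password and a comma-separated list of roles -->
  <user username="homer"    password="CHANGE-ME-1" roles="inventory"/>
  <user username="marge"    password="CHANGE-ME-2" roles="hr"/>
  <user username="smithers" password="CHANGE-ME-3" roles="inventory,hr"/>
  <user username="burns"    password="CHANGE-ME-4" roles="manager"/>
</tomcat-users>
```

Note that the password attribute is stored exactly as written, so anyone who can read the conf directory can read every password. Tomcat can instead compare against a hash if the realm is given a <CredentialHandler> (for example org.apache.catalina.realm.MessageDigestCredentialHandler) and the file holds the digested values produced by bin/digest.sh; the role names in the file must match the <role-name> entries in web.xml exactly.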
Defining User Roles in a Database
• Must provide information about database in context.xml
  – In the META-INF subdirectory of the application directory
  – Add tag of form:

    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://localhost:8080/users"
           connectionName="root"
           connectionPassword="sesame"
           userTable="Passwords"
           userRoleTable="Roles"
           userNameCol="Name"
           userCredCol="Password"
           roleNameCol="Role" />

  – driverName: driver name
  – connectionURL: URL and name of database
  – connectionName, connectionPassword: name and password to access database
  – userTable, userRoleTable: names of tables with passwords and roles
  – Field names: Passwords table uses userNameCol, userCredCol; Roles table uses userNameCol, roleNameCol
Defining User Roles in a Database
• Form of database tables:

  Passwords table
  Name     Password
  Burns    excellent
  Homer    donut

  Roles table
  Name     Role
  Burns    manager
  Homer    employee
Types of Authentication
• BASIC – Password prompt generated automatically
• FORM – Can define own prompt and error pages
BASIC Authentication
• Add <login-config> tag to web.xml
  – Will continue to prompt as long as login incorrect
FORM Authentication
• Must specify login page and error page
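The <login-config> element that selects FORM authentication and names the two pages is shown below as an added example, not the lecture's own file. The page paths /login.html and /login-error.html and the realm name are assumed placeholders; the BASIC variant from the previous slide is included as a comment for comparison.

```xml
<!-- Added example, not from the lecture: <login-config> inside web.xml.
     /login.html, /login-error.html and the realm name are placeholders. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Course Site</realm-name>
  <form-login-config>
    <!-- Tomcat shows this page when an unauthenticated user hits a protected URL -->
    <form-login-page>/login.html</form-login-page>
    <!-- ... and this one when the submitted username/password are wrong -->
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<!-- BASIC alternative: the browser generates the prompt itself, so no pages are needed.
     A web.xml may contain only one <login-config>, so pick one of the two.
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Course Site</realm-name>
</login-config>
-->
```

The login and error pages must live outside every protected <url-pattern>; if /login.html sat under /employee/, Tomcat would have to authenticate the user before it could show them the form.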
FORM Authentication
• ACTION of login form must be j_security_check
• Must use specific field names in login form
  – Name field must be j_username
  – Password field must be j_password
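A login page that meets the three requirements above, written as an added example rather than the lecture's page. It is written as XHTML so the document is well-formed XML; the file name login.html is the placeholder used in a <form-login-page> entry, and the label text is made up.

```xml
<!-- Added example, not from the lecture: login.html (XHTML).
     The action and the two field names are fixed by the Servlet specification;
     everything else on the page is free to change. -->
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>Log in</title>
  </head>
  <body>
    <!-- POST keeps the credentials out of the URL, browser history and access logs -->
    <form method="post" action="j_security_check">
      <p>
        <label>Username
          <input type="text" name="j_username" autocomplete="username"/>
        </label>
      </p>
      <p>
        <label>Password
          <input type="password" name="j_password" autocomplete="current-password"/>
        </label>
      </p>
      <p>
        <input type="submit" value="Log in"/>
      </p>
    </form>
  </body>
</html>
```

The relative action="j_security_check" works because the container intercepts that path wherever the login page was served from; after a successful login Tomcat redirects the browser to the protected resource it originally asked for, and after a failed one it shows the <form-error-page>.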
FORM Authentication