
Securing web applications declaratively

 
vipul patel
Ranch Hand
Posts: 146
Hi Folks,

I went through Manning's chapter 9 on SCWCD and have a question. They mention that we can write web.xml in a way so that selected resources can be secured using a username and password. Now, up to the role level, we can configure things in web.xml, but the username configuration is "server-dependent".
In the case of Tomcat, I have a file called tomcat-users.xml.

In this file, I have to configure all usernames and passwords and associate them with roles. The same role is defined in my web.xml and a resource is mapped with a URL pattern (on which HTTP methods are configured, etc.).

So far so good.

Now the question is: in a real large-scale website, my username/password information is stored in SQL Server. Here the password is encrypted so nobody can do SELECT * straight on the backend. How do you actually do the above things in such a case? (Do I have to generate a tomcat-users.xml file programmatically?)

Please suggest a way if I am not using EJBs, i.e., I need a solution using only Java web components.
 
Charles Lyons
Author
Ranch Hand
Posts: 836
You should be able to build extra authentication modules which can 'plug in' to your existing Web container. Editing the XML file on the fly is a really bad idea - I would have thought a container restart would be required for changes to tomcat-users.xml to take effect, although I'm not sure.

Although the Java Authentication and Authorisation Service (JAAS) provides a standard for creating new modules, custom security/authentication realms are largely a container-dependent issue, so you should consult your server's documentation. For Tomcat, there is actually a built-in JDBC realm which is disabled by default. You might find this tutorial helpful:

http://www.linux-sxs.org/internet_serving/c619.html

It shows how to get started with modifying the relevant server.xml sections. For official documentation on Tomcat 5.5, see:

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JDBCRealm

When you edit the server.xml file, you should see that your current realm is set to MemoryRealm (see the above documentation link for details; this realm is known as FileRealm under the Reference Implementation, Sun AppServer 8). As the docs say, this isn't supposed to be a production system.

Unfortunately, despite being based on Tomcat, the Reference Implementation (Sun AppServer 8) isn't nearly as helpful; in order to do custom authentication using JDBC, you have to build your own login modules!
[ January 04, 2006: Message edited by: Charles Lyons ]
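The JDBC realm Charles points at, as an added example that is not from the thread or from the Tomcat documentation: a `<Realm>` element for Tomcat 5.5's conf/server.xml that authenticates against a SQL Server user table holding digested passwords. The host, database, account, table and column names and the SQL Server JDBC driver class are assumptions for illustration.

```xml
<!-- Added example for Tomcat 5.5 conf/server.xml. Replaces the default
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm" .../>
     inside <Engine> (or inside a <Host> or <Context> to scope it).
     Host, database, credentials, table/column names and the driver
     class are ASSUMED values for illustration. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
       connectionURL="jdbc:sqlserver://dbhost:1433;databaseName=webauth"
       connectionName="tomcat_auth"
       connectionPassword="change-me"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name"
       digest="SHA"/>

<!-- Assumed table shape. The realm reads userCredCol from userTable and
     the roles from userRoleTable, joining both on userNameCol, so that
     column must exist in both tables:

       CREATE TABLE users (
         user_name VARCHAR(64) NOT NULL PRIMARY KEY,
         user_pass CHAR(40)    NOT NULL      -- lowercase hex SHA-1 digest
       );
       CREATE TABLE user_roles (
         user_name VARCHAR(64) NOT NULL REFERENCES users(user_name),
         role_name VARCHAR(32) NOT NULL,     -- must equal a <role-name> in web.xml
         PRIMARY KEY (user_name, role_name)
       );

     With digest="SHA" Tomcat hashes the submitted password with SHA-1,
     hex-encodes it and compares the string with userCredCol, so the
     database never holds plaintext. Produce digests with Tomcat's own
     tool so the encoding matches exactly (catalina.jar lives under
     server/lib in 5.5, under lib in later versions):

       java -cp $CATALINA_HOME/server/lib/catalina.jar \
            org.apache.catalina.realm.RealmBase -a SHA 's3cret'

     Unsalted SHA-1 is what this realm offers; treat it as a baseline,
     not as a modern password store.

     Operational checks: connectionPassword is plaintext in server.xml,
     so the file should be readable by the Tomcat user only, and
     tomcat_auth should have SELECT on these two tables and nothing
     else. JDBCRealm uses one JDBC connection for all requests; the
     DataSourceRealm in the same realm-howto takes the same table
     attributes but a pooled JNDI DataSource, and is the better choice
     under load. Changing a <Realm> needs a container restart, which is
     fine: the users live in the database, not in the XML. -->
```

The application's web.xml is untouched by this: it keeps declaring roles and URL patterns, and the realm decides which database rows carry those roles.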
 
Gyan Shankar
Ranch Hand
Posts: 65
Hi Charles

Can you please let me know what exactly is SCWCD 1.4b and how is it different from SCWCD 1.4.
 
Charles Lyons
Author
Ranch Hand
Posts: 836
Can you please let me know what exactly is SCWCD 1.4b and how is it different from SCWCD 1.4.


The 'b' on the end is intended to mean 'beta' - the beta version was released about 4 months ahead of the actual exam. Candidates that took the beta version were subjected to 120 or so questions which they were expected to provide useful feedback on. It is exactly the same qualification as the SCWCD (same certificate and everything), but there are even more gruelling questions, which helped me gauge the style of the new exam for my book!

I hope the Tomcat advice helped!
 
Gyan Shankar
Ranch Hand
Posts: 65
cool.
thanks a lot.
 
srilatha kareddy
Ranch Hand
Posts: 32
Hi Charles,

Can you provide any sample chapters of your book?
I am planning on buying it as soon as it is on the market.

(Preparing for SCWCD.)
 