Authentication of a web resource

 
Ranch Hand
Posts: 208
Hi all,
I have a web resource. I specify the <auth-method> as BASIC, so whenever someone tries to access my page it shows him a dialog box to enter the username and the password. When the web server checks the authenticity of the user, where does it check? Because all my user information is in the database.
thanks
Harish
 
Ranch Hand
Posts: 1873
Hi,
have a look here
replace the use of HashTable with the database you have...
regards
maulin
 
Author
Posts: 65
Maulin's link is an example of programmatic security, i.e. you have to write the whole story yourself.
When using declarative security (like you do, via the deployment descriptor) the location of usernames and passwords is server specific. If you use Tomcat, look for the file named tomcat-users.xml in the conf directory. If not, tell me which server you use, we'll work something out.
BTW, try to avoid BASIC authentication. Use Form-based instead.
 
Author
Posts: 245
Why avoid basic? Form is no more secure since they both pass the username and password in plain text to the servlet.
Also, you don't have to use the tomcat-users.xml file; Tomcat has a JDBC Realm that allows you to authenticate against the details in the db.
 
Rancher
Posts: 13459
Actually, Tomcat also supports LDAP Realms, which work quite nicely (better than WebSphere, anyway).
 
Baruch Sadogursky
Author
Posts: 65
I would suggest avoiding BASIC for three reasons:
  • It's not simple to log out. It can be done only programmatically, or by restarting the browser.
  • FORM gives you a way to style your login page.
  • The information that you can pass to the user using BASIC is basic: only a little string for the Realm. In form, the sky is the limit. Much more flexible.

Besides, it shouldn't be a problem to edit tomcat-users.xml programmatically.
     
    chanoch wiggers
    Author
    Posts: 245
    yes, but he already said that his info is on the database...
     
    Maulin Vasavada
    Ranch Hand
    Posts: 1873
    Yes, he has a database already. That's why I suggested something that can be authenticated against a database.
    Anyway, I am not prone to use BASIC auth; I used it once. I use form-based auth as well. All of them are more or less the same, with pros and cons.
    And, Baruch, I use iPlanet 4.1 as a web server, which lacks the XML-based configuration (so-called WAR) architecture. I would love to have that, which is not possible for the company, but that's irrelevant here.
    regards
    maulin
     
    Baruch Sadogursky
    Author
    Posts: 65
    Maulin, I'm not familiar with iPlanet, which way can you register users that would be available in deployment descriptor?
     
    Ranch Hand
    Posts: 2379
    If you are interested in testing a basic form-based authentication, have a look here
    [ July 09, 2002: Message edited by: Ashik uzzaman ]
     
    Ranch Hand
    Posts: 188

    Originally posted by chanoch wiggers:
    Why avoid basic? Form is no more secure since they both pass the username and password in plain text to the servlet.
    Also, you don't have to use the tomcat-users.xml file; Tomcat has a JDBC Realm that allows you to authenticate against the details in the db.



    Can anyone provide information as to how this is done? I need to replace a web application (Perl/CGI/Apache) which is doing authentication with a database table. I can find many examples of doing the authentication in Tomcat using tomcat-users.xml, but I am having a hard time finding any information on how you get the "j_security_check" of the login form to go to the database to do the authentication. For example, how do you specify the URL/username/password for the database connection? How do you specify the table to use, and how do you tell it which columns in the database table map to the username and password fields?
    I am developing this application to be deployed on JBoss 3.2.3, which (I think) has Tomcat as its default web container. The database is Oracle 8i.
    Thanks in advance for any insight. Any references to online examples or tutorials will be very appreciated.

    -James
     
    James Adams
    Ranch Hand
    Posts: 188
    It turns out that there are several good resources on the web, I just didn't look hard enough. Here are some links which look promising:
    http://www.huihoo.com/jboss/online_manual/3.0/ch13s78.html
    http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
    Still if anyone can answer any of the previous questions I posted in the previous post I'll certainly appreciate the feedback.

    -James
    [ April 23, 2004: Message edited by: James Adams ]
     
    Greenhorn
    Posts: 2
    I'd recommend using Digest authentication over Form based or Basic, since it is much more secure than the plaintext authentication mechanisms. With Digest, only the MD5 hash of the password is sent over the network.
    Fluidlogic: http://www.keystonewebsystems.com/products/