Tips on form-based authentication

 
Ranch Hand
Posts: 73
Hi,

I have the following scenario (requirement in the specification).

I have implemented a web interface to create a new user in the system. Now each user can have different roles which can be selected by HTML checkboxes.
The fact is that each role (checkbox) specifies which jsp pages in the system can be accessed.
E.g. if the checkbox with the role "0" is selected the user can "view" the tools.jsp and tools2.jsp pages.
if the checkbox with the role "1" is selected then the user can "view" users.jsp.
If both checkboxes "0" and "1" are selected then the authenticated user can view tools.jsp, tools2.jsp and users.jsp.

In my database I have a users table which is used to retrieve the role. I only have 1 column in the database for the role.
What is the best way to implement this scenario?
Shall I assign different role names for each possible value e.g. checkbox1 selected and checkbox2 unselected = 0, checkbox1 unselected and checkbox2 selected = 1, checkbox1 unselected and checkbox2 unselected = 2, etc.?

Thanks for any advice and help.
 
Greenhorn
Posts: 9

From your scenario, you can have two roles and in the JSPs you can validate.
You can also create 3 different roles, but later, in case you modify the roles of the user, you'll have to update the tables.

So Solution 1, should be simpler.
 
Ranch Hand
Posts: 249
Hey there.... I guess maybe the binary system can come to your rescue.
You said you have 3 check boxes, right? And a single field in the database table to store the value...
How about this ->

000 - 0
001 - 1
010 - 2
011 - 3
100 - 4

...and so on.....

Dawn
 
Viv Singh
Ranch Hand
Posts: 73
I solved it using the "binary system".

I have a question about the security configuration in the web.xml now:

The system contains 8 roles (2^3) as I have three "types" of resources.

000 - Role: 0
001 - Role: 1
010 - Role: 2
011 - Role: 3
100 - Role: 4
101 - Role: 5
110 - Role: 6
111 - Role: 7

Now I did the following in the web.xml:



(This does not show all the pages, just a part of it).

E.g. the user with the roles either 4 or 5 or 6 or 7: should be able to see/access the following:
portal/index.jsp, portal/logout.jsp, portal/page1.jsp, portal/page2.jsp and portal/page3.jsp

Is this the correct way of implementing the security, or do I have to specify the constraint of each type of role separately?

thanks in advance.
 
ranger
Posts: 17347
Personally, I have always hated the binary solution to solve problems like this. Mostly because of maintenance issues. Let's say a new role gets added, let's say you get a new developer and you are no longer there. They now have to go and try and figure out what was done.

Also, having individual names for each role is so much easier to understand and therefore maintain.

Maintenance is the #1 most expensive part of software development, so anytime you can use a simpler cleaner solution the better.

My 2 cents.

Mark
 
Viv Singh
Ranch Hand
Posts: 73

Mark Spritzler wrote: Personally, I have always hated the binary solution to solve problems like this. Mostly because of maintenance issues. Let's say a new role gets added, let's say you get a new developer and you are no longer there. They now have to go and try and figure out what was done.

Also, having individual names for each role is so much easier to understand and therefore maintain.

Maintenance is the #1 most expensive part of software development, so anytime you can use a simpler cleaner solution the better.

My 2 cents.

Mark



Thanks. Could you suggest any other solution?
 
Viv Singh
Ranch Hand
Posts: 73
I am having problem with specifying the security controls:

I have 6 roles in the system 1,2,3,...6.

index.jsp and logout.jsp should be accessible for all roles.
Whereas other resources are restricted.

I did the following:



However, this is not working. E.g. if I have a user with the role 7 and I try to access users.jsp I get the 405 error.

Any help will be appreciated.
 
Mark Spritzler
ranger
Posts: 17347
Well, I use Spring MVC and Spring Security, so I just have roles with more descriptive names, and then I just have a configuration file that defines my security on pages, so I can put in a URL in the configuration and say that you must have any one of a comma-separated list of roles.

You can check out the Security documentation out at www.springframework.org

Mark
 
Viv Singh
Ranch Hand
Posts: 73
Hi,

I won't be able to use the Spring framework.

Am I doing something wrong in my web.xml where I define the security rules?

E.g. If the user with the role 7 tries to access porta/users.jsp I get the 403 (HTTP Status 403 - Access to the requested resource has been denied) error but if the user with the role 7 tries to access statistics.jsp it works perfectly fine.

Any help or suggestions will be appreciated.
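The "binary system" from the thread, worked through as an added example (not code posted by anyone in the thread): with one bit per resource "type", the integer stored in the users table is the OR of the checked boxes, and the web.xml constraint protecting a given page must list every numeric role whose bit for that page is set, which is the part that is easy to get wrong by hand. The bit assignments (TOOLS=1, USERS=2, PORTAL=4) and the class name are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/** Added example: one bit per resource type, mirroring the thread's 2^3 = 8 numeric roles. */
public class BitmaskRoles {
    /** Assumed bit assignment: bit 001 = tools pages, 010 = users.jsp, 100 = portal pages. */
    public enum Permission {
        TOOLS(1), USERS(2), PORTAL(4);
        final int bit;
        Permission(int bit) { this.bit = bit; }
    }

    /** Encode the checked boxes into the single integer kept in the users table's role column. */
    public static int encode(EnumSet<Permission> granted) {
        int role = 0;
        for (Permission p : granted) role |= p.bit;
        return role;
    }

    /** Decode a stored role number back into the permissions it grants. */
    public static EnumSet<Permission> decode(int role) {
        EnumSet<Permission> set = EnumSet.noneOf(Permission.class);
        for (Permission p : Permission.values()) if ((role & p.bit) != 0) set.add(p);
        return set;
    }

    /** Every numeric role that carries permission p; each one must appear as a <role-name>
     *  in the security-constraint for p's pages, otherwise that user is denied with a 403. */
    public static List<Integer> rolesWithPermission(Permission p) {
        List<Integer> roles = new ArrayList<>();
        int max = (1 << Permission.values().length) - 1;   // 7 for three bits
        for (int r = 0; r <= max; r++) if ((r & p.bit) != 0) roles.add(r);
        return roles;
    }

    /** Generate the <auth-constraint> element so the role list is derived, not typed by hand. */
    public static String authConstraint(Permission p) {
        StringBuilder sb = new StringBuilder("<auth-constraint>\n");
        for (int r : rolesWithPermission(p)) sb.append("  <role-name>").append(r).append("</role-name>\n");
        return sb.append("</auth-constraint>").toString();
    }

    public static void main(String[] args) {
        System.out.println(encode(EnumSet.of(Permission.USERS, Permission.PORTAL)));
        System.out.println(decode(7));
        System.out.println(authConstraint(Permission.USERS));   // lists roles 2, 3, 6 and 7
    }
}
```

Adding a fourth resource type doubles the number of roles and changes every generated list, which is the maintenance cost the thread warns about; a named role per resource type, listed directly in each constraint, avoids it.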