Custom JDBC realm authentication

 
Ranch Hand
Posts: 424
I am having an issue doing a custom JDBC realm secure-login authentication, which the container-based implementation may not satisfy.
But I'm not very sure of the way to go.

The application is a JSF-based web app currently configured for container (Tomcat) declarative security.

1- Login and register forms in the index page should guarantee sufficient security in transmission.
*The index page should preferably not use HTTPS.* Also need to digest passwords before authenticating against the DB.

2- Should still use container-based implementations in other cases throughout the application.

3- Maintain container-based declarative security.

4- Should handle the remember-me feature.
 
Rancher
Posts: 43081
Using HTTPS is largely independent of using authentication. The application will need to create appropriate absolute URLs with the desired protocol, though.

You can't really embed a login form within some other page when using container-managed security. The container will redirect to the login form if a protected resource is accessed and the user wasn't authenticated yet.

While it's possible to extend the Tomcat-provided realm implementations through subclassing, I'm not sure if that'd be sufficient to implement something like persistent login cookies; I suspect not. (Note that the JDBC realm already supports digested passwords.)

These various shortcomings are the reason many folks shy away from container-managed authentication and implement their own login modules instead. It's not that hard, and can be used over and over in other web apps later.
 
ahmed yehia
Ranch Hand
Posts: 424

Ulf Dittmer wrote:Using HTTPS is largely independent of using authentication. The application will need to create appropriate absolute URLs with the desired protocol, though.


If you could please elaborate on this and how HTTPS is independent of using authentication. I have seen many popular web sites, including our Ranch, that do not use HTTPS in their login window; it seems interesting. What could be other options, though?

Also, I have searched the available security frameworks to see if any can satisfy my mentioned requirements, taking a high-level overview. Cocoon, for example.

Also, folks around talk about extending the container-managed authentication and doing their own, like you said.
This might be an option to go by, but it's still not a trivial matter to decide the way to go.
 
Ulf Dittmer
Rancher
Posts: 43081

ahmed yehia wrote:If you could please elaborate on this and how HTTPS is independent of using authentication.


Not sure what you're asking. You can use HTTPS with or without authentication. You can use authentication with or without HTTPS. The two don't really have anything to do with each other.

ahmed yehia wrote:Cocoon, for example.

Are you talking about the XML publishing framework? What does that have to do with any security aspects?

ahmed yehia wrote:Also, folks around talk about extending the container-managed authentication and doing their own, like you said. This might be an option to go by, but it's still not a trivial matter to decide the way to go.


Personally, I've long since stopped using container-managed security. It's just not flexible and powerful enough for my purposes. My own login module does everything I need it to do, and does it exactly the way I want it done :-)

If you're interested in extending an existing realm implementation, check out this article I wrote for the JavaRanch Journal. It has an example of such a beast in the section "Integration with Tomcat Realms".
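What a hand-rolled login module of the kind Ulf describes here and in his first reply has to get right is the credential handling; how the form or servlet Filter is wired around it is the easy part. The following is an added example, not Ulf's module and not Tomcat code: it digests passwords with a per-user salt and iterated PBKDF2 (which is what "digest passwords before authenticating against the DB" should mean in practice), compares in constant time, and issues an HMAC-signed, expiring remember-me token for requirement 4. It uses only the JDK. The Filter that calls it, the JDBC lookup of the stored string, where the server key is kept, the iteration count and the sample username and password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Credential core of a hand-rolled login module (constructed example, JDK only). */
public final class LoginModuleCore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 100_000;   // assumption: tune so one check costs ~100 ms on your hardware
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;

    /** What goes into the users table: "iterations$base64(salt)$base64(digest)". */
    public static String hashPassword(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);   // fresh salt per user: equal passwords, different digests
        return ITERATIONS + "$" + b64(salt) + "$" + b64(pbkdf2(password, salt, ITERATIONS));
    }

    /** Re-derives the digest with the stored salt and iteration count; compares in constant time. */
    public static boolean verifyPassword(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(expected, actual);   // not Arrays.equals: no early exit on first mismatch
    }

    /** Remember-me cookie value: "username|expiryMillis|base64(HMAC-SHA256(username|expiryMillis))". */
    public static String issueRememberMe(String username, long expiryMillis, byte[] serverKey) {
        String payload = username + "|" + expiryMillis;
        return payload + "|" + b64(hmac(payload, serverKey));
    }

    /** Returns the username if the token is authentic and unexpired, otherwise null. */
    public static String checkRememberMe(String cookie, long nowMillis, byte[] serverKey) {
        int sigAt = cookie.lastIndexOf('|');
        if (sigAt < 0) return null;
        String payload = cookie.substring(0, sigAt);
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(cookie.substring(sigAt + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Verify the MAC before trusting any field of the payload.
        if (!MessageDigest.isEqual(hmac(payload, serverKey), presented)) return null;
        int expAt = payload.lastIndexOf('|');   // lastIndexOf, so a '|' inside the username is harmless
        if (expAt < 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(expAt + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        return nowMillis < expiry ? payload.substring(0, expAt) : null;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static byte[] hmac(String data, byte[] key) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Stand-alone demo with constructed values; in the web app these calls live in the login Filter. */
    public static void main(String[] args) {
        String stored = hashPassword("correct horse battery staple".toCharArray());
        System.out.println("right password: " + verifyPassword("correct horse battery staple".toCharArray(), stored));
        System.out.println("wrong password: " + verifyPassword("Correct horse battery staple".toCharArray(), stored));
        byte[] serverKey = new byte[32];
        RNG.nextBytes(serverKey);   // assumption: in production this is loaded from config and stays stable across restarts
        long now = System.currentTimeMillis();
        long twoWeeks = 14L * 24 * 60 * 60 * 1000;
        String cookie = issueRememberMe("ahmed", now + twoWeeks, serverKey);
        System.out.println("valid token   : " + checkRememberMe(cookie, now, serverKey));
        System.out.println("tampered token: " + checkRememberMe(cookie.replace("ahmed", "admin"), now, serverKey));
        System.out.println("expired token : " + checkRememberMe(cookie, now + twoWeeks + 1, serverKey));
    }
}
```

Wiring it in: on a login POST, load the stored string for the submitted username, call verifyPassword, and on success put the principal in the session (invalidating any pre-login session first, so a fixated session id does not survive authentication); if "remember me" was ticked, set the token as an HttpOnly cookie with a path and max-age, Secure if the authenticated area is HTTPS-only. On a request that has no authenticated session but carries the cookie, checkRememberMe either yields a username to start a session for or null. Two caveats a reviewer would raise: the iteration count is stored with each record so it can be raised later without breaking old logins, and this token can only be revoked by expiry or by rotating the server key; for per-user revocation (password change, "log out everywhere") store a random token identifier per user in the database and include it in the signed payload. Hashing the password in the browser before submission, which is one reading of the first requirement, does not remove the need for HTTPS on the login page: whatever string the browser sends becomes the password.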
 
ahmed yehia
Ranch Hand
Posts: 424

Ulf Dittmer wrote:You can use authentication with or without HTTPS. The two don't really have anything to do with each other.


What I want to know here is, if we don't use HTTPS to transmit user authentication info, then what other options are available for use in a web app.
Also, how much security can we obtain when using HTTPS or other methods, in order to achieve a robust security system, with the focus mostly on user authentication.

Cocoon for example.


That's the one I found: Authentication Framework

Ulf Dittmer wrote:this article


Interesting! Although the subject is mainly WS, it's useful. Thank you.

 
Ulf Dittmer
Rancher
Posts: 43081

ahmed yehia wrote:What I want to know here is, if we don't use HTTPS to transmit user authentication info, then what other options are available for use in a web app.
Also, how much security can we obtain when using HTTPS or other methods, in order to achieve a robust security system, with the focus mostly on user authentication.


HTTPS is used for encrypted web traffic, not for authentication. For authentication you have BASIC, DIGEST, FORM and CERTIFICATE. But those have nothing to do with HTTPS.

Whether web traffic needs to be encrypted, or whether it needs to be authenticated, are two unrelated questions, with unrelated solutions.
 
ahmed yehia
Ranch Hand
Posts: 424

Ulf Dittmer wrote:HTTPS is used for encrypted web traffic, not for authentication. For authentication you have BASIC, DIGEST, FORM and CERTIFICATE.


Per my understanding, HTTPS is used to protect data in transmission, and form-based authentication, which is widely used all across the internet, has the least security features (i.e. no data encryption), hence web traffic is exposed to vulnerability.

What I want to know is, if we use HTTPS for login forms, would that be sufficient to grant security? I suspect it's not always the case.
And if we don't use HTTPS, what could be the alternatives to achieve that goal.
 
Ulf Dittmer
Rancher
Posts: 43081
It doesn't make sense to say "authentication has the least security features" - it solves part of the security problem. HTTPS solves a different part.

And no, using HTTPS by itself does not make a form secure. There are any number of ways in which the form could still be insecure (think about XSS or SQL-injection attacks).

It all depends on what you're trying to guard against. There are scenarios in which HTTPS wouldn't be as useful as other security measures, and there are scenarios in which it would be indispensable.

So before thinking about what security measures to put in place, you need to think about what you're trying to protect, and which kinds of attacks you're trying to guard against. An analysis of the risks the application faces, and the potential cost of those risks would be part of that.
 
ahmed yehia
Ranch Hand
Posts: 424
Thank you Ulf

