
Access to restricted pages via login page

 
Kristofer Hindersson
Greenhorn
Posts: 25
Hi,

As part of an assignment we're supposed to implement a user login to restricted pages. Now I know that you're supposed to use j_security_check or configure security realms on your application server for this kind of problem but I was wondering whether it would be possible to put the restricted xhtml-pages inside the WEB-INF folder and give access to these programmatically via the application's own classes (controllers or managed beans), i.e. would it be possible to do something like this:



With a setup like this:


...Or will something like this not work at all?

I would appreciate any suggestions on better ways (maybe you can do this kind of thing directly inside a JSF 2 tag?) of solving this that don't involve hacking xml-files or setting up security realms and stuff like that.

/Kristofer
 
Tim Holloway
Bartender
Posts: 18709
No. The j_security_check mechanism never goes to the web application. It's managed by the webapp server (Tomcat, WebSphere or whatever). You do not write any authentication code. Instead the server detects secured pages by matching the incoming request URLs against the secured patterns defined in web.xml. If a secured URL is requested and the user is not authenticated, the container takes over and attempts to authenticate the user. If authentication succeeds, the originally-requested URL is passed to the webapp. If not, the URL "bounces" and the webapp never sees it at all. This makes it much harder for hackers, since they cannot exploit application flaws to get past security. Security is the gatekeeper to the app, and if the gatekeeper rejects a request, the app never knows it came in.

In a related vein, if you look at the J2EE security services, you'll notice that there is no "getRole()" method. There are 2 reasons for this.

1. J2EE security permits a user to hold more than one role at a time. That allows more flexibility.

2. Good security never volunteers. You can't go on a "treasure hunt" to see what roles a user has. You can check to see if a user participates in a particular role, but that means you have to know (or suspect) that the role exists. You won't get any "freebies".
 
Kristofer Hindersson
Greenhorn
Posts: 25
Thank you for your reply but I'm afraid you may have misunderstood my question: I was wondering whether it would be possible to create my own authentication control by utilizing the fact that pages placed inside the WEB-INF folder are not accessible directly through a web browser. My idea was that I could somehow give access to these restricted pages programmatically via a method in a managedbean(?) if a user checked out against the corresponding users-table in the database. My reason for wanting to do this is that I find the whole concept of setting up a jdbcrealm unintuitive and I don't like the constraints it places on my table design. Also I dislike having to mess around with xml-files.
 
Tim Holloway
Bartender
Posts: 18709
The technical term for "Do it Yourself Security System" is "Massive Security Hole".

I've worked with webapps since before JSPs were invented and seen a LOT of DIY security systems over those years, including at financial institutions and military installations. Not ONE of them could stand up to more than 15 minutes of work by any halfway competent hacker and most of them would buckle like wet cardboard in under 5. The really bad ones would fail on the first URL request.

I've got a very long list of reasons why it's far better to use a professionally-designed security system such as the one that comes with J2EE but the long and short of it is that unless you've got formal training in the mathematics and methods of security AND can devote full time to the effort, your webapp is toast. Fiddling around with 4-5 lines of XML to take advantage of a pre-debugged, well-documented, well-tested security framework is a fairly small price to pay, I think.

There's nothing very restrictive about the jdbc realm. You need 2 tables. One with userid/password, one that maps userids to roles, since there's a 0..n relationship for roles and therefore role cannot be a single column in the user table. The Realm module doesn't force you to use specific table names or column names and it doesn't care about any other columns present in those tables.

But no. Short of redesigning the webapp server, you cannot use j_security_check yourself. It's used by the appserver as a routing code to dispatch the authentication credentials to the configured Realm's authentication method. You cannot make anything under WEB-INF visible via a URL. The closest you could get would be to have an externally visible logic resource such as a servlet retrieve the resource under WEB-INF and present it to the client. Which brings up yet another reason why this isn't a good idea. Designing, implementing, debugging and maintaining DIY security systems is expensive. And explaining why your clever solution got cracked can be pretty expensive, too, if you're supposed to be securing critical enterprise resources. Or, for that matter, can be exploited to gain access to apps that do attempt to keep critical enterprise resources secure.
 
Kristofer Hindersson
Greenhorn
Posts: 25
After three days of trying to get jdbcrealm working on Glassfish I give up. I've checked out every tutorial I can find and I've followed the prescribed steps in the Glassfish admin console help section and absolutely nothing happens when I attempt to access secured pages (i.e. no authorization takes place). I've set the monitoring to HIGH for security and the only message I get is that of the successful creation of the jdbcrealm. I get no error messages whatsoever. Most frustrating experience to date. -.-'
 