Hi,
I want to check with the experts to make sure that I'm going down the right route for security purposes.
Requirements:
- 3x logged in user groups each with access to their own set of pages, /user-group-1/*, /user-group-2/* and /user-group-3/*
- All users to login at /login/, or alternatively, /login-group-1/, etc.
- Need to be able to style the login page as a JSP
- All usernames / passwords stored in the database
- Redirect the user to a single /login/ page if they try to access a restricted URL
Thoughts so far:
So after doing an enormous amount of reading on the topic both in multiple books and online, I have come to the conclusion that this is an extremely under-documented setup. The usual methods of authentication, BASIC, FORM etc. only appear to work if you have all usernames / passwords stored in the tomcat-users.xml file which is no good for scalable applications.
As such, this essentially leaves only one option, which is to use sessions and session attributes to track which user group is logged in and their username; everything else can then work as normal with the servlets, as all functionality can run off these two pieces of information to ensure that no-one can access anything they shouldn't be. The current setup that is in place on the project, and appears to be working as expected, is as follows:
- URL filter in web.xml which automatically fires off users to UserGroup1Filter etc. if they try to access /user-group-1/* pages when their session information isn't present
- Single login JSP
- Single login submit servlet, which connects to the database to decide which group this username / password belongs to and makes sure that these details are correct before forwarding the user on
- For access to restricted pages, assuming the session information is valid, all functionality to behave running off this data. For example, getMyProfileDetails.java would take an input of "username" which has been pulled from the session.
The question being, is this the only solution to this problem? If not, what alternatives are there? And if so, is this method 100% secure, ensuring that it is not possible for someone else to hijack someone's session by somehow spoofing their username when sending session information to the server?
The application needs to be extremely secure and scalable, hence the requirements above.
Would be interested in hearing your thoughts on the topic.
Regards
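One way to build the filter-plus-login-servlet arrangement the post describes, as an added example that is not the poster's code or the project's. It assumes the Servlet 3.x API (javax.servlet) on Tomcat, so annotations stand in for the web.xml mappings; UserDao, its authenticate() method and the two demo users are hypothetical and constructed for the example (a real DAO reads salt, hash and group from the users table). The three classes are shown in one listing but belong in one .java file each.

```java
// Added example, not code from the original post. Session-attribute authorization for
// /user-group-N/* plus the single login servlet that sets the attributes. UserDao is
// hypothetical; its demo rows are constructed here. One public class per .java file.
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

/** Guards /user-group-N/*: the request passes only if the server-side session says group N. */
@WebFilter(urlPatterns = {"/user-group-1/*", "/user-group-2/*", "/user-group-3/*"})
public class GroupAuthorizationFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Group required by the URL, read from the container-decoded, normalized path
        // (servletPath + pathInfo), not from getRequestURI(), which is the raw URI and
        // may still contain ".." or percent-encoding that the mapper already resolved.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        String requiredGroup = null;
        for (String n : new String[] {"1", "2", "3"}) {
            if (path.startsWith("/user-group-" + n + "/")) requiredGroup = n;
        }

        // getSession(false) never creates a session for an anonymous hit.
        HttpSession session = request.getSession(false);
        Object group = (session == null) ? null : session.getAttribute("group");

        // Fail closed: unknown path, no session, or a different group all go to /login/.
        if (requiredGroup == null || !requiredGroup.equals(group)) {
            response.sendRedirect(request.getContextPath() + "/login/");
            return;
        }
        chain.doFilter(req, res);
    }
}

/** Single login submit servlet: verifies against the store, then puts username and group in the session. */
@WebServlet("/login/submit")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String group = (username == null || password == null)
                ? null : UserDao.authenticate(username, password.toCharArray());
        if (group == null) {
            response.sendRedirect(request.getContextPath() + "/login/?error=1");
            return;
        }
        // Drop any pre-login session so a session ID planted before login (fixation)
        // cannot become an authenticated one; attributes go into a freshly issued session.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = request.getSession(true);
        session.setAttribute("username", username);
        session.setAttribute("group", group);
        response.sendRedirect(request.getContextPath() + "/user-group-" + group + "/");
    }
}

/** Hypothetical credential store; stands in for the users table of the post. */
final class UserDao {
    private static final int ITERATIONS = 100_000;
    private static final Map<String, String> GROUPS = new HashMap<>();
    private static final Map<String, byte[]> SALTS = new HashMap<>();
    private static final Map<String, byte[]> HASHES = new HashMap<>();
    private static final byte[] DUMMY_SALT = new byte[16];

    static { // constructed demo rows; production stores hashes, it never derives them at startup
        register("alice", "correct horse battery staple".toCharArray(), "1");
        register("bob", "hunter2".toCharArray(), "2");
    }

    static void register(String username, char[] password, String group) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SALTS.put(username, salt);
        HASHES.put(username, pbkdf2(password, salt));
        GROUPS.put(username, group);
    }

    /** Returns the user's group on success, null on a bad username or password. */
    static String authenticate(String username, char[] password) {
        // Hash even for unknown users so response time does not reveal which usernames exist.
        byte[] salt = SALTS.getOrDefault(username, DUMMY_SALT);
        byte[] expected = HASHES.getOrDefault(username, new byte[32]);
        boolean ok = MessageDigest.isEqual(expected, pbkdf2(password, salt)) && HASHES.containsKey(username);
        return ok ? GROUPS.get(username) : null;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) { // salted, slow hash; never store plaintext
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

On the spoofing question the post raises: the "username" and "group" values that downstream code such as getMyProfileDetails reads never travel to the browser. They live in the HttpSession object on the server and are selected by the JSESSIONID cookie, so a client cannot send a different username; what it could send is a different session ID. That is why the example invalidates the old session at login and why the cookie should be HttpOnly and Secure with the site served only over TLS (Servlet 3.0 allows this in web.xml under session-config with cookie-config, http-only and secure set to true). The filter reads the path the container has already decoded and normalized rather than getRequestURI(), because the raw URI is what an attacker controls.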