Best Security Setup?

 
Ranch Hand
Posts: 166
Hi,

I want to check with the experts to make sure that I'm going down the right route for security purposes.

Requirements:

- 3 logged-in user groups, each with access to their own set of pages: /user-group-1/*, /user-group-2/* and /user-group-3/*
- All users log in at /login/, or alternatively at /login-group-1/, etc.
- Need to be able to style the login page as a JSP
- All usernames / passwords stored in the database
- Redirect the user to a single /login/ page if they try to access a restricted URL

Thoughts so far:

So after doing an enormous amount of reading on the topic both in multiple books and online, I have come to the conclusion that this is an extremely under-documented setup. The usual methods of authentication, BASIC, FORM etc. only appear to work if you have all usernames / passwords stored in the tomcat-users.xml file which is no good for scalable applications.

As such, this essentially leaves only one option, which is to use sessions and session attributes to track which user group is logged in and their username; everything else can then work as normal with the servlets, as all functionality can run off these two pieces of information to ensure that no one can access anything they shouldn't. The current setup that is in place on the project, and appears to be working as expected, is as follows:

- URL Filter in web.xml which automatically fires off users to UserGroup1Filter etc. if they try and access /user-group-1/* pages when their session information isn't present
- Single login JSP
- Single login submit servlet, which connects to the database to decide which group this username / password belongs to and makes sure that these details are correct before forwarding the user on
- For access to restricted pages, assuming the session information is valid, all functionality to behave running off this data. For example, getMyProfileDetails.java would take an input of "username" which has been pulled from the session.

The question being: is this the only solution to this problem? If not, what alternatives are there? And if so, is this method 100% secure, ensuring that it is not possible for someone else to hijack someone's session by somehow spoofing their username when sending session information to the server?

The application needs to be extremely secure and scalable, hence the requirements above.

Would be interested in hearing your thoughts on the topic.


Regards


 
Ranch Hand
Posts: 417
Java
Hello,

You seem on the right track! What you describe is basically the setup we use: a URL filter and a LoginCheck (credential) filter. The user id is kept in the HttpSession on the server and never goes to the browser in any form: not in cookies, nor in HTML. Be careful never to allow the browser to submit an internal (database) user id and take authentication action based on that.

We also use a UUID for the user id instead of a sequentially incremented int, just in case, although you definitely cannot rely on that for security.

As for spoofing session information: do not put anything in cookies. The cookie will only contain the JSP session id generated by your server, which is theoretically impossible to guess. So no session information will be sent to the browser, and the browser won't send any session information to the server; that would be considered bad practice.
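As an added example (not code from either poster), the setup described in the original post (a per-group URL filter, a single login submit servlet that checks the database, and a profile servlet driven by session data) combined with the caveat from the reply (identity lives only in the server-side HttpSession; a browser-supplied username is never used for authorisation). It assumes Servlet 3.x annotations in place of the web.xml mappings the poster uses, a JNDI DataSource named jdbc/app, a hypothetical users table with columns username, pw_hash, pw_salt and user_group, and PBKDF2-SHA256 password hashes stored Base64-encoded; all of those names are assumptions.

```java
// Added example, not from the thread. Assumed: javax.servlet 3.x, JNDI DataSource
// "jdbc/app", hypothetical table users(username, pw_hash, pw_salt, user_group),
// PBKDF2WithHmacSHA256 hashes stored Base64-encoded with a per-user salt.
import java.io.IOException;
import java.security.MessageDigest;
import java.sql.*;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class SessionSecurityExample {

    /** Guards /user-group-1/*: the group comes from the server-side session only. */
    @WebFilter("/user-group-1/*")
    public static class UserGroup1Filter implements Filter {
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest r = (HttpServletRequest) req;
            HttpSession s = r.getSession(false);            // never create a session here
            Object group = (s == null) ? null : s.getAttribute("userGroup");
            if (!"group-1".equals(group)) {                 // not logged in, or wrong group
                ((HttpServletResponse) resp).sendRedirect(r.getContextPath() + "/login/");
                return;
            }
            chain.doFilter(req, resp);
        }
        public void init(FilterConfig c) {}
        public void destroy() {}
    }

    /** Single login submit servlet: verifies credentials against the DB, then stores
     *  username and group in the session. The session is rotated on login so a
     *  session id fixed by a third party before login is not kept. */
    @WebServlet("/login-submit")
    public static class LoginServlet extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException, ServletException {
            String user = req.getParameter("username");
            String pass = req.getParameter("password");
            String group = (user == null || pass == null) ? null : authenticate(user, pass);
            if (group == null) {
                resp.sendRedirect(req.getContextPath() + "/login/?error=1");
                return;
            }
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();              // drop pre-login session
            HttpSession s = req.getSession(true);            // fresh id after login
            s.setAttribute("username", user);
            s.setAttribute("userGroup", group);
            resp.sendRedirect(req.getContextPath() + "/user-" + group + "/");
        }
    }

    /** Returns the user's group on success, null on any failure (unknown user or bad password). */
    static String authenticate(String user, String pass) throws ServletException {
        try {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/app");
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(          // parameterised, no string concat
                     "SELECT pw_hash, pw_salt, user_group FROM users WHERE username = ?")) {
                ps.setString(1, user);
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) return null;
                    byte[] expected = Base64.getDecoder().decode(rs.getString("pw_hash"));
                    byte[] salt = Base64.getDecoder().decode(rs.getString("pw_salt"));
                    byte[] actual = pbkdf2(pass, salt);
                    // constant-time comparison of the stored and computed hashes
                    return MessageDigest.isEqual(expected, actual) ? rs.getString("user_group") : null;
                }
            }
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    static byte[] pbkdf2(String pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** The poster's getMyProfileDetails pattern: identity is read from the session the
     *  filter already validated, never from a request parameter the browser controls. */
    @WebServlet("/user-group-1/getMyProfileDetails")
    public static class ProfileServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String username = (String) req.getSession(false).getAttribute("username");
            // Insecure variant to avoid: String username = req.getParameter("username");
            // that would let any logged-in user read another account's profile by editing the URL.
            resp.setContentType("text/plain");
            resp.getWriter().println("Profile for " + username);
        }
    }
}
```

Two design points follow directly from the reply above: the only thing that crosses the wire is the container-generated session id cookie, so marking it HttpOnly and Secure in web.xml (`<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` in Servlet 3.0) limits what script or a plain-HTTP leak can do with it, and every servlet behind the filter derives username and group from HttpSession attributes rather than anything the client submits, so there is no username field for a caller to spoof.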
 
Michael Cropper
Ranch Hand
Posts: 166
Perfect, thanks AJ. Good to know we're on the right track with everything :-)
 