JSP - JDBC DataSourceRealm - Confine users to a roleName section - Tomcat 8.5

Greenhorn
Hi all!

I am playing around with a survey application
"Hello will you give us feedback on your experience" type of thing.

And I was thinking that I would try and add some security to the "take the survey" section, to avoid
1. Bots filling out surveys by just browsing all thinkable URL combinations, etc.
2. If someone found an active survey for a user, they cannot fill it out without the password.

I was thinking I could do this using Tomcat's DataSourceRealm with
userNameCol, userCredCol and roleNameCol.

As I understand it, the roleNameCol is like a group name, to give access to a given section of your site.
Q1. Is the roleNameCol necessary for the DataSourceRealm? Or can you skip it?

Q1.2. If you can skip it, what is the downside to this?

Q2. I was thinking that I could use my survey name/ID as the roleNameCol value, but would I then need to explicitly define all these values in my web.xml or context.xml as the
<auth-constraint>, <role-name>? This would be manual work to keep up to date, and I was hoping that there would be a more dynamic (automatic) approach I could use to achieve the same thing.

Any and all advice / suggestions are most welcome.

Thanks to all in advance
Best regards.
Tim Holloway
Saloon Keeper
Realms aren't unique to the Tomcat webapp server. There's something equivalent for any J2EE/JEE-compliant webapp server. I don't know if the actual term "Realm" is part of the standard, but it's certainly common to all the appservers I've worked with.

Although in Tomcat parlance, a Realm refers to a plug-in that manages the JEE-standard Container Managed Security system.

Container Security manages access to URL paths. This is important to know, because an attacker can subvert security if they can simply find an alternate URL that can access the same resources. Case in point: in JavaServer Faces, the URL doesn't always point to the current resource - it's more of a "session handle", so you can go to page 1, jump to (secured) page 2, and get away with it, because the page 1 URL is still being used. Fortunately there's a way to avoid that, but let's leave that for the JSF forum.

Regardless of what Realm you use, all Realms provide the same services: Authentication and Authorization. Authentication is where you log in the remote user. The actual Realm authenticate() method takes 2 parameters, corresponding to the userid and password that were extracted by the webapp server (NOT the web application!) from the login dialog or login web page (depending on how you configured security in the webapp's web.xml). This method then validates the credentials and provides a simple yes/no answer. For a JDBC Realm, essentially, the authenticate() method issues a request to the database that looks something like this:

If the query returns 1, the userID and password have matched and the user is approved. A response of 0 means no match, fail the login. A response other than 0 or 1 means that the userid table has trash in it and probably wasn't defined with its userid as a UNIQUE key.

Note that by doing the above, passwords are never returned from the database to the appserver, meaning that Bad People can't simply hack into the appserver and browse for returned passwords.

Now for the authorization part. As I said, URL paths are protected by roles. A role is simply an identifier that can be assigned to a user to indicate that the user in question is allowed access. If the URL is role-protected and the user has that role, access is permitted, otherwise it is denied. Users and roles have a many/many database relationship. A user can have multiple roles, and of course, a role may have many users. This allows a lot of flexibility because you can elevate or diminish a user's privileges on a fine-grained basis just by adjusting the user role table. Say, for example, that Ted is a member of Department X, so he has a "departmentx" role. But Ted's boss is going out of town for 2 weeks and Ted needs to be allowed to do things that normally only Ted's boss could do. So for two weeks, you add a role entry for userid = Ted and rolename = "departmentx_manager". Then when time's up, delete that role entry.

One final thing to note. Since it's dangerous to have roles change in a live application, you generally have to log out and back in again when roles change.
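The count-style authentication query and the separate user/role table that the reply describes, as an added Python/sqlite3 illustration (not code from this thread or from Tomcat itself). The table and column names, the bare SHA-256 digest standing in for Tomcat's credential handler, and the user "ted" are assumptions:

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the DataSourceRealm tables: a user table
# (userNameCol, userCredCol) and a separate user/role table (userNameCol,
# roleNameCol). Table and column names are assumptions.
SCHEMA = """
CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT NOT NULL);
CREATE TABLE user_roles (
    user_name TEXT NOT NULL REFERENCES users(user_name),
    role_name TEXT NOT NULL,
    PRIMARY KEY (user_name, role_name));
"""

def digest(password):
    # Stand-in for Tomcat's digested credentials; a real deployment would use a
    # salted, iterated credential handler rather than a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()

def setup():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?, ?)", ("ted", digest("s3cret")))
    conn.execute("INSERT INTO user_roles VALUES (?, ?)", ("ted", "departmentx"))
    return conn

def authenticate(conn, user, password):
    # The count query the reply describes: the credential goes *to* the
    # database for comparison and is never returned to the application.
    sql = "SELECT COUNT(*) FROM users WHERE user_name = ? AND user_pass = ?"
    count = conn.execute(sql, (user, digest(password))).fetchone()[0]
    if count > 1:
        raise RuntimeError("user_name is not unique: the user table has trash")
    return count == 1

def roles_of(conn, user):
    # Roles live in their own table, so a user can hold any number of them.
    rows = conn.execute("SELECT role_name FROM user_roles WHERE user_name = ?",
                        (user,))
    return {r[0] for r in rows}

def grant(conn, user, role):
    conn.execute("INSERT OR IGNORE INTO user_roles VALUES (?, ?)", (user, role))

def revoke(conn, user, role):
    conn.execute("DELETE FROM user_roles WHERE user_name = ? AND role_name = ?",
                 (user, role))
```

Granting and later revoking "departmentx_manager" for "ted" is just a row added to and deleted from user_roles; the password row never changes.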

Drenriza Housen
Greenhorn
Hi @Tim Holloway, thanks for the reply and the insight, I learned a ton!

I will think about what you have said and how I can use it to solve my login check.
Drenriza Housen
Greenhorn
I was thinking about how I could implement a <security-constraint> to secure a section of my site that will require authentication and authorization.
I have tried to define this in my web.xml file:



But when I navigate to survey.local/Anything I am not presented with the login page for the site.
My <login-config>:


In my /META-INF/context.xml file I have my realm defined as:


I was thinking that the realm would work by testing if a user with the username + password + role existed and returning 'true' or 'false'.


But so far I am not even presented with the login page.

Any and all advice is greatly appreciated!
Thanks in advance to all,
best regards.
Tim Holloway
Saloon Keeper
Unless my memory fails, using a user-transport of None means that secure page access will NOT be done using SSL. I don't think you want that.

Also:


is redundant. "/*" covers all URL patterns, including "/survey.local".

Your main failure is that to force login, you have to map roles to one or more URL patterns. Any URL that doesn't match a URL role pattern is assumed to be available to everyone, including users who have not (yet) authenticated. The server will only force a login when the user requests a role-protected URL.

Note that if you role-protect "/*" that can give you a chicken-and-egg problem if you reference any URLs on your login pages such as CSS files or images! You will usually want to be more selective. In fact, for all but the most paranoid apps, I usually have a public welcome page which is also not role-protected.

Also, you should not put userid/password and role in the same table, because roles are designed to have a many-to-many relationship with userids. You should use a separate table to define userid+role. The userid in the role table is a foreign key to the userid in the userid+password table, although it's not required to formally define that in the database schema.
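To make the url-pattern point concrete, an added Python example (not from this thread or from Tomcat) that models security-constraint matching the way the reply describes it: a URL that matches no pattern is public, "/*" also catches the login page's stylesheet, and a narrower pattern leaves it alone. The pattern names, role names and the simplified best-match rule are assumptions:

```python
# Constructed constraint tables, mirroring <security-constraint> entries in
# web.xml: each url-pattern maps to the roles allowed there. The patterns and
# role names are assumptions, not the poster's actual web.xml.
SELECTIVE = {"/survey/*": {"surveytaker"}, "/admin/*": {"departmentx_manager"}}
PROTECT_EVERYTHING = {"/*": {"surveytaker"}}

def matches(pattern, path):
    # Servlet-style matching: exact, path prefix ("/x/*") or extension ("*.jsp").
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def required_roles(constraints, path):
    # Best match wins: exact, then the longest prefix, then an extension pattern.
    # None means the URL is not role-protected, so the container serves it to
    # everyone, including users who have not authenticated yet.
    best = None
    for pattern, roles in constraints.items():
        if not matches(pattern, path):
            continue
        if pattern == path:
            rank = (2, 0)
        elif pattern.endswith("/*"):
            rank = (1, len(pattern))
        else:
            rank = (0, 0)
        if best is None or rank > best[0]:
            best = (rank, set(roles))
    return None if best is None else best[1]

def decide(constraints, path, user_roles=None):
    """'public' (no constraint), 'login' (anonymous user hit a protected URL),
    'allow' or 'deny' for a request, given the roles of the logged-in user."""
    needed = required_roles(constraints, path)
    if needed is None:
        return "public"
    if user_roles is None:
        return "login"
    return "allow" if needed & set(user_roles) else "deny"
```

With PROTECT_EVERYTHING, an anonymous request for "/css/login.css" already demands a login, which is the chicken-and-egg case; with SELECTIVE the same file and "/login.jsp" stay public while "/survey/42" still forces the login.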