Session Handling - JoshuaScotton.com

Authentication and Security
Joshua Scotton


Sessions
Login and Authentication
Tracking the User

Cookies
◦ Store a unique identifier in a cookie for the website

URL Rewriting
◦ Append a unique identifier to the end of each URL

Hidden Form Fields
◦ <INPUT TYPE="HIDDEN" NAME="session" VALUE="...">

Customization
◦ Adaptive Content
◦ Adaptable Content

Security
◦ Restrict areas of the site based on user
◦ User login tracked using session

User Behaviour
◦ Track page accesses

User Information
◦ Store user settings and information


getAttribute(), getAttributeNames(), setAttribute(), removeAttribute()
◦ These methods are used to set, get and remove objects from a user
session
getId()
◦ Every session created by the server has a unique 'id' associated with it in
order to identify this session from other sessions.
getCreationTime()
◦ Simply returns a long value indicating the date and time this session was created.
getLastAccessedTime()
◦ Returns a long value indicating the last time the user accessed any resource on this server.
getMaxInactiveInterval(), setMaxInactiveInterval()
◦ Return and set the maximum inactive interval in seconds for this session, respectively.
isNew()
◦ Returns a boolean value indicating if the session is new.
invalidate()
◦ Simply invalidates a session. Can be used for logout.

Most Java servers will use cookies if the
browser supports them, but automatically
revert to URL-rewriting when cookies are
unsupported or explicitly disabled.


Sessions can be accessed and managed by
both Servlets and JSPs.
This can happen in combination as in the
following demo.
package webdev.examples.sessions;

import java.io.Serializable;

// Session-scoped counter bean. Serializable so the container can persist
// or replicate the session that holds it.
public class CounterBean implements Serializable {
    private Integer count;
    public CounterBean() {
        super();
        this.count = 0;
    }
    public Integer getCount() { return this.count; }
    public void setCount(Integer count) { this.count = count; }
    public void incrementCount() { this.count++; }
}
<jsp:useBean id="counter"
class="webdev.examples.sessions.CounterBean"
scope="session"/>
<p>
The counter was: <%= counter.getCount() %>
</p>
<% counter.incrementCount(); %>
<p>
The counter is now: <%= counter.getCount() %>
</p>
// Inside a servlet's doGet(): create the session if needed and keep the
// counter in it under the same "counter" attribute the JSP above uses.
PrintWriter out = response.getWriter();
HttpSession session = request.getSession(true);
CounterBean counter;
// A session created by another page may exist without the attribute,
// so check for it as well as isNew() to avoid a NullPointerException.
if (session.isNew() || session.getAttribute("counter") == null) {
    counter = new CounterBean();
    session.setAttribute("counter", counter);
}
counter = (CounterBean) session.getAttribute("counter");
counter.incrementCount();
out.println("Counter now: " + counter.getCount());
out.close();
Allowing Persistent Storage

1. A user accesses a protected page.
2. If the user is authenticated and has permission to access the page then the resource is made available. Otherwise a login page is shown.
3. If the name and password cannot be authenticated then an error is shown.



[Diagram: User/Group Database, Access Control List (ACL), Login Page]




A Principal is a named entity, commonly representing an individual or corporation.
Principals can fill one or more Roles.
Resources can be protected by associating them with Roles.
Principals and Roles are similar to Users and Groups in Linux.
<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Page</web-resource-name>
      <url-pattern>/secretPage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>employee</role-name>
  </security-role>
</web-app>


A web-resource-collection may contain more than one url-pattern, e.g.:
<url-pattern>/members/*</url-pattern>

Principal getUserPrincipal()
◦ Returns a reference to a java.security.Principal

boolean isUserInRole(String)
◦ Determines whether a user is in a role, specified by
the string argument

String getRemoteUser()
◦ Returns the username that was used for login

String getAuthType()
◦ Returns the authentication type: BASIC, SSL, or null

boolean isSecure()
◦ Returns true if the connection is HTTPS

String getScheme()
◦ Scheme represents transport mechanism: http,
https...
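Using these request methods inside a servlet, as an added example that is not part of the original slides (the servlet paths and class names are assumed; it requires the Servlet 3.0 API for @WebServlet and logout(), and the two public classes go in separate files):

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Programmatic checks layered on top of the declarative <security-constraint>.
// They catch a misconfigured web.xml instead of silently serving the page.
@WebServlet("/members/report")   // assumed path, under the /members/* pattern
public class MembersReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Refuse to serve authenticated content over plain HTTP.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // A null principal means the container never authenticated this request.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Role check against the <security-role> declared in web.xml.
        if (!req.isUserInRole("employee")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Report for " + req.getRemoteUser()
                + " via " + req.getAuthType() + " over " + req.getScheme());
    }
}

// Logout: drop the session state and the container-managed identity.
@WebServlet("/logout")           // assumed path
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();        // same call the slides use for logout
        }
        req.logout();                    // Servlet 3.0+: clears getUserPrincipal()
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```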




Basic authentication
Form-based authentication
Digest authentication
SSL and client certificate authentication
<web-app>
  ...
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Basic Authentication Example</realm-name>
  </login-config>
  ...
</web-app>



A realm is a database of usernames and passwords.
It also contains a list of roles associated with each user.
Realms are specific to the server being used.

JDBCRealm - Accesses authentication information stored in a
relational database, accessed via a JDBC driver.
DataSourceRealm - Accesses authentication information stored
in a relational database, accessed via a named JNDI JDBC
DataSource.
JNDIRealm - Accesses authentication information stored in an
LDAP based directory server, accessed via a JNDI provider.
UserDatabaseRealm - Accesses authentication information stored in a
UserDatabase JNDI resource, which is typically backed by an XML
document (conf/tomcat-users.xml).
MemoryRealm - Accesses authentication information stored in an
in-memory object collection, which is initialized from an XML
document (conf/tomcat-users.xml).
JAASRealm - Accesses authentication information through the
Java Authentication & Authorization Service (JAAS) framework.



<Realm className="... class name for this implementation"
       ... other attributes for this implementation .../>

Server-wide: conf/server.xml
Per web app: META-INF/context.xml

<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Realm className="org.apache.catalina.realm.MemoryRealm"/>
</Context>

$TOMCAT_HOME/conf/tomcat-users.xml
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>



Demo files: members.jsp, web.xml, context.xml

<p>User '<%= request.getRemoteUser() %>' has been logged out.</p>
<% session.invalidate(); %>
1. The login form associated with the security constraint is sent to the client and the URL path triggering the authentication is stored by the container.
2. The user is asked to fill out the form, including the username and password fields.
3. The client posts the form back to the server.
4. The container attempts to authenticate the user using the information from the form.
5. If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200.
6. If authentication succeeds, the authenticated user's principal is checked to see if it is in an authorized role for accessing the resource.
7. If the user is authorized, the client is redirected to the resource using the stored URL path.

Create a custom login page with the following form fields:
◦ j_username
    - The name of the username field
◦ j_password
    - The name of the password field
◦ j_security_check
    - The login form's action

<form method='post' action='j_security_check'>
  <input type='text' name='j_username'>
  <input type='password' name='j_password'>
  <input type='submit' value='Login'>
</form>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>




Use a JDBC Database Realm
Create a table of usernames and passwords
Create a table of usernames and roles
The column name for the username must be the same in both tables

JDBCRealm attributes:
◦ connectionName
◦ connectionPassword
◦ connectionURL
◦ driverName
◦ roleNameCol
◦ userCredCol
◦ userNameCol
◦ userRoleTable
◦ userTable
http://tomcat.apache.org/tomcat-3.3doc/JDBCRealm-howto.html
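The JDBC realm steps and attributes above put together in a context.xml, as an added example that is neither from the slides nor from the Tomcat documentation (the database, table, column and account names are assumed; the nested CredentialHandler, which avoids the clear-text passwords seen in tomcat-users.xml, needs Tomcat 8 or later):

```xml
<!-- META-INF/context.xml: per-webapp realm (use conf/server.xml for server-wide) -->
<Context>
  <!-- Assumed schema; both tables share the user_name column as required:
       CREATE TABLE users      (user_name VARCHAR(64) PRIMARY KEY,
                                user_pass VARCHAR(255) NOT NULL);
       CREATE TABLE user_roles (user_name VARCHAR(64) NOT NULL,
                                role_name VARCHAR(64) NOT NULL,
                                PRIMARY KEY (user_name, role_name));
       The tomcat_realm database account only needs SELECT on these tables. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.postgresql.Driver"
         connectionURL="jdbc:postgresql://localhost:5432/webapp"
         connectionName="tomcat_realm"
         connectionPassword="REPLACE-WITH-SECRET"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name">
    <!-- Store salted, iterated SHA-256 digests in user_pass instead of clear
         text; generate them with $CATALINA_HOME/bin/digest.sh (Tomcat 8+). -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"
                       iterations="10000"
                       saltLength="16"/>
  </Realm>
</Context>
```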