<li><em>date</em>: Tue Mar 16 09:13:01 2004</li>
<li><em>from</em>: cfowler at outpostsentinel.com (Chris Fowler)</li>
<li><em>in-reply-to</em>: <[email protected]></li>
<li><em>references</em>: <1079441240.21367.8.camel@devel> <[email protected]></li>
<li><em>subject</em>: [ale] Re: [ajug-members]: User authentication in web app</li>
On Tue, 2004-03-16 at 08:58, Rob Kischuk wrote:
> I would recommend using J2EE Container Managed Security. While there
> are certain circumstances where it is inadequate, it is usually useful
> to at least authenticate your users. Most J2EE app servers are moving
> toward using JAAS to fulfill the authentication needs, meaning you can
> flexibly switch between using a flat file for your username/password to
> a database to LDAP without ever rewriting your code. Parameters can
> usually be set to add encryption to your passwords. This security
> approach also lets you switch authentication methods easily - from
> dialog boxes to web based forms. A very light overview can be found
> here:
> http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security4.html#67530. If
> someone has a link to a better resource, it would be excellent.
>
> The security is declarative, meaning that you tell the servlet container
> which pages should be secure, and what "roles" should have access to
> them. In your case, it sounds like you have really only one role that
> you want to enforce, so you could simply configure your entire web app
> to be restricted to users in the role "user". Then, in your security
> database, just make sure each user is assigned this role (the structure
> of the database will vary based on your needs and app server
> requirements). For some app servers, you could probably configure the
> role query as "select 'user' from dual" and dispense with the need for a
> roles table in your DB altogether.
>
> The really nice thing here is that you don't have to check for the
> user's session - the app server will observe the resource the user is
> trying to access and notice whether it is secured. If it is, it will
> check their session to see if they're authorized to access it. If not,
> it will send them to the log in page (if they're logged in and don't
> have access, you'll get an HTTP 403 error - if you get into significant
> role management, I recommend you override the 403 error page with a
> custom page that matches your app's look and feel).
>
> As for your existing method of authentication, it is dangerous. "select
> * from users where PASSWORD like PASSWORD('value');" will allow anyone
> access so long as they specify a correct password. If the username is
> wrong, or even non-existent, a user could still gain access, because
> that query only checks to see if a matching password exists. You need
> to also match the username. In J2EE, the best way to check each request
> for a certain token would be to use a servlet filter. A filter can be
> configured to execute on all requests, or only on requests matching a
> certain pattern. Still, both of these concerns are managed by J2EE
> security, and have been carefully written and tested, so I suggest
> building on top of that.
>
> -Rob
>
> Chris Fowler wrote:
>
> >I'm trying to determine the best way to do user auth in a web
> >application. I've not done this yet inside of servlets. I've done it
> >within our CGI programs that were all written in C.
> >
> >In the past all users were stored in our special password system. This
> >was on an embedded machine. I used getpwnam() to get user data and then
> >I would get ACL data. That is just the details. To track users I would
> >auth their password against the one in the passwd system using one way
> >encryption. I then took the one way encrypted string and added it to a
> >cookie. The cookie data was 128-bit encrypted. Every time the user
> >would access a page I would then re-authenticate them with that one way
> >encrypted password that they entered on the login page. If there was no
> >match then I would redirect them to the login page. The reason I did
> >this was in the condition that the administrator changed their password
> >or rights in between pages. This was the only way I could think of how
> >to guarantee they had privs to the site.
> >
> >I want to do a similar thing in the webapp. I plan on using a table in
> >our database to store user accounts for the application. So during the
> >login phase I'll get their password and do a select on that table. I
> >could simply use the password() function in mysql like this:
> >
> >select * from users where PASSWORD like PASSWORD('value');
> >
> >If I get a row then obviously the password matched. Is this the correct
> >thing to do?
> >
> >Next question I have is on session tracking. I can then use the servlet
> >session API and then add this encrypted string to the cookie. Every
> >time the user accesses a page I can then do this:
> >
> >
> >select * from users where PASSWORD like PASSWORD('value');
> >
> >If I get a match then I know the user is good. Otherwise I need to
> >redirect them to the login servlet.
> >
> >This is the only way I can guarantee they have access between each page.
> >
> >Is my solution a good solution or provides too much overhead? I want to
> >keep good track of users and make sure there are no loopholes in the
> >security system.
> >
> >Thanks,
> >Chris
> >
> >
</pre>
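The password-only check Rob flags above, beside the username-plus-password check he recommends, as an added example that is not part of the thread. It uses an in-memory SQLite table and SHA-256 as a stand-in for MySQL's PASSWORD() so it runs offline; the usernames and passwords are constructed sample data.

```python
# Added example, not from the thread: why "select * from users where
# PASSWORD like PASSWORD('value')" is a broken login check.  SHA-256
# stands in for MySQL's PASSWORD(); the users below are constructed.
import hashlib
import sqlite3


def one_way(password: str) -> str:
    """Stand-in for MySQL PASSWORD(): a one-way hash of the clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Two users share a password, which is common in any real user table.
    for user, pw in [("alice", "letmein"), ("bob", "letmein"), ("carol", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, one_way(pw)))
    conn.commit()
    return conn


def login_password_only(conn: sqlite3.Connection, password: str) -> list:
    """The query from the thread: it returns every row whose stored hash
    matches the supplied password, without caring who is logging in."""
    rows = conn.execute(
        "SELECT username FROM users WHERE password LIKE ? ORDER BY username",
        (one_way(password),),
    ).fetchall()
    return [r[0] for r in rows]


def login_user_and_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix Rob describes: the row must match both the username and the
    one-way hash; values are bound as parameters, never concatenated."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, one_way(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    # Someone claiming to be "mallory" (no such user) still gets rows back
    # from the password-only query, and two accounts at that.
    print(login_password_only(db, "letmein"))                 # ['alice', 'bob']
    print(login_user_and_password(db, "mallory", "letmein"))  # False
    print(login_user_and_password(db, "alice", "letmein"))    # True
```

The password-only query also cannot tell alice from bob when they share a password, so even a "successful" login has no reliable identity to put in the session.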
</body>
</html>