Server-side Web Programming Lecture 18: User Authentication and Security Roles
2. Restricting Access to Web Resources
- May only want some users to be able to access certain pages
- Example: Course web site
  [Figure: table mapping the course resources (Course Syllabus; View Current Grade; Take Online Quiz; Set Grades; Create Online Quiz) to the users allowed to reach them (Anyone; Students registered for course; Instructor)]
3. Security Roles and Resources
- Define what types of users have access to what types of resources
  - Note that roles may overlap
  - Some roles may have access to multiple resources
  [Figure: Inventory Role, HR Role and Manager Role drawn against the resources View inventory, Add to inventory, Change prices in inventory, View salaries, Change salaries]
4. Security Roles and Users
- Users have roles
  - Controls what resources an individual user has access to
  - A user may have multiple roles

  User      Role(s)
  Burns     Manager
  Smithers  Inventory, HR
  Marge     HR
  Homer     Inventory
5. User Identification
- Password-based in Tomcat
  - Not most secure method!
  [Figure: exchange between the client and Tomcat for a protected resource]
  1. Request for resource
  2. Response prompts for username and password
  3. Request contains username, password
  4. Resource sent as response if correct; error page sent as response if incorrect
6. Defining Roles in Tomcat
- In web.xml file of application
  - First define roles
7. Defining Roles in Tomcat
- Define resources those roles have access to
  - Simplest method: Create subdirectory off of main application directory
  - Use a url pattern of the form /subdirectory/* to define secure areas
    - /employee/* (files in here only accessible by employee role)
    - /manager/* (files in here only accessible by manager role)
8. Defining Roles in Tomcat
- <security-constraint> tag
  - <web-resource-collection> tag defines what directories are restricted (files in this subdirectory)
  - <auth-constraint> tag defines which roles have access (may only be accessed by users in these roles)
9. Defining User Roles in Tomcat
- For each user:
  - Username and password
  - Role(s) they assume
- Where can they be stored?
  - tomcat-users.xml file in conf directory
    - Simple to implement
    - Difficult to manage if have thousands of users in dozens of roles
  - Separate database
10. User Roles in tomcat-users.xml
- In tomcat-users.xml file:
  - Define roles with <role> tag
  - Define users with <user> tag
    - Username, password, and roles defined
    - Roles can be a list
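The file described on this slide, written out as an added example (not the lecture's own file), together with the server.xml realm setting that lets the stored passwords be digests instead of clear text. The usernames, roles and PLACEHOLDER digest values are constructed for the example.

```xml
<!-- conf/tomcat-users.xml (added example, not the lecture's file). The
     lecture's form <user username="Homer" password="donut" roles="employee"/>
     stores the password in clear text, so anyone who can read conf/ has every
     password. Below, the password attribute holds a salted digest instead;
     the PLACEHOLDER values stand for output of Tomcat's bin/digest.sh. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <!-- every role named in a web.xml <auth-constraint> must exist here -->
  <role rolename="employee"/>
  <role rolename="manager"/>

  <!-- roles can be a comma-separated list; digests produced with
       bin/digest.sh -a SHA-256 -i 100000 -s 16 <password> -->
  <user username="Homer" password="PLACEHOLDER_DIGEST_FOR_HOMER" roles="employee"/>
  <user username="Burns" password="PLACEHOLDER_DIGEST_FOR_BURNS" roles="employee,manager"/>
</tomcat-users>

<!-- conf/server.xml, inside <Engine>: use this in place of the default
     UserDatabaseRealm, keeping the surrounding LockOutRealm (it locks an
     account after repeated failed logins). The nested CredentialHandler
     (Tomcat 8 and later) tells the realm how the stored values were digested,
     so it digests the submitted password the same way before comparing;
     its parameters must match the ones given to digest.sh above. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="SHA-256" iterations="100000" saltLength="16"/>
</Realm>
```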
11. Defining User Roles in a Database
- Must provide information about database in context.xml
  - In the META-INF subdirectory of the application directory
  - Add tag of form:

    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://localhost:8080/users"
           connectionName="root"
           connectionPassword="sesame"
           userTable="Passwords"
           userRoleTable="Roles"
           userNameCol="Name"
           userCredCol="Password"
           roleNameCol="Role" />

  - driverName: driver name
  - connectionURL: URL and name of database
  - connectionName, connectionPassword: name and password to access database
  - userTable, userRoleTable: names of tables with passwords and roles
  - Field names: Passwords table uses userNameCol and userCredCol; Roles table uses userNameCol and roleNameCol
12. Defining User Roles in a Database
- Form of database tables:

  Passwords                 Roles
  Name    Password          Name    Role
  Homer   donut             Homer   employee
  Burns   excellent         Burns   manager
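The same JDBCRealm as on slides 11 and 12, rewritten as an added example (not the lecture's file) with the settings a practitioner would change before deploying: a dedicated read-only database account instead of root, digested passwords in the Password column, and the current Connector/J driver class. Host, port, account name and password are assumed placeholders; later Tomcat releases deprecate JDBCRealm in favour of DataSourceRealm, which takes the same table and column attributes.

```xml
<!-- META-INF/context.xml (added example; host, port, database account and
     password are constructed placeholders, not the lecture's values) -->
<Context>
  <!-- Same table and column layout as slide 12:
         Passwords(Name, Password)   one row per user
         Roles(Name, Role)           one row per user/role pair
       Changes from the slide 11 tag:
         * connectionName is an account granted only SELECT on these two
           tables; the realm never needs root or write access
         * the Password column holds salted digests (made with
           bin/digest.sh -a SHA-256 -i 100000 -s 16 <password>), and the
           nested CredentialHandler digests the submitted password the same
           way before comparing, so the database never stores clear text
         * driverName is the Connector/J 8 class name -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.cj.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost:3306/users"
         connectionName="tomcat_realm"
         connectionPassword="PLACEHOLDER_DB_PASSWORD"
         userTable="Passwords"
         userRoleTable="Roles"
         userNameCol="Name"
         userCredCol="Password"
         roleNameCol="Role">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256" iterations="100000" saltLength="16"/>
  </Realm>
</Context>
```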
13. Types of Authentication
- BASIC: Password prompt generated automatically
- FORM: Can define own prompt and error pages
14. BASIC Authentication
- Add <login-config> tag to web.xml
  - Will continue to prompt as long as login incorrect
15. FORM Authentication
- Must specify login page and error page
16. FORM Authentication
- ACTION of login form must be j_security_check
- Must use specific field names in login form
  - Name field must be j_username
  - Password field must be j_password
17. FORM Authentication
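A complete web.xml tying slides 6 to 8 (roles and constraints) and 14 to 16 (login configuration) together, as an added example rather than the lecture's own file. The page names login.html and login-error.html are assumed; the transport guarantee and the deny-uncovered-http-methods element are additions beyond the slides that close the two gaps most often left in this configuration.

```xml
<!-- WEB-INF/web.xml for the lecture's application (added example, not the
     lecture's own file; login.html and login-error.html are assumed names) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- 1. Declare the roles (slide 6) -->
  <security-role><role-name>employee</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>

  <!-- 2. Restrict the subdirectories (slides 7 and 8). Files outside these
       url-patterns are NOT protected, so keep every restricted file under them -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Employee area</web-resource-name>
      <url-pattern>/employee/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>employee</role-name></auth-constraint>
    <!-- the password travels with the request (BASIC) or in the form post
         (FORM); CONFIDENTIAL makes Tomcat redirect plain HTTP to HTTPS here -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager area</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- No <http-method> elements above: listing some would leave the unlisted
       methods unconstrained. This Servlet 3.1 element makes the container deny
       such uncovered methods if someone later adds an <http-method> list. -->
  <deny-uncovered-http-methods/>

  <!-- 3. FORM login (slides 14 to 16). For BASIC use <auth-method>BASIC</auth-method>
       with no <form-login-config>; the browser then shows its own prompt.
       login.html must POST fields j_username and j_password to j_security_check -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```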