• Like
Lecture18
Upcoming SlideShare
Loading in...5
×
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
402
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
4
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Server-side Web Programming Lecture 18: User Authentication and Security Roles
  • 2. Restricting Access to Web Resources
    • May only want some users to be able to access certain pages
    • Example: Course web site
    Course Syllabus View Current Grade Take Online Quiz Set Grades Create Online Quiz Students registered for course Anyone Instructor
  • 3. Security Roles and Resources
    • Define what types of users have access to what types of resources
      • Note that roles may overlap
      • Some roles may have access to multiple resources
    Add to inventory Change prices in inventory View salaries Change salaries Inventory Role HR Role Manager Role View inventory
  • 4. Security Roles and Users
    • Users have roles
      • Controls what resources and individual user has access to
      • A user may have multiple roles
    Manager Burns Inventory, HR Smithers HR Marge Inventory Homer Role(s) User
  • 5. User Identification
    • Password-based in Tomcat
      • Not most secure method!
    Tomcat Resource Request for resource Response prompts for username and password Request contains username, password Sent as response if correct Error page sent as response if incorrect
  • 6. Defining Roles in Tomcat
    • In web.xml file of application
      • First define roles
  • 7. Defining Roles in Tomcat
    • Define resources those roles have access to
      • Simplest method: Create subdirectory off of main application directory
      • Use a url pattern of the form / subdirectory /* to define secure areas
        • /employee/*
        • /manager/*
    Files in here only accessible by employee role Files in here only accessible by manager role
  • 8. Defining Roles in Tomcat
    • <security-constraint> tag
      • <web-resource-collection> tag defines what directories are restricted
      • <auth-constraint> tag defines which roles have access
    Files in this subdirectory May only be accessed by users in these roles
  • 9. Defining User Roles in Tomcat
    • For each user:
      • Username and password
      • Role(s) they assume
    • Where can they be stored?
      • tomcat-users.xml file in conf directory
        • Simple to implement
        • Difficult to manage if have thousands of users in dozens of roles
      • Separate database
  • 10. User Roles in tomcat-users.xml
    • In tomcat-users.xml file:
      • Define roles with <role> tag
      • Define users with <user> tag
        • Username, password, and roles defined
        • Roles can be list
  • 11. Defining User Roles in a Database
    • Must provide information about database in context.xml
      • Subdirectory of META-INF in application directory
      • Add tag of form:
    • <Realm className=“org.apache.catalina.realm.JDBCRealm” driverName=“com.mysql.jdbc.Driver” connectionURL=“jdbc:mysql://localhost:8080/users” connectionName=“root” connectionPassword=“sesame” userTable=“Passwords” userRoleTable=“Roles” userNameCol=“Name” userCredCol=“Password” roleNameCol=“Role” />
    Driver name URL and name of database Name and password to access database Name of tables with passwords and roles Field names: Password table uses userNameCol, userCredCol Roles table uses userNameCol, roleNameCOl
  • 12. Defining User Roles in a Database
    • Form of database tables:
    Passwords Roles donut Homer excellent Burns Password Name employee Homer manager Burns Role Name
  • 13. Types of Authentication
    • BASIC Password prompt generated automatically
    • FORM Can define own prompt and error pages
  • 14. BASIC Authentication
    • Add <login-config> tag to web.xml
      • Will continue to prompt as long as login incorrect
  • 15. FORM Authentication
    • Must specify login page and error page
  • 16. FORM Authentication
    • ACTION of login form must be j_security_check
    • Must use specific field names in login form
      • Name field must be j_username
      • Password field must be j_password
  • 17. FORM Authentication