Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this


  1. 1. Server-side Web Programming Lecture 18: User Authentication and Security Roles
  2. 2. Restricting Access to Web Resources <ul><li>May only want some users to be able to access certain pages </li></ul><ul><li>Example: Course web site </li></ul>Course Syllabus View Current Grade Take Online Quiz Set Grades Create Online Quiz Students registered for course Anyone Instructor
  3. 3. Security Roles and Resources <ul><li>Define what types of users have access to what types of resources </li></ul><ul><ul><li>Note that roles may overlap </li></ul></ul><ul><ul><li>Some roles may have access to multiple resources </li></ul></ul>Add to inventory Change prices in inventory View salaries Change salaries Inventory Role HR Role Manager Role View inventory
  4. 4. Security Roles and Users <ul><li>Users have roles </li></ul><ul><ul><li>Controls what resources and individual user has access to </li></ul></ul><ul><ul><li>A user may have multiple roles </li></ul></ul>Manager Burns Inventory, HR Smithers HR Marge Inventory Homer Role(s) User
  5. 5. User Identification <ul><li>Password-based in Tomcat </li></ul><ul><ul><li>Not most secure method! </li></ul></ul>Tomcat Resource Request for resource Response prompts for username and password Request contains username, password Sent as response if correct Error page sent as response if incorrect
  6. 6. Defining Roles in Tomcat <ul><li>In web.xml file of application </li></ul><ul><ul><li>First define roles </li></ul></ul>
  7. 7. Defining Roles in Tomcat <ul><li>Define resources those roles have access to </li></ul><ul><ul><li>Simplest method: Create subdirectory off of main application directory </li></ul></ul><ul><ul><li>Use a url pattern of the form / subdirectory /* to define secure areas </li></ul></ul><ul><ul><ul><li>/employee/* </li></ul></ul></ul><ul><ul><ul><li>/manager/* </li></ul></ul></ul>Files in here only accessible by employee role Files in here only accessible by manager role
  8. 8. Defining Roles in Tomcat <ul><li><security-constraint> tag </li></ul><ul><ul><li><web-resource-collection> tag defines what directories are restricted </li></ul></ul><ul><ul><li><auth-constraint> tag defines which roles have access </li></ul></ul>Files in this subdirectory May only be accessed by users in these roles
  9. 9. Defining User Roles in Tomcat <ul><li>For each user: </li></ul><ul><ul><li>Username and password </li></ul></ul><ul><ul><li>Role(s) they assume </li></ul></ul><ul><li>Where can they be stored? </li></ul><ul><ul><li>tomcat-users.xml file in conf directory </li></ul></ul><ul><ul><ul><li>Simple to implement </li></ul></ul></ul><ul><ul><ul><li>Difficult to manage if have thousands of users in dozens of roles </li></ul></ul></ul><ul><ul><li>Separate database </li></ul></ul>
  10. 10. User Roles in tomcat-users.xml <ul><li>In tomcat-users.xml file: </li></ul><ul><ul><li>Define roles with <role> tag </li></ul></ul><ul><ul><li>Define users with <user> tag </li></ul></ul><ul><ul><ul><li>Username, password, and roles defined </li></ul></ul></ul><ul><ul><ul><li>Roles can be list </li></ul></ul></ul>
  11. 11. Defining User Roles in a Database <ul><li>Must provide information about database in context.xml </li></ul><ul><ul><li>Subdirectory of META-INF in application directory </li></ul></ul><ul><ul><li>Add tag of form: </li></ul></ul><ul><li><Realm className=“org.apache.catalina.realm.JDBCRealm” driverName=“com.mysql.jdbc.Driver” connectionURL=“jdbc:mysql://localhost:8080/users” connectionName=“root” connectionPassword=“sesame” userTable=“Passwords” userRoleTable=“Roles” userNameCol=“Name” userCredCol=“Password” roleNameCol=“Role” /> </li></ul>Driver name URL and name of database Name and password to access database Name of tables with passwords and roles Field names: Password table uses userNameCol, userCredCol Roles table uses userNameCol, roleNameCOl
  12. 12. Defining User Roles in a Database <ul><li>Form of database tables: </li></ul>Passwords Roles donut Homer excellent Burns Password Name employee Homer manager Burns Role Name
  13. 13. Types of Authentication <ul><li>BASIC Password prompt generated automatically </li></ul><ul><li>FORM Can define own prompt and error pages </li></ul>
  14. 14. BASIC Authentication <ul><li>Add <login-config> tag to web.xml </li></ul><ul><ul><li>Will continue to prompt as long as login incorrect </li></ul></ul>
  15. 15. FORM Authentication <ul><li>Must specify login page and error page </li></ul>
  16. 16. FORM Authentication <ul><li>ACTION of login form must be j_security_check </li></ul><ul><li>Must use specific field names in login form </li></ul><ul><ul><li>Name field must be j_username </li></ul></ul><ul><ul><li>Password field must be j_password </li></ul></ul>
  17. 17. FORM Authentication