Question on web-app security

 
Ranch Hand
Posts: 121
Was trying out an example based on (my understanding of) HFSJ



The roles (tomcat and role1) have been defined in tomcat-users.xml file.

I would like to know WHY/HOW the code works (the if condition passes) in the latter case while it doesn't in the former case. Though HFSJ says the former should work.

Would appreciate if someone could help on this.

Env: Tomcat 5.0.30/J2SE 1.4.2
 
Ranch Hand
Posts: 168
Hi,

tomcat & role1 are the actual roles defined in tomcat-users.xml, whereas Admin & Manager are just the logical names given by you for these role names. Tomcat will make a mapping when you give a logical name for any role, but it'll consider only the actual or real names configured in tomcat-users.xml.

hth..

Regards,
Priya.
 
Sub swamy
Ranch Hand
Posts: 121
Agree with what you have said.

My question is, if there is a mapping (through)


then why isn't the logical name (Admin) recognized in the Servlet?

Unless I explicitly specify the roles in tomcat ("tomcat", "role1"), the if condition fails. But if I have to specify it explicitly, there is no case of mapping between logical and actual roles.

My question is regarding the "mapping", which doesn't seem to be taking place. If the Container would recognize only the roles mentioned in tomcat-users.xml, would

work at all? It works as per HFSJ. For me it doesn't seem to. Not sure what I am missing here.

Hope I am making it clear.
 
Ranch Hand
Posts: 951
Hi,

I think there is a mistake in the DD entries. The <security-role-ref> sub-entry must go under the <servlet> .... </servlet> entries. The role references are not for the whole application; they are for a particular servlet definition.

Thanks
 
Priya Jothi
Ranch Hand
Posts: 168
Hi..

I'm basically not getting the whole picture of your question, but let me explain what I understood. This <security-role-ref> stuff is similar to the <servlet>. Both elements are used for mapping an actual element to some logical name we prefer. I would like to mention that the <servlet-name> present under <servlet> is just a logical name & can only be used in web.xml & nowhere outside.

To be more clear, let's split the people involved in web development into 2 categories:

1. Developer group: will develop servlets, modify tomcat-users.xml & web.xml

2. Deployer group: Assume they are allowed to modify only web.xml, maybe tomcat-users.xml if needed, but they don't have rights to modify the code for servlets.

Now, considering the above scenario, how will the developer know (while developing servlets) what roles the deployer will map to the actual roles available? Situations may get worse if both groups belong to 2 different companies! Therefore only actual roles will be considered in the servlet code which is executed by the container. The mapping provided by the deployer has nothing to do with the servlet code which is already developed. If we think about it logically, it'll make sense.

An Administrator in one company may be called a Manager in another company. It varies with company rules. Here the developer should take care about identifying roles (generic) in the company, whereas the deployer is allowed to map these roles (actual) with their own roles (logical) (in web.xml) according to their business rules. Hope it helps.

Revert for further clarifications!

Regards,
Priya.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi Priya,

Let me give some more clarification on what I understand.

Suppose we have one servlet MyServlet which is constrained using the security mechanism. The web.xml is similar to

<servlet>
  <servlet-name>MyServlet</servlet-name>
  <servlet-class>mypackage.MyServlet</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>MyServlet</servlet-name>
  <url-pattern>/test/*</url-pattern>
</servlet-mapping>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<!-- one <security-role> element per role name -->
<security-role>
  <role-name>tomcat</role-name>
</security-role>
<security-role>
  <role-name>role1</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>testSecurity</web-resource-name>
    <url-pattern>/test/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>

Now, we realize that MyServlet is using some programmatic security in the code and using different roles other than tomcat and role1, i.e. the Admin role is equivalent to tomcat and Manager is equivalent to role1. But our tomcat-users.xml defines only tomcat and role1, so you have to map the roles in the <servlet>.

<servlet>
  <servlet-name>MyServlet</servlet-name>
  <servlet-class>mypackage.MyServlet</servlet-class>
  <!-- logical name used in isUserInRole() -> real role in tomcat-users.xml -->
  <security-role-ref>
    <role-name>Admin</role-name>
    <role-link>tomcat</role-link>
  </security-role-ref>
  <security-role-ref>
    <role-name>Manager</role-name>
    <role-link>role1</role-link>
  </security-role-ref>
</servlet>

<servlet-mapping>
  <servlet-name>MyServlet</servlet-name>
  <url-pattern>/test/*</url-pattern>
</servlet-mapping>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<!-- one <security-role> element per role name -->
<security-role>
  <role-name>tomcat</role-name>
</security-role>
<security-role>
  <role-name>role1</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>testSecurity</web-resource-name>
    <url-pattern>/test/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>

When the user fires the URL, the user is authenticated. Depending on the username/password, it will belong to either the tomcat or the role1 group defined in tomcat-users.xml.

But in MyServlet the tomcat group will be referred to as either tomcat or Admin in the isUserInRole method call, and the role1 group will be referred to as either role1 or Manager in the isUserInRole method call.

There may be a possibility that Admin and Manager groups are defined in tomcat-users.xml, but for MyServlet tomcat is Admin and role1 is Manager.

Hope it helps you.

Thanks
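To show why the placement of <security-role-ref> matters, here is an added Python model (not Tomcat's code and not from this thread) of how a container resolves isUserInRole(name) for one servlet: the name is translated through that servlet's own <security-role-ref>, otherwise used literally, and the result is compared with the realm roles the user actually has. The two web.xml fragments (without the J2EE namespace) and the user role sets are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml in the shape of the corrected listing above: the
# <security-role-ref> elements sit inside <servlet>, so Admin/Manager resolve.
WEB_XML_OK = """<web-app>
  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>mypackage.MyServlet</servlet-class>
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>tomcat</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>Manager</role-name>
      <role-link>role1</role-link>
    </security-role-ref>
  </servlet>
</web-app>"""

# Constructed web.xml with the mistake discussed in the thread: the role ref
# is placed at <web-app> level, so no mapping exists for MyServlet.
WEB_XML_MISPLACED = """<web-app>
  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>mypackage.MyServlet</servlet-class>
  </servlet>
  <security-role-ref>
    <role-name>Admin</role-name>
    <role-link>tomcat</role-link>
  </security-role-ref>
</web-app>"""

def role_refs(web_xml, servlet_name):
    """Return {logical role-name: real role-link} declared inside the named <servlet>."""
    root = ET.fromstring(web_xml)
    for servlet in root.findall("servlet"):
        if servlet.findtext("servlet-name") == servlet_name:
            return {ref.findtext("role-name"): ref.findtext("role-link")
                    for ref in servlet.findall("security-role-ref")}
    return {}

def is_user_in_role(web_xml, servlet_name, user_roles, name):
    """Model of request.isUserInRole(name) for one servlet: translate the name
    through the servlet's <security-role-ref> if one exists, otherwise use the
    name literally, then check it against the roles the realm gave the user."""
    real = role_refs(web_xml, servlet_name).get(name, name)
    return real in user_roles
```

With the misplaced fragment, isUserInRole("Admin") is false for a tomcat user while isUserInRole("tomcat") is still true, which is exactly the symptom the first post describes.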
 
Priya Jothi
Ranch Hand
Posts: 168
Hi Narendar,

Great, yaar, it is working! Glad that I've learnt a new thing. So far I haven't tried this kind of sample.

Hi Subramanian,

Hope Narendar's previous post would have answered most of your queries!

Regards,
Priya.
 