Tracking users and user security

 
Ranch Hand
Posts: 323
Not sure how to write a good title for this.

I'm writing a registration app. So far I have where the users can register themselves. It works great and stores the data in a db using Hibernate.

Now what I'd like to do is have users be able to log in and update their data. However, I'm not really sure how to configure this to be secure and make sure that people don't start editing other users data.

Am I going to have to set a cookie? Is this the best way to handle it?
 
Ranch Hand
Posts: 107
Since you have a login module, doesn't it require a password?

If yes, that should act as a security layer. Am I missing something?
 
Ranch Hand
Posts: 2458
Make use of container managed security (lookup JAAS and/or Realm in the documentation provided along the appserver) and/or a simple Filter which checks the presence of the logged in User and handle the request/response accordingly.
 
Sunil Vasudevan
Ranch Hand
Posts: 107
My bad.. You mentioned you need to create a login module.

During user registration, have the user provide a password too.
 
Bai Shen
Ranch Hand
Posts: 323
I already have a password setup in the registration section.

I'm just trying to figure out how to track the user through the rest of the app once they're registered.

Not sure how to set up the container managed security. I'm using Tomcat as my app server if that helps.
 
Sheriff
Posts: 67746
A typical scenario is that the business layer needs to know which user is "logged in" and makes sure that the user has the ability to perform the operation.

Thus each business layer operation gets passed the current user and does a check for permissions or scope or whatever determines whether the request is valid prior to actually doing something.

In the system I am currently working on, we do both. We have a permissions structure that defines what a user is allowed to do, and scoping to determine what the user is allowed to do those operations to.

This is not generally something tacked on in the UI layers. Your business layer needs to be set up to handle this.
 
Bai Shen
Ranch Hand
Posts: 323

Bear Bibeault wrote:A typical scenario is that the business layer needs to know which user is "logged in" and makes sure that the user has the ability to perform the operation.

Thus each business layer operation gets passed the current user and does a check for permissions or scope or whatever determines whether the request is valid prior to actually doing something.

In the system I am currently working on, we do both. We have a permissions structure that defines what a user is allowed to do, and scoping to determine what the user is allowed to do those operations to.

This is not generally something tacked on in the UI layers. Your business layer needs to be set up to handle this.



Um, I never mentioned anything about the UI layers. I'm just trying to figure out how to determine who's logging in so that I can use my business logic to determine their permissions. Most of my coding has been desktop apps, so I'm not sure how to make this work using a web servlet.
 
Bear Bibeault
Sheriff
Posts: 67746
Well, I assume that your users are logging in and interacting with the system via the UI.

What are you using for authentication? I never seem to find the container-managed stuff versatile enough for my needs, so I always set up my own. Basically, when a user logs in, a token is placed in the session. This token, which is used to identify not only that a user is logged in, but which one, is passed to each business layer operation, whose job it is to validate the permissibility of the operation before carrying it out.
 
Bai Shen
Ranch Hand
Posts: 323

Bear Bibeault wrote:Well, I assume that your users are logging in and interacting with the system via the UI.

What are you using for authentication? I never seem to find the container-managed stuff versatile enough for my needs, so I always set up my own. Basically, when a user logs in, a token is placed in the session. This token, which is used to identify not only that a user is logged in, but which one, is passed to each business layer operation, whose job it is to validate the permissibility of the operation before carrying it out.



Right now, I'm not using anything for authentication. That's my problem.

I have a registration page that saves the users data to a database.

What I want to do is then authenticate them based on the username/password in the database. That's why I'm trying to figure out how to track them across the system. My original plan was to write a login servlet, but then I didn't have a method to keep track of which user I was dealing with in any of the other servlets.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
Either make use of JAAS/Realm to let the container handle it completely, or take it into your own hands by just placing the User object obtained from the DB in the HttpSession yourself. The rest of your application can just intercept on that, if need be by a simple Filter.
 
Bear Bibeault
Sheriff
Posts: 67746
Ah! Yes.

For authentication itself, we store the users and passwords in the database (encrypted passwords). When a user logs in, he is authenticated and if successful the user information is stored in a session-scoped variable.

For each authenticated page, a servlet filter checks if the session info is there. If not, it forces authentication. Redirecting to a login page is easiest (I'm doing something a little more sophisticated with Ajax, but that's another show).

Upon logging out (or session timeout), the session info is eradicated.

This means that for each operation that requires a user, the user info can be obtained from the session and passed to the business layer.
 
Bai Shen
Ranch Hand
Posts: 323
Okay, not to be too obtuse, but how do I store the user data in a session variable?
 
Bauke Scholtz
Ranch Hand
Posts: 2458
HttpSession#setAttribute().

Learn to find, read and understand the API, luke: javax.servlet.http.HttpSession.
 
Bai Shen
Ranch Hand
Posts: 323

Bauke Scholtz wrote:HttpSession#setAttribute().

Learn to find, read and understand the API, luke: javax.servlet.http.HttpSession.



I know how to read and understand the API. I just wasn't sure what I was looking for. I'm still getting used to the way servlets work.
 
Bai Shen
Ranch Hand
Posts: 323
BTW, how secure are session variables? Are they something that can be read/changed in the browser? Or can I just set a variable to the user's name (which is unique) and then be assured that it wasn't tampered with?
 
Bauke Scholtz
Ranch Hand
Posts: 2458
It is stored entirely on the server side. All the client has with regard to the session is a simple cookie referencing the session ID, or the jsessionid addendum in the URL. So it's secure enough. You have full control over what you get/set in the session. After all, it depends on the robustness of the code you write yourself.
 
Bai Shen
Ranch Hand
Posts: 323

Bauke Scholtz wrote:It is stored entirely on the server side. All the client has with regard to the session is a simple cookie referencing the session ID, or the jsessionid addendum in the URL. So it's secure enough. You have full control over what you get/set in the session. After all, it depends on the robustness of the code you write yourself.



Ah, okay. I wasn't sure how the session tracking was handled. I assume the timeouts, etc, are configured in the tomcat xml config files?
 
Bauke Scholtz
Ranch Hand
Posts: 2458
In the web.xml.
 
Bai Shen
Ranch Hand
Posts: 323
After some thinking, I realized I have a better question. Can y'all point me to a good servlet design pattern? I think I have my configuration all jumbled up, but I'm not really sure what the best way to configure it all is. If y'all can point me to some good examples, it'd be appreciated.

Thanks.
 
Bear Bibeault
Sheriff
Posts: 67746
Servlet filter.
 
Bai Shen
Ranch Hand
Posts: 323
Okay, I got the servlet filter mostly working. I'm having some trouble with setting up the filter mapping, though. I want most of the pages to be covered by the filter, but I'm not sure how to exclude the ones I don't need.

For example, I don't need the images dir or the login page to be covered by the login page. In the former, it won't display correctly, and the latter causes an infinite loop. How do I set an exclude in a mapping?
 
Bear Bibeault
Sheriff
Posts: 67746
You never want to map /* obviously.

Usually, you choose a prefix for the authenticated resources that the URLs will contain. For example /core/*.

As I use a front controller (see FrontMan link below) it's easy for me to control what prefixes all the URLs have, and to ignore prefixes that address resources that don't need authentication.
 
Bai Shen
Ranch Hand
Posts: 323
I seem to have it mostly working.

Is there a way to reliably set the filter to kick the user back to the login page? Right now I have it set up like so.

/BLAH
/secure
index.html
index.html

BLAH is my context path, so /BLAH/index.html is my login page. Once a user is logged in, they're redirected to /BLAH/secure/index.html. However, whenever they try to hit any page in /BLAH/secure, I want it to kick them back to the login page. Right now, I set the response to redirect to the context path. Is there a better way to do this?
 
Bear Bibeault
Sheriff
Posts: 67746
I'd have it redirect to your login page explicitly.
 
Bai Shen
Ranch Hand
Posts: 323

Bear Bibeault wrote:I'd have it redirect to your login page explicitly.



How so? What if the context changes, etc?
 
Bear Bibeault
Sheriff
Posts: 67746
The context should never be hard-coded. Be sure to obtain it dynamically. (See the FAQ entry on resource URLs in the JSP FAQ if need be).
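The session-backed login Bear describes earlier (User stored in the session, a filter that forces authentication, session eradicated on logout), combined with his advice to map the filter to an authenticated prefix such as /secure/* and to redirect to an explicitly named login page using a dynamically obtained context path, as an added example that is not code from the thread. It assumes a Hibernate-mapped `User` class and a hypothetical `UserDao.authenticate(username, password)` that returns the matching User or null when the credentials do not verify; the same imports apply to each of the three files.

```java
// File: LoginServlet.java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

// User is the Hibernate entity; UserDao.authenticate() is a hypothetical DAO method.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    static final String USER_KEY = "user";              // session attribute holding the User
    static final String MESSAGE_KEY = "pendingMessage"; // one-shot message for the login page
    private final UserDao userDao = new UserDao();
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String ctx = req.getContextPath();              // obtained dynamically, never hard-coded
        User user = userDao.authenticate(req.getParameter("username"), req.getParameter("password"));
        if (user == null) {
            req.getSession().setAttribute(MESSAGE_KEY, "Invalid username or password");
            resp.sendRedirect(ctx + "/index.html");     // explicit login page
            return;
        }
        HttpSession old = req.getSession(false);        // drop any pre-login session so a
        if (old != null) old.invalidate();              // session id fixed before login is not kept
        req.getSession(true).setAttribute(USER_KEY, user);
        resp.sendRedirect(ctx + "/secure/index.html");
    }
}

// File: LogoutServlet.java
@WebServlet("/secure/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();      // eradicates the stored User
        resp.sendRedirect(req.getContextPath() + "/index.html");
    }
}

// File: AuthFilter.java
// Mapped to the authenticated prefix only, so /index.html and /images/ are never intercepted
// and the login page cannot loop. web.xml equivalent: <url-pattern>/secure/*</url-pattern>.
@WebFilter("/secure/*")
public class AuthFilter implements Filter {
    public void init(FilterConfig cfg) {} public void destroy() {}
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);    // false: a check must not create a session
        User user = session == null ? null : (User) session.getAttribute(LoginServlet.USER_KEY);
        if (user == null) {
            resp.sendRedirect(req.getContextPath() + "/index.html");
            return;
        }
        req.setAttribute(LoginServlet.USER_KEY, user);  // hand the User to the business layer
        chain.doFilter(request, response);
    }
}
```

The annotations need a Servlet 3.0 container (Tomcat 7 or later); on older Tomcats declare the same servlets and the filter with a `/secure/*` `<filter-mapping>` in web.xml.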
 
Bai Shen
Ranch Hand
Posts: 323

Bear Bibeault wrote:The context should never be hard-coded. Be sure to obtain it dynamically. (See the FAQ entry on resource URLs in the JSP FAQ if need be).



-nods- I was just wondering about your statement of pointing to the login page explicitly. Right now my login page is index.html and when I point to the context, it defaults to the login page.
 
Bear Bibeault
Sheriff
Posts: 67746
I just personally find that fragile. I like to be more explicit.
 
Bai Shen
Ranch Hand
Posts: 323

Bear Bibeault wrote:I just personally find that fragile. I like to be more explicit.



So redirect to contextPath+"/index.html"?

Also, any suggestions for notifying users of why their login was rejected? I can redirect them back to the login page, but I haven't figured out a good way to tell them that their password was invalid, or they don't have permissions, etc.
 
Bear Bibeault
Sheriff
Posts: 67746
These days I'm doing things in a more Ajax-y manner, but using traditional requests I used to set up a session variable that had a pending message. If the page saw that such a message was there, it would display it and remove the message from the session.
 
Bai Shen
Ranch Hand
Posts: 323

Bear Bibeault wrote:These days I'm doing things in a more Ajax-y manner, but using traditional requests I used to set up a session variable that had a pending message. If the page saw that such a message was there, it would display it and remove the message from the session.



I'm fine with doing it in an "Ajax-y" manner, as that's another thing I'm working on learning. But how does the page read the session variable? I thought those were entirely server side? Are you dynamically generating the logon page?
 
Ranch Hand
Posts: 48
I too have been wrestling with this kind of problem recently. I need to keep track of when users log in, and which logged-in sessions there are.

There seems to be no simple way to do this in a Java EE servlet environment (like getting a callback for all logins).

I finally managed to solve it by using a combo of an HttpSessionListener and a Filter.
The HttpSessionListener keeps track of all logged-in sessions in a static Map. Note: not all sessions are logged-in, and ONLY logged-in sessions get a call to sessionDestroyed! (Or is that a bug in Glassfish 3.1.2.2?)
The Filter then fills in the username.
Quite hairy. I can post code if anyone is interested.

Shouldn't there be a simpler way?
 
Bear Bibeault
Sheriff
Posts: 67746
If I needed to keep track of who is logged in I'd simply maintain a list in application scope. Add an entry for the user when they log in, and remove it when they log out. Watch for sessions to expire to know if a user times out rather than logs out.
 
Per Lindberg
Ranch Hand
Posts: 48
Keeping the Map that has the logged-in session ids and usernames in application scope is an interesting alternative to a static member of the HttpSessionListener, but does not buy much.

The main problem is to detect logins (and logouts/expired sessions). There seems to be no simple way of doing that.

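One way to implement the application-scope list Bear suggests together with the session listener Per describes, as an added example that is not code from the thread. Login itself is not a container event, so the login servlet has to call `recordLogin` right after it stores the User in the session; the attribute name and the `sessionId -> username` layout are this example's own choices.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

// Registry of logged-in sessions kept in application scope (a ServletContext attribute).
// Keyed by session id so a user with two browsers is tracked once per live session.
@WebListener
public class LoginRegistry implements ServletContextListener, HttpSessionListener {
    static final String REGISTRY_KEY = "loggedInSessions"; // sessionId -> username

    @SuppressWarnings("unchecked")
    static Map<String, String> registry(ServletContext ctx) {
        return (Map<String, String>) ctx.getAttribute(REGISTRY_KEY);
    }

    // Called by the login servlet after the authenticated User is placed in the session.
    static void recordLogin(HttpSession session, String username) {
        registry(session.getServletContext()).put(session.getId(), username);
    }

    // Called by the logout servlet; harmless if session.invalidate() follows, since
    // sessionDestroyed below removes the entry again.
    static void recordLogout(HttpSession session) {
        registry(session.getServletContext()).remove(session.getId());
    }

    // Snapshot of who is currently logged in, one entry per live session.
    static Collection<String> loggedInUsers(ServletContext ctx) {
        return new ArrayList<String>(registry(ctx).values());
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().setAttribute(REGISTRY_KEY, new ConcurrentHashMap<String, String>());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute(REGISTRY_KEY);
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to record: a fresh session is anonymous until the user authenticates.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fires for invalidate() and for timeout alike. remove() is a no-op for sessions
        // that never logged in, so anonymous sessions need no special handling.
        registry(se.getSession().getServletContext()).remove(se.getSession().getId());
    }
}
```

Never expose the session ids held in this map to a page; show only the usernames returned by `loggedInUsers`.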
 
Ranch Hand
Posts: 339
Hi Bear,

As I use a front controller (see FrontMan link below) it's easy for me to control what prefixes all the URLs have, and to ignore prefixes that address resources that don't need authentication.



Can you explain specifically how you do this in Frontman?

Thank you.
 
Bear Bibeault
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
Use the command mappings to specify what the URLs to the command should be. Packages play a large role.
 