JavaRanch » Java Forums » Engineering » Security
How to secure my page

Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
I have a login.jsp; if we provide the correct userid/password it sends the user
to, say, some homepage.jsp


http://localhost:9080/Test_Application/login.jsp will send the user to, say, the page
http://localhost:9080/Test_Application/homepage.jsp?usid="admin"&pwd="123"
No problem till now.


Now if I directly try to open
http://localhost:9080/Test_Application/homepage.jsp?usid="admin"&pwd="123"
it opens perfectly.

What I want is that the homepage is reached only through a validation of userid/password,
so no one should come directly to homepage.jsp;

they should be redirected to login.jsp and asked for userId/password.
How can I do it? I am using WebSphere Application Server.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41601
Several points to note:

- Don't put security logic into a JSP, put it into a servlet.

- Never use (or even allow) GET for passwords; use POST instead.

- The standard way to implement authentication is to use servlet security, as defined by the servlet spec.
[ August 04, 2008: Message edited by: Ulf Dittmer ]

Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
I have read the suggested article.
Here below is my web.xml



and loginForm.html is as follows



Following is my first page



When I am clicking on the following link
<p>Request a secure page <a href="secure/securepage.html">here!</a></p>

it is pointing me to the secure page, not even asking for login. Can anybody help me where I am wrong? I am using WebSphere Application Server,
WSAD 5.1.2
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41601
<url-pattern>s that are not extensions (like *.jsp) must start with a slash; in other words, they must be absolute, not relative.
Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
I have tried with the following but none of them is working

try1: <url-pattern>/secure</url-pattern>

try2 :<url-pattern>/secure/*</url-pattern>

try3:<url-pattern>/secure/*.html</url-pattern>


Most importantly, I am not getting the idea of action="j_security_check".
Is this an inbuilt action? Is this action forced to look into the web.xml for a <security-constraint>, and if so, then how does it map to the loginForm in the <login-config>? There must be a mapping between the action and <security-constraint> and <login-config>. I can have several jsps/htmls and their forms, but which one to map?

As I am new to this security world and learning it so please help.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41601
Both the first and the second form you used will work when the web.xml file is set up correctly; the third will not work no matter what (you can only either use path mapping or extension mapping).

You can only have a single login form that is used for all URLs you have set up to be protected. The j_security_check action is built into the servlet container, and it will make sure that the login credentials you entered are valid. If they are, it will redirect the user to the URL originally requested.

What does "none is working" mean? What URL are you accessing, and what is happening? How have you set up security? Post the relevant excerpt from web.xml.
Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
Thanks for the reply.
Here all the details are listed.


In my WebContent folder there is a folder named secure, and inside it I have
put one html named securepage.html.

I also have created three htmls which are in the root (in the same directory as WebContent). They are index.html, LoginError.html, and LoginForm.html.

Now in index.html I have a link to secure/securepage.html as follows:
<p>Request a secure page <a href="secure/securepage.html">here!</a></p>
So it should go to securepage.html when I click on the link (the word "here").

What I am expecting now, as I am requesting a page from the folder secure, which is secured as set up in the web.xml as follows, is that it should open the loginForm.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <description>Security constraint for resources in the secure directory</description>
        <url-pattern>/secure/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>

    <auth-constraint>
        <description>only let the system user login</description>
        <role-name>admin</role-name>
    </auth-constraint>

    <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>



My loginForm is not opening; instead it opens securepage.html, which I don't want.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41601
Do you have a <login-config> element in your web.xml?

You might want to read through this introductory article; it explains all these concepts.
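The two pieces that have to be present together for a constraint to challenge a request are the <security-constraint> from the post above and the <login-config> asked about here (plus a <security-role> declaring the role). The following is an added example, not the original poster's file and not code from the linked article; page and role names come from the thread, while the CONFIDENTIAL transport guarantee, the dropped <http-method> list and the realm name are assumptions about what a hardened version should look like. The login form is the standard one for FORM authentication: the action j_security_check and the field names j_username and j_password are fixed by the servlet spec, which is why a single form serves every protected URL.

```xml
<!-- ===== WEB-INF/web.xml (added example) ===== -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <!-- Path mapping must start with "/". "/secure/*" covers the whole directory;
           the exact pattern "/secure" would match only that one URL, and
           "/secure/*.html" is not a legal pattern (path OR extension, not both). -->
      <url-pattern>/secure/*</url-pattern>
      <!-- No <http-method> elements: the constraint then applies to every method.
           Listing only GET and POST leaves HEAD, PUT, DELETE, etc. unconstrained,
           and a request using one of those can reach the page without logging in. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- The password travels in the POST body to j_security_check; CONFIDENTIAL
           makes the container redirect these URLs to HTTPS (assumed hardening). -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Without a <login-config> the constraint has no way to ask for credentials. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>SecurePages</realm-name>       <!-- assumed name -->
    <form-login-config>
      <!-- Both pages live outside /secure/, so they are reachable unauthenticated. -->
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role used in an <auth-constraint> must be declared; the server then
       maps it to a real user or group in its own registry. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>

<!-- ===== LoginForm.html, in the document root (added example) ===== -->
<html>
  <body>
    <!-- Relative action: the container intercepts "j_security_check" itself.
         POST only, so the password never appears in a URL, a log or a Referer. -->
    <form method="POST" action="j_security_check">
      <label>User: <input type="text" name="j_username" autocomplete="off" /></label>
      <label>Password: <input type="password" name="j_password" autocomplete="off" /></label>
      <input type="submit" value="Log in" />
    </form>
  </body>
</html>
```

Two checks when the secure page still opens without a prompt. First, request a URL under /secure/ and let the container serve the form; opening LoginForm.html directly and submitting it fails in most containers, because there is no pending protected request to return to after j_security_check succeeds. Second, on WebSphere the constraints in web.xml are only enforced when application security is enabled on the server and the admin role has been mapped to a user or group; with security switched off the server serves the page as if no constraint existed.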
Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
More specifically, the problem is:

http://localhost:9080/logintest/index.html
is redirected to the following:
http://localhost:9080/logintest/secure/securepage.html

It is not opening loginForm.html in between, and not
validating the login credentials.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41601
So what's the answer to my question?
Monoj Roy
Ranch Hand

Joined: Oct 10, 2007
Posts: 98
Yes, I am using that. I have even created the sample application from the
site you referred to. Here below is the total web.xml

Antonio Fornie
Ranch Hand

Joined: Aug 07, 2008
Posts: 117
Hello.

I'd like to know how to use security with users in a DB. I mean, all four specs (basic, digest, form and client-cert) for security are always described as being used with the users in tomcat-users.xml (or a similar file). But I want to set the configuration so that it can take the users from a database.

What I don't want either is to control the access with my own code. I want tomcat to control the access, but I want my code to authenticate users and tell Tomcat "Yes, let her/him in" or "No. Show login page".

Thank you very much.

Antonio


I feel there must be far better ways to do what I do... that makes learning even funnier
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41601
The details for Tomcat are described at http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
You can either use a JDBCRealm or a DataSourceRealm.

What I don't want either is to control the access with my own code. I want tomcat to control the access, but I want my code to authenticate users and tell Tomcat "Yes, let her/him in" or "No. Show login page".

The way realms work is that they look up user/password info somewhere (in a DB for the realms I mentioned), and that you don't have to code anything. I don't understand where (and why) you want to hook code of your own into this process.

It's certainly possible if you want to - you can write a class that extends one of the Realm classes, and have that do anything you want it to do. But it's not generally necessary, and if for some reason it is, you may be better off not using the Realm functionality at all and implement security completely in your code. It's not that much work.

Forgive my horrible English, I'm Spanish.

I don't think it's horrible at all. (Of course, not being a native English speaker myself, who am I to judge that?)
[ August 29, 2008: Message edited by: Ulf Dittmer ]
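What a DataSourceRealm against the application's own tables looks like, as an added example following the Tomcat 5.5 realm how-to linked above (not configuration from the thread or from the how-to itself). The JNDI name, the JDBC URL and the table and column names are assumptions: the point of the realm attributes is that they are mapped onto whatever schema already exists, so the existing users table is not changed. The digest setting is the part a practitioner should not skip.

```xml
<!-- META-INF/context.xml of the web application (added example) -->
<Context>
  <!-- Connection pool the realm (and the application) use. The DB credentials
       stay in container configuration, not in application code. Values assumed. -->
  <Resource name="jdbc/appdb" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/app"
            username="app" password="change-me"
            maxActive="10" maxIdle="5" maxWait="5000"/>

  <!-- Tomcat performs the lookup and the comparison; no application code is
       involved in the allow/deny decision, which is what the question asks for.
       Expected tables (assumed names):
         app_user(login, password_hash)
         app_user_role(login, role_name)
       Note that userNameCol is used for BOTH tables, so the role table must have a
       column with the same name as the users table's username column. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/appdb"
         localDataSource="true"
         userTable="app_user"
         userNameCol="login"
         userCredCol="password_hash"
         userRoleTable="app_user_role"
         roleNameCol="role_name"
         digest="SHA-256"/>
</Context>
```

With digest set, the realm hashes the submitted password with that algorithm before comparing it to password_hash, so the table never holds cleartext passwords; the value to store can be produced with bin/digest.sh -a SHA-256 (digest.bat on Windows). Two caveats: the realm's digest is a plain, unsalted hash, so a leaked table is still vulnerable to offline guessing, and this storage form only works with BASIC and FORM authentication. DIGEST authentication needs the stored value to be the MD5 of username:realm:password, as the how-to describes, which is why the two cannot share one column.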
Antonio Fornie
Ranch Hand

Joined: Aug 07, 2008
Posts: 117
Thank you very much. Well, I don't need the code to be mine; in fact I'd rather not code as long as I can use my users' table without changing anything.

I was looking for something similar to what you can do with Spring (JdbcDaoImpl): you use your own tables, and you only have to say how to access them (with a query) in order to adapt to what Spring needs. But I wanted to be able to use basic, digest...

Anyway, I've been reading your link and that's exactly what I need. I wasn't sure it existed. Thank you very much

Antonio
Antonio Fornie
Ranch Hand

Joined: Aug 07, 2008
Posts: 117
Please, I've got another question.

I've used an "org.apache.catalina.realm.JDBCRealm" and it's working perfectly. I only had to configure my table and column names and the rest is almost done.

But the problem is, Tomcat is accessing my database, retrieving the user and keeping in session some kind of information related to the user. But the rest of the application will need the user too (I have to show in the menus only the sales of the user).

I don't want Tomcat to first access the database and later, in the same request, have my code access the database again to retrieve the same data. Is there a way I can access the DB only once? Is there a way to access the info Tomcat stores in session?

That's absolutely necessary. Otherwise I'd have to ask the user to log in once again, as I know the user is logged in but I don't know which user it is.

Thank you very much.

Antonio
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41601
That's what the HttpServletRequest.getRemoteUser method tells you. The HttpServletRequest.isUserInRole method may also be of interest.
Antonio Fornie
Ranch Hand

Joined: Aug 07, 2008
Posts: 117
Thank you very much. That's all I needed.