Question on web-app security

Sub swamy
Ranch Hand

Joined: Oct 02, 2002
Posts: 121
Was trying out an example based on (my understanding of) HFSJ



The roles (tomcat and role1) have been defined in tomcat-users.xml file.

I would like to know WHY/HOW the code works (the if condition passes) in the latter case while it doesn't in the former case. Though, HFSJ says the former should work.

Would appreciate it if someone could help on this.

Env: Tomcat 5.0.30/J2SE 1.4.2
Priya Jothi
Ranch Hand

Joined: Jul 13, 2004
Posts: 168
Hi,

tomcat & role1 are the actual roles defined in tomcat-users.xml, whereas Admin & Manager are just the logical names given by you for these role names. Tomcat will make a mapping when you give a logical name for any role, but it'll consider only the actual or real names configured in tomcat-users.xml.

hth..

Regards,
Priya.
Sub swamy
Ranch Hand

Joined: Oct 02, 2002
Posts: 121
Agree with what you have said.

My question is, if there is a mapping (through)


then why isn't the logical name (Admin) recognized in the Servlet?

Unless I explicitly specify the roles in tomcat ("tomcat", "role1"), the if condition fails. But if I specify them explicitly, there is no case of mapping between logical and actual roles.

My question is regarding the "mapping" - that doesn't seem to be taking place. If the Container would recognize only the roles mentioned in tomcat-users.xml, would

work at all? It works as per HFSJ. For me it doesn't seem to. Not sure what I am missing here.

Hope I am making it clear.
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi,

I think there is a mistake in the DD entries. The <security-role-ref> sub-entry must go under the <servlet> .... </servlet> entries. The role references are not for the whole application; they are for a particular servlet definition.

Thanks


Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0
Priya Jothi
Ranch Hand

Joined: Jul 13, 2004
Posts: 168
Hi..

I'm basically not getting the whole picture of your question, but let me explain to you what I understood. This <security-role-ref> stuff is similar to <servlet>. Both elements are used for mapping an actual element to some logical name we prefer. Would like to mention that the <servlet-name> present under <servlet> is just a logical name & can only be used in web.xml & nowhere outside.

To be more clear, let's split the people involved in web development into 2 categories..

1. Developer group: will develop servlets, modify tomcat-users.xml & web.xml

2. Deployer group: Assume they are allowed to modify only web.xml, maybe tomcat-users.xml if needed, but they don't have rights to modify the code for servlets.

Now considering the above scenario, how will the developer know (while developing servlets) what roles the deployer will map to the actual roles available? Situations may get worse if both groups belong to 2 different companies!! Therefore only actual roles will be considered in the servlet code which is executed by the container. The mapping provided by the deployer has nothing to do with the servlet code which is already developed. If we think about it logically it'll make sense.

Administrator in one company may be called Manager in another company. It varies with company rules. Here the developer should take care about identifying roles (generic) in the company, whereas the deployer is allowed to map these roles (actual) with their own roles (logical) (in web.xml) according to their business rules. Hope it helps..

Revert for further clarifications!!.

Regards,
Priya.
Narendra Dhande
Ranch Hand

Joined: Dec 04, 2004
Posts: 950
Hi Priya,

Let me give some more clarification on what I understand.

Suppose we have one servlet MyServlet which is constrained using the security mechanism. The web.xml is similar to

<servlet>
<servlet-name>MyServlet</servlet-name>
<servlet-class>mypackage.MyServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>MyServlet</servlet-name>
<url-pattern>/test/*</url-pattern>
</servlet-mapping>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<!-- one <security-role> element per declared role -->
<security-role>
<role-name>tomcat</role-name>
</security-role>
<security-role>
<role-name>role1</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>testSecurity</web-resource-name>
<url-pattern>/test/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>

<auth-constraint>
<role-name>tomcat</role-name>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>

Now, we realize that MyServlet is using some programmatic security in the code and using different roles other than tomcat and role1, i.e. the Admin role is equivalent to tomcat and Manager is equivalent to role1. But our tomcat-users.xml defines only tomcat and role1, so you have to map the roles in the <servlet>.

<servlet>
<servlet-name>MyServlet</servlet-name>
<servlet-class>mypackage.MyServlet</servlet-class>
<!-- role-name: logical name used in isUserInRole(); role-link: real role from tomcat-users.xml -->
<security-role-ref>
<role-name>Admin</role-name>
<role-link>tomcat</role-link>
</security-role-ref>

<security-role-ref>
<role-name>Manager</role-name>
<role-link>role1</role-link>
</security-role-ref>

</servlet>

<servlet-mapping>
<servlet-name>MyServlet</servlet-name>
<url-pattern>/test/*</url-pattern>
</servlet-mapping>

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>tomcat</role-name>
</security-role>
<security-role>
<role-name>role1</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>testSecurity</web-resource-name>
<url-pattern>/test/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>

<auth-constraint>
<role-name>tomcat</role-name>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>

When the user fires the URL, the user is authenticated. Depending on the username/password, the user will belong to either the tomcat or the role1 group defined in tomcat-users.xml.

But in MyServlet the tomcat group will be referred to as either tomcat or Admin in the isUserInRole method call, and the role1 group will be referred to as either role1 or Manager in the isUserInRole method call.

There may be a possibility that Admin and Manager groups are defined in tomcat-users.xml, but for MyServlet tomcat is Admin and role1 is Manager.

Hope it helps you.

Thanks
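The resolution Narendra describes, as an added example that is not part of this thread or of Tomcat: a small model of how the container answers isUserInRole() by looking up <security-role-ref> only inside the calling servlet's own <servlet> element, falling back to the name as given. The web.xml and the user-to-role table are constructed stand-ins for the thread's web.xml and tomcat-users.xml.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the second snippet in the thread (the one
# with <security-role-ref> placed inside <servlet>); a second servlet without
# any role references is added to show the per-servlet scope of the mapping.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>mypackage.MyServlet</servlet-class>
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>tomcat</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>Manager</role-name>
      <role-link>role1</role-link>
    </security-role-ref>
  </servlet>
  <servlet>
    <servlet-name>OtherServlet</servlet-name>
    <servlet-class>mypackage.OtherServlet</servlet-class>
  </servlet>
  <security-role><role-name>tomcat</role-name></security-role>
  <security-role><role-name>role1</role-name></security-role>
</web-app>"""

# Constructed stand-in for tomcat-users.xml: user -> set of real roles.
USERS = {"alice": {"tomcat"}, "bob": {"role1"}}


def role_links(web_xml, servlet_name):
    """Return {logical role-name: real role-link} declared for one servlet.

    Only <security-role-ref> elements nested in that servlet's <servlet>
    element count; references placed elsewhere in web.xml are ignored,
    which is the mistake the thread's original poster ran into.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.findall("servlet"):
        if servlet.findtext("servlet-name") == servlet_name:
            return {ref.findtext("role-name"): ref.findtext("role-link")
                    for ref in servlet.findall("security-role-ref")}
    return {}


def is_user_in_role(web_xml, servlet_name, user, role):
    """Model of HttpServletRequest.isUserInRole(role) for a given servlet.

    A matching <security-role-ref> translates the logical name to the real
    role; with no match the name is checked as-is against the real roles.
    """
    real_role = role_links(web_xml, servlet_name).get(role, role)
    return real_role in USERS.get(user, set())
```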
Priya Jothi
Ranch Hand

Joined: Jul 13, 2004
Posts: 168
Hi Narendra,

Great, yaar..it is working!! Glad that I've learnt a new thing. So far I haven't tried this kind of sample.

Hi Subramanian,

Hope Narendra's previous post would have answered most of your queries!!

Regards,
Priya.