
Advice on form-authentication

 
Carmen Brianick
Ranch Hand
Posts: 67
Hi, I'm reading a web app book that has a chapter on Form-based authentication, in which is what I want: a custom login page. However, they are using Tomcat's user.xml (misspelled) to put in user ids/passwords, but in real life situations I wouldn't be using that. I'm thinking in real life I would be hitting a database (SQL Server 2000) and looking up ids/passwords.

1. I'd like to see an example of this
2. In my mind, I think I would have my login page submit to a servlet; that servlet authenticates the user against the database, then stores inside the session a variable that states that UserIsDefined. Now, on any page that follows the login, it would check whether the UserIsDefined variable is true; if it is false, then the user would get an error message. Is this the common way of doing authentication without a framework like Struts or Spring?
3. What is the common way of doing authentication, is it using a framework like Struts, or Spring?
4. Can you recommend a good site on this, form-authentication with a database instead of an XML file?

I'm totally new to this so any comments, suggestions, and code are greatly appreciated! Thanks!

Thanks so much,
Carmen
[ August 29, 2006: Message edited by: Bear Bibeault ]
 
Stefan Evans
Bartender
Posts: 1691
What you have explained would work, and is something I have seen quite commonly around the place.

Is there anything wrong with the Form-based authentication apart from it using a file (user.xml) as opposed to a database?

Check out the tomcat docs on Realms
You are using the default realm (being the user.xml file), but you don't have to.
You can specify a whole range of sources for the username/password - including a database (DataSource Realm, or JDBC Realm).

The form-based authentication gives you control over the access to pages in the web.xml rather than programming it into your application. That is much more flexible than having a basic "is the user logged in" check on every request.

Good luck,
evnafets
 
Carmen Brianick
Ranch Hand
Posts: 67
Hi evnafets, thanks so much for your reply! Thanks for telling me about Realms. Is this a Tomcat-specific ability, or can I use it on any other application server?

I will read up about realms using your link.

Thanks so much,
Carmen
 
Howard Watson
Ranch Hand
Posts: 60
I apologize for a slightly off-topic reply. I too have used SQL database queries for database web-app authentication: SELECT uName,pwd FROM tblUsers based on form parameters. I then create a session and use a session attribute to control processing JSPs. This works well because it prevents bookmarking.

The reason I wanted to post is a recent experience with SQL injection. A user can modify a query like the one above with carefully selected characters in the userName and password fields. After reading an article on the subject and about an hour's research and hacking, I was able to hack my apps.

If you decide to go this route be aware of it.
http://en.wikipedia.org/wiki/SQL_injection
 
Carmen Brianick
Ranch Hand
Posts: 67
Hi Howard, no need for apologies, b/c I'm glad you told me about SQL injection, b/c all along I've been using Statement, but now I'm going to use prepared statements from now on!

Carmen
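As an added example (not code from any poster in this thread), the lookup Howard describes written both ways: concatenated into a Statement, which is the form injection exploits, and as the PreparedStatement Carmen plans to switch to. Table and column names follow Howard's post; the class and method names are made up.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDao {

    // Vulnerable form: the form parameters are pasted into the SQL text, so a
    // value containing a quote character changes the structure of the query
    // instead of being compared as data. Shown only to contrast with loginSafe.
    static boolean loginUnsafe(Connection con, String user, String pwd) throws SQLException {
        String sql = "SELECT uName FROM tblUsers WHERE uName = '" + user
                   + "' AND pwd = '" + pwd + "'";
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next(); // true when a row matched
        }
    }

    // Hardened form: the SQL text is fixed and the driver sends the two values
    // separately, so whatever the user typed can only ever be compared as a value.
    // Parameterisation fixes injection only; the password column should hold a
    // salted hash and the comparison should be made against that (not shown here).
    static boolean loginSafe(Connection con, String user, String pwd) throws SQLException {
        String sql = "SELECT uName FROM tblUsers WHERE uName = ? AND pwd = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // true when a row matched
            }
        }
    }
}
```

On success the calling servlet would then set the session attribute Carmen describes (or, with container-managed security, none of this code is needed at all).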
 
Rusty Smythe
Ranch Hand
Posts: 93
Even better than prepared statements (IMHO) is Hibernate.
 
Stefan Evans
Bartender
Posts: 1691
Tomcat "Realms" configuration is specific to Tomcat.
However all application servers will have similar ways of specifying such details.

Form-based authentication, and the security/authentication tags in the web.xml - all of that is generic. It is defined in the servlet specification, and should work on all JSP/J2EE servers.

What varies from server to server is where/how you configure the list of usernames/passwords that it looks up. For that you have to consult the server documentation.

So if you do end up "rolling your own" security lookup, it becomes easier to deploy, because you only have to deploy your WAR file without having to do any setup on the server. On the other hand, container managed security is right there, so why re-invent the square wheel?
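As an added example (not configuration from the thread or the book), here is the container-managed version of what Stefan describes in his two posts: the portable part lives in web.xml and the login form, both defined by the servlet specification, and the Tomcat-specific part is a DataSourceRealm in place of the users file. The URL pattern, role name, JNDI name jdbc/authority and the table/column names are assumptions.

```xml
<!-- web.xml: portable, defined by the servlet specification -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Members only</web-resource-name>
    <url-pattern>/members/*</url-pattern> <!-- assumed protected path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>         <!-- assumed role name -->
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- login.jsp: the custom page, which must post to j_security_check
     using exactly these two field names (also spec-defined) -->
<form method="post" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>

<!-- META-INF/context.xml: Tomcat-specific. jdbc/authority is an assumed
     JNDI DataSource name; the user_pass column should hold hashed credentials,
     with the realm's digest/CredentialHandler setting matched to that
     (version-specific, see the Tomcat Realm docs) -->
<Context>
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authority"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
</Context>
```

With this in place the container redirects unauthenticated requests for /members/* to login.jsp and checks the posted credentials against the database itself, so no per-page session check is needed.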
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64715
Originally posted by Rusty Smythe:
Even better than prepared statements (IMHO) is Hibernate.


Adopting an ORM framework just to avoid SQL injection is a bit of a leap.
 