JavaRanch » Java Forums » Java » JSP
Advice on form-authentication

Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi, I'm reading a web app book that has a chapter on Form-based authentication, which has what I want: a custom login page. However, they are using Tomcat's user.xml (misspelled) to put in user ids/passwords, but in real life situations I wouldn't be using that. I'm thinking in real life I would be hitting a database (SQL Server 2000) and looking up ids/passwords.

1. I'd like to see an example of this
2. In my mind, I think I would have my login page submit to a servlet, that servlet authenticates the user against the database, then stores inside the session a variable that states that UserIsDefined. Now, on any page inside that follows the login, it would check whether the UserIsDefined variable is true; if it is false, then the user would get an error message. Is this the common way of doing authentication without a framework like Struts or Spring?
3. What is the common way of doing authentication, is it using a framework like Struts, or Spring?
4. Can you recommend a good site on this, form-authentication with a database instead of a xml file?

I'm totally new to this so any comments, suggestions, and code are greatly appreciated! Thanks!

Thanks so much,
Carmen
[ August 29, 2006: Message edited by: Bear Bibeault ]
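The flow described in point 2 (login page posts to a servlet, the servlet checks the database, a session attribute gates the pages that follow), as an added example in Java that is not part of the original post. It assumes the javax.servlet API and a hypothetical AuthService interface whose implementation does the database lookup; the attribute name authenticatedUser stands in for the post's UserIsDefined. The per-page check is done once in a servlet filter mapped over the protected pages instead of being repeated in every JSP.

```java
// Added example (LoginServlet.java), not code from the thread. Assumes the
// javax.servlet API and an AuthService implementation registered in the
// servlet context under the name "authService" (both assumptions).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical lookup hook; the real implementation queries the users table. */
interface AuthService {
    boolean authenticate(String username, String password);
}

/** The login page posts to this servlet. On success it marks the session. */
public class LoginServlet extends HttpServlet {
    /** Session attribute that plays the role of the post's UserIsDefined. */
    static final String USER_ATTR = "authenticatedUser";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        AuthService auth = (AuthService) getServletContext().getAttribute("authService");
        if (auth == null) {
            throw new ServletException("authService not configured");
        }

        if (user != null && pass != null && auth.authenticate(user, pass)) {
            // Drop any session that existed before login so a session id handed
            // out to an anonymous visitor is not promoted to a logged-in one.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            req.getSession(true).setAttribute(USER_ATTR, user);
            resp.sendRedirect(req.getContextPath() + "/app/home.jsp");
        } else {
            // One message for unknown user and wrong password alike.
            req.setAttribute("error", "Invalid username or password");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        }
    }
}

/** Mapped to /app/* in web.xml: every protected request passes through here,
    so the "is the user logged in" check lives in one place. */
class AuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false); // never create one here
        boolean loggedIn = session != null
                && session.getAttribute(LoginServlet.USER_ATTR) != null;
        if (loggedIn) {
            chain.doFilter(request, response);
        } else {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }
}
```

In web.xml the servlet is mapped to a URL such as /login and the filter to /app/*; the JSPs under /app then need no check of their own, and the filter rejects a request that arrives with no session at all rather than creating one.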
Stefan Evans
Bartender

Joined: Jul 06, 2005
Posts: 1016
What you have explained would work, and is something I have seen quite commonly around the place.

Is there anything wrong with the Form-based authentication apart from it using a file (user.xml) as opposed to a database?

Check out the tomcat docs on Realms
You are using the default realm (being the user.xml file), but you don't have to.
You can specify a whole range of sources for the username/password - including database (Datasource Realm, or JDBC Realm).

The form-based authentication gives you control over the access to pages in the web.xml rather than programming it into your application. That is much more flexible than having a basic "is the user logged in" check on every request.

Good luck,
evnafets
Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi evnafets, thanks so much for your reply! Thanks for telling me about Realms, is this a Tomcat specific ability or can I use it on any other application server?

I will read up about realms using your link.

Thanks so much,
Carmen
Howard Watson
Ranch Hand

Joined: Jan 07, 2004
Posts: 56
I apologize for a slightly off-topic reply. I too have used SQL database queries for database web-app authentication. SELECT uName,pwd FROM tblUsers based on form parameters. I then create a session and use a session attribute to control processing JSPs. This works well because it prevents bookmarking.

The reason I wanted to post is a recent experience with SQL injection. A user can modify a query like the one above with carefully selected characters in the userName and password fields. After reading an article on the subject and about an hour's research and hacking I was able to hack my apps.

If you decide to go this route be aware of it.
http://en.wikipedia.org/wiki/SQL_injection
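The risk Howard describes, as an added example that is not part of his post. The first method assembles the SQL text by concatenating the form parameters, the way a SELECT uName,pwd FROM tblUsers query run through Statement typically does, so a quote character in the input closes the string literal and the rest of the input is parsed as SQL. The second uses a PreparedStatement: the driver sends the bound values separately from the statement text, so they can never become part of the query. Table and column names (tblUsers, uName, pwd) are taken from Howard's query; the DataSource and the constructed input in main are assumptions.

```java
// Added example (UserLookup.java), not code from the thread. Assumes a
// javax.sql.DataSource supplied by the container; table and column names
// follow Howard's query.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;

public class UserLookup {
    private final DataSource ds;

    public UserLookup(DataSource ds) {
        this.ds = ds;
    }

    /** The text a concatenating login builds. The form values become part of
        the SQL itself, so the database parses whatever they contain as SQL. */
    static String concatenatedSql(String user, String pass) {
        return "SELECT uName, pwd FROM tblUsers WHERE uName = '" + user
             + "' AND pwd = '" + pass + "'";
    }

    /** Vulnerable variant: the query shape from the post, run through Statement. */
    boolean loginWithStatement(String user, String pass) throws SQLException {
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(concatenatedSql(user, pass))) {
            return rs.next();
        }
    }

    /** Fixed variant: placeholders in the statement, values bound afterwards.
        The SQL text is fixed at compile time of the statement; the values are
        transmitted as data and are never parsed as SQL. */
    boolean loginWithPreparedStatement(String user, String pass) throws SQLException {
        String sql = "SELECT uName FROM tblUsers WHERE uName = ? AND pwd = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            // If the pwd column stores a hash, bind the hash of the submitted
            // password here instead of the raw value.
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /** Shows the concatenated text for a constructed input; needs no database. */
    public static void main(String[] args) {
        // Constructed input: a legitimate surname that happens to contain a quote.
        System.out.println(concatenatedSql("O'Brien", "secret"));
        // The string literal ends at the apostrophe inside the name, and the
        // remainder of the input is handed to the database as SQL. For this name
        // that is a syntax error; for input that happens to parse, it runs.
        // Bound as a parameter, the same value is simply the name to look up.
    }
}
```

Running main shows the assembled text `... WHERE uName = 'O'Brien' AND pwd = 'secret'`: the literal closes after the O, which is exactly the data-versus-code confusion the prepared statement removes. Escaping quotes by hand is not a substitute, since every driver and database has its own set of characters that need it; binding parameters sidesteps the problem entirely.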
Carmen Brianick
Ranch Hand

Joined: Feb 23, 2006
Posts: 67
Hi Howard, no need for apologies, b/c I'm glad you told me about SQL injection, b/c all along I've been using Statement, but now, I'm going to use Prepared statements from now on!

Carmen
Rusty Smythe
Ranch Hand

Joined: Aug 09, 2006
Posts: 93
Even better than prepared statements (IMHO) is Hibernate.
Stefan Evans
Bartender

Joined: Jul 06, 2005
Posts: 1016
Tomcat "Realms" configuration is specific to Tomcat.
However all application servers will have similar ways of specifying such details.

Form-based authentication, and the security/authentication tags in the web.xml - all of that is generic. It is defined in the servlet specification, and should work on all JSP/J2EE servers.

What varies from server to server is where/how you configure the list of usernames/passwords that it looks up. For that you have to consult the server documentation.

So if you do end up "rolling your own" security lookup, it becomes easier to deploy, because you only have to deploy your WAR file without having to do any setup on the server. On the other hand, container managed security is right there, so why re-invent the square wheel?
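Container-managed form authentication with a database-backed Tomcat realm, the setup Stefan points to in both of his replies, as an added example that is not the thread's own configuration. The web.xml part is defined by the servlet specification and is portable; the Realm element is Tomcat's JDBCRealm and goes in the web application's context configuration. The user table and column names are taken from Howard's query; the roles table, the driver class, the connection URL and the database credentials are placeholders to be replaced.

```xml
<!-- web.xml (portable): declare which URLs are protected and how users log in.
     Added example; /app/*, the role name and the page names are assumptions. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application pages</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- login.jsp: the custom login page. With FORM auth the form must post to
     j_security_check and use the field names j_username and j_password. -->
<form method="post" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Log in"/>
</form>

<!-- Tomcat-specific: context.xml (or the <Context> element in server.xml).
     Replaces the default tomcat-users.xml realm with a database lookup.
     Driver class, URL and credentials are PLACEHOLDER values. -->
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="PLACEHOLDER.jdbc.Driver"
         connectionURL="jdbc:PLACEHOLDER://dbhost:1433;DatabaseName=webapp"
         connectionName="PLACEHOLDER_DB_USER"
         connectionPassword="PLACEHOLDER_DB_PASSWORD"
         userTable="tblUsers" userNameCol="uName" userCredCol="pwd"
         userRoleTable="tblUserRoles" roleNameCol="roleName"/>
</Context>
```

With this in place the application contains no login servlet and no per-page check: the container intercepts the first request to /app/*, shows login.jsp, verifies the posted credentials against tblUsers through the realm, and only then lets the request through. JDBCRealm requires the separate user-role table, since the auth-constraint is expressed in roles; its digest attribute lets the pwd column hold a hashed credential rather than the password itself.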
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60785
Originally posted by Rusty Smythe:
Even better than prepared statements (IMHO) is Hibernate.


Adopting an ORM framework just to avoid SQL injection is a bit of a leap.