This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
Hi, I'm reading a web app book that has a chapter on Form-based authentication, in which is what I want: a custom login page. However, they are using tomcats user.xml(misspelled) to put in users id/passwords but in real life situations, I wouldn't be using that. I'm thinking in real life, I would be hitting a database (sql server 2000) and looking up id/passwords.
1. I'd like to see an example of this 2. In my mind, I think I would have my login page submit to a servlet, that servlet authenticates the user against the database, then store inside the session a variable that states that UserIsDefined. Now, on any page inside that follows the login, it would check the UserIsDefined variable if it is true, if it is false, then the user would get error message. Is this the common way of doing authentication without a framework like Struts or Spring? 3. What is the common way of doing authentication, is it using a framework like Struts, or Spring? 4. Can you recommend a good site on this, form-authentication with a database instead of a xml file?
I'm totally new to this so any comments, suggestions, and code are great appreciated ! Thanks !
Thanks so much, Carmen [ August 29, 2006: Message edited by: Bear Bibeault ]
What you have explained would work, and is something I have seen quite commonly around the place.
Is there anything wrong with the Form-based authentication apart from it using a file (user.xml) as opposed to a database?
Check out the tomcat docs on Realms You are using the default realm (being the user.xml file), but you don't have to. You can specify a whole range of sources for the username/password - including database (Datasource Realm, or JBDC Realm)
The form-based authentication gives you control over the access to pages in the web.xml rather than programming it into your application. That is much more flexible than having a basic "is the user logged in" check on every request.
Good luck, evnafets
Joined: Feb 23, 2006
Hi evnafets, thanks so much for your reply! Thanks for telling me about Realms, is this a Tomcat specific ability or can I use it on any other application server?
I applogize for slightly off topic reply. I too have used SQL database queries for database web-app authentication. SELECT uName,pwd FROM tblUsers based on form parameters. I then create a session and use a session attribute to control processing JSPs. This works well because it prevents bookmarking.
The reason I wanted to post is a recent experience with SQL injection. A user can modify a query like the one above with carefully selected characters in the userName and password fields. After reading an article on the subject and about an hours research and hacking I was able to hack my apps.
Even better than prepared statements (IMHO) is Hibernate.
Joined: Jul 06, 2005
Tomcat "Realms" configuration is specific to Tomcat. However all application servers will have similar ways of specifying such details.
Form-based authentication, and the security/authentication tags in the web.xml - all of that is generic. It is defined in the servlet specification, and should work on all JSP/J2EE servers.
What varies from server to server is where/how you configure the list of usernames/passwords that it looks up. For that you have to consult the server documentation.
So if you do end up "rolling your own" security lookup, it becomes easier to deploy, because you only have to deploy your WAR file without having to do any setup on the server. On the other hand, container managed security is right there, so why re-invent the square wheel?