Using realm password for db authentication

Julien Martin
Ranch Hand

Joined: Apr 24, 2004
Posts: 384
Hello all,

I would like to use a password provided by the basic (UserDatabaseRealm) authentication and use it further on for database/JDBC authentication.

Is that possible? I was not able to find any getUserPassword in the servlet API...

Any suggestion?

Thanks in advance,

Julien.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42047
UserDatabaseRealm looks up users in a file, not a database; use JDBCRealm or DataSourceRealm instead.

There is no need to retrieve the password in the web app, because the container handles all that (so it's actually a security precaution to not spread the password any further than necessary). The methods a web app would use to find out about an authenticated user are in HttpServletRequest: isUserInRole, getRemoteUser and getUserPrincipal.


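As an added illustration of the reply above (example code, not anything posted in this thread), here is what a servlet can and cannot learn about a container-authenticated user. It assumes a security-constraint in web.xml protecting /reports/* and requiring an assumed role named "reports-user"; the realm itself (a JDBCRealm or DataSourceRealm) is configured in the container, not in this code.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the servlet sees the outcome of container authentication
// (who the user is, which roles they hold) but never the password itself.
// Assumed setup: web.xml protects /reports/* with the role "reports-user".
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defensive check: if the security-constraint is ever dropped or the
        // servlet is mapped outside it, refuse rather than serve anonymously.
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        if (user == null || principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Role checks also go through the container; the role name is the one
        // declared in web.xml (optionally mapped with security-role-ref).
        if (!req.isUserInRole("reports-user")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Note what is absent: there is no getUserPassword(). The realm checked
        // the credentials and the password never reaches application code.
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated as: " + user);
        out.println("Auth scheme: " + req.getAuthType()); // e.g. BASIC or FORM
        out.println("Principal type: " + principal.getClass().getName());
    }
}
```

The three calls shown (getRemoteUser, getUserPrincipal, isUserInRole) are the whole of the per-request identity API; anything the application needs beyond that is derived from the principal name, not from credentials.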
Julien Martin
Ranch Hand

Joined: Apr 24, 2004
Posts: 384
Hi Ulf,

My fault: I was not clear in my previous post.

I actually mean to use the retrieved user credentials for further authentication against a database (here using Hibernate).

1. The user logs in using the web container mechanism.
2. I use his password for hibernate authentication.

Do you see what I mean?

Julien.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42047
So you're using the same username/password combinations both for the web server and the database server? I would recommend against that. Web passwords can get snooped, or be written down and read by unauthorized persons, and thus compromised. In that case, you don't want your database to be compromised, too.

What's more, Hibernate expects a single database username/password when creating a SessionFactory. So unless you are using a separate SessionFactory for each user (which would be rather unusual), this isn't really going to work.
Julien Martin
Ranch Hand

Joined: Apr 24, 2004
Posts: 384
Originally posted by Ulf Dittmer:
So you're using the same username/password combinations both for the web server and the database server?

I am indeed. It is part of my company's SSO policy.

Do you think I have to perform a second authentication against our ldap directory?

What architecture do you suggest?

Julien.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42047
Originally posted by Julien Martin:
Do you think I have to perform a second authentication against our ldap directory?


No. But generally, a single (or maybe very few) database account(s) can be used for all user activities. Once the user is authenticated in the web tier, it shouldn't be necessary to carry on the credentials further into the database tier. That makes it actually less secure, because a compromised web login means a compromised database login, which is often a more serious problem.

Note that I said "generally", because there may be circumstances where you need to have a database account for each user. Is that the case here? It would be kind of a pain to keep those in synch, though.

As far as Hibernate is concerned, you will need a separate SessionFactory for each database account.
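The architecture recommended in the two replies above (one database account, the web-tier identity carried forward as data rather than as credentials), as an added example that is not code from this thread. It assumes a hibernate.cfg.xml that holds the single service-account username/password, and an assumed mapped entity named Report with fields id, owner and title; the DAO would be called from a servlet with req.getUserPrincipal().

```java
import java.security.Principal;
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import org.hibernate.cfg.Configuration;

// Assumed entity for the example; the table is owned by the service account.
@Entity
class Report {
    @Id @GeneratedValue private Long id;
    private String owner;   // principal name from the web tier, stored as data
    private String title;

    protected Report() { }               // required by Hibernate
    Report(String owner, String title) { this.owner = owner; this.title = title; }
    public Long getId() { return id; }
    public String getOwner() { return owner; }
    public String getTitle() { return title; }
}

// Added example: a single SessionFactory for the whole application. The DB
// credentials (hibernate.connection.username/password in hibernate.cfg.xml)
// belong to the deployment, never to an end user, so a snooped web password
// does not become a database login.
public class ReportDao {

    private static final SessionFactory FACTORY =
            new Configuration().configure().buildSessionFactory();

    // Authorization happens here, keyed on the identity the container verified.
    public List<Report> reportsFor(Principal principal) {
        requireUser(principal);
        try (Session session = FACTORY.openSession()) {
            return session.createQuery(
                    "from Report r where r.owner = :owner order by r.id", Report.class)
                    .setParameter("owner", principal.getName()) // bound, not concatenated
                    .getResultList();
        }
    }

    // The principal name is recorded for ownership and audit; no per-user
    // database account is created or kept in sync.
    public Long create(Principal principal, String title) {
        requireUser(principal);
        try (Session session = FACTORY.openSession()) {
            Transaction tx = session.beginTransaction();
            Report report = new Report(principal.getName(), title);
            session.persist(report);
            tx.commit();
            return report.getId();
        }
    }

    private static void requireUser(Principal principal) {
        if (principal == null) {
            // Reaching here means the security-constraint did not cover the caller.
            throw new IllegalStateException("no authenticated user; check web.xml security-constraint");
        }
    }
}
```

If a per-user database account really were required, the only alternative with Hibernate is the one the reply describes: a separate SessionFactory per account, which means the application would have to hold each user's database password and keep both credential stores in step.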
Julien Martin
Ranch Hand

Joined: Apr 24, 2004
Posts: 384
Thanks a lot for your detailed reply!
All the best,
Julien.