Authentication/Authorization

Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
Can anyone dissipate my confusion about this issue?
I really do not get it (it's about the Tomcat container):
1- Do I really put each user who logs in into "tomcat-users.xml"?
2- If so, shouldn't I restart the container each time I add a new user?
3- Or should I propagate the user info to the "validation" servlet (where I will put it into the database, or check whether a certain user exists)?
4- And on what occasion should type-FROM or another one be used?
I just need a reference about the "logic motion".
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
You really shouldn't use the MemoryRealm (which uses the tomcat-users.xml file) in a production setting. Instead, keep the user information in a database and use JDBCRealm or DataSourceRealm instead. Then you don't need to do anything on the Tomcat side if you add new users. See here for more detail.

I'm not sure what you mean by "type-FROM" and "logic motion"; maybe you can elaborate on that.
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
I mean FORM type authentication (not BASIC or DIGEST), and the logic motion you partly describe. But if we use a database, don't we expose the data (username and password, for example)?
They are not secure, not encoded (I have in mind <user-data-constraint>, which may not be used)?
Now I'm going to read what you referred me to...
[ December 06, 2008: Message edited by: Slobodan Erakovic ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Why would storing user data in a database expose it? To whom?

And passwords should never be stored in cleartext - they should be hashed (or digested). Both JDBCRealm and DataSourceRealm support this.
[ December 06, 2008: Message edited by: Ulf Dittmer ]
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
Well, ok, I read it... Well, now I'm really confused... What now, when I have a database using a certain realm?
I specify in server.xml what realm I use - ok
I create a database according to the realm rules - ok
I made a servlet for data handling - ok

But how do I use this database to provide the mentioned authorization/authentication? Do I no longer need the web.xml security configuration, in other words, do we use it at all?
Or after I do the steps above, have I done everything? And I didn't find/understand how to digest the password in my database?

Hope I'll not smother you with questions, and at least references help too ))
Thanks in advance!
[ December 06, 2008: Message edited by: Slobodan Erakovic ]
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
hahaha (blush :-) ) Ok, I figured it out, but one thing only:
Do I do further updating through a "database-specified servlet", and can you present me a way of using the MessageDigest class/code?
In other words, I get a user name and pass, and the first servlet should be the one that handles the check of the database entry, right?

[ December 06, 2008: Message edited by: Slobodan Erakovic ]
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
Well, I believe I figured it out; please, could anyone just confirm my assumption.
When I retrieve the user password, I digest it by using this code:

Then I store the "encriptedPass" variable into the related database in the appropriate row.
Now when I perform authentication, I first get the user password, then retrieve from the database - using the username - the appropriate digested password (encriptedPass) and make a comparison! If it's OK, the user is authenticated.
Is this ok???
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Yes, that's how it works. Well done figuring this out!
[ December 06, 2008: Message edited by: Ulf Dittmer ]
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
"and that's the way the cookie crumbles!" :-)
However, I believe that you, Ulf, have been very helpful in my solution exploration, and I very much appreciate that, hoping that my further questions will be resolvable at least this fast.
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
Well, I have still one question:

Who handles the username and password (in the FORM authentication type), provided by j_username and j_password, if in our action we specify j_security_check?

Do we create a j_security_check servlet for handling this?
Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
The container will handle it, as long as the specs for FORM-based authentication are followed.

Originally posted by Slobodan Erakovic:
Well, I have still one question:

Who handles the username and password (in the FORM authentication type), provided by j_username and j_password, if in our action we specify j_security_check?

Do we create a j_security_check servlet for handling this?


Bosun (SCJP, SCWCD)
So much trouble in the world -- Bob Marley
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
I have tried it for BASIC authentication, and it's ok. But when I try to use FORM, I'm shown an errorpage.html.
Do I maybe need some configuration tuning when we talk about FORM authentication?
And, if it's all done by the container, does it mean that I cannot perform authentication based on the code I've previously written? I mean, if it's all done by the container, how can I extract the password and username from the form?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Yes, the idea is that the container does all the work - you do not need to write any authentication code (and it's actually difficult to hook into that automatic system if it doesn't do precisely what you need). Is the functionality missing that you need?

As to FORM authentication, what error are you getting? Is there anything in the log files?
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
I get my errorpage that I've mapped in the <login-form> element.
The funny thing is that, when I tried yesterday an example from the link you sent me (jsp-example), where a FORM login is performed, it worked. However, after I finished connecting to my database with BASIC auth., neither the example nor my own examples work. I've probably made some changes, but I restored the settings completely to the previous state. What did I do wrong?
And what can I use the digestion code for, if I do not perform any authentication myself? It's a little confusing, isn't it?
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
And now I can use the jsp-example of form login, but applied to my page I receive a 404 error. It's obviously something about the server.xml file that I didn't tune...
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
For which URL are you getting the 404? When are you getting that - after accessing a protected URL (when it should redirect you to the login page), or after submitting the login form?

As to digests, your code doesn't need to do that - the container handles all that.
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
From time to time problems continue to occur :-)

I use the original server.xml file without any changes...
I tried the example from the link you sent me (it's the application stored in jsp-example/secure/protected, with FORM type authentication). It works with MemoryRealm, so I use the username and password from tomcat-users.xml, and it works!

I tried to use my customized page (everything is copied from the web.xml of the jsp-example application, except the resource protection, and it's also FORM type, and MemoryRealm). Now I get some Thread exception thrown by the container itself (it's displayed in the window), and the same happens if I uncomment the JDBCRealm and use it (so I don't do anything else, just uncomment JDBCRealm and tune the url and other settings to use the database). It also won't work, with the same problem.

Now when I perform BASIC authentication, whether I use MemoryRealm (using tomcat-users.xml) or JDBCRealm (using a particular database), it works!

I hope I've explained my problem plainly, and I believe that there is some collision inside the server.xml file...
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
From time to time problems continue to occur :-)

I use the original server.xml file without any changes...
I tried the example from the link you sent me (it's the application stored in jsp-example/secure/protected, with FORM type authentication). It works with MemoryRealm, so I use the username and password from tomcat-users.xml, and it works!

I tried to use my customized page (everything is copied from the web.xml of the jsp-example application, except the resource protection, and it's also FORM type, and MemoryRealm). Now I get some Thread exception thrown by the container itself (it's displayed in the window), and the same happens if I uncomment the JDBCRealm and use it (so I don't do anything else, just uncomment JDBCRealm and tune the url and other settings to use the database). It also won't work, with the same problem.

Now when I perform BASIC authentication, whether I use MemoryRealm (using tomcat-users.xml) or JDBCRealm (using a particular database), it works!

I hope I've explained my problem plainly, and I believe that there is some collision inside the server.xml file (maybe about the scope at which these changes are applied)...
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
It's hard to advise without knowing the answers to the question I posted earlier. Also, post the stack trace of the exception. When exactly does that occur - what are you doing at that moment?

I don't think server.xml has much to do with it - the only thing you need to change there is to alter the <Realm> element. If there's a mistake in that then the error message should point to it pretty quickly.
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
I'm going crazy now :-) I fixed what I could and now I've come back, but I think this is fixable too:
When I try to enter the protected area it displays the login page now - ok
when I enter username and password it redirects me to the mapped errorpage.html
(I use the tomcat-users.xml username/password, because I experiment with MemoryRealm)
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Are there any errors in the Tomcat log files?
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
Nope. It acts like I entered incorrect data... It simply redirects me to an error page.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Does the error page contain any hint what's going wrong? Is there maybe a stack trace in the HTML source (even if it's not showing visibly)?
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
No, no, it redirects me to my custom error page:

It redirects me to this custom page just as if I had entered incorrect data into the login fields. But it does that (redirection) so quickly! And in the address bar stays: http://localhost:8080/second/somei/j_security_check...
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
You want to believe! I tried it in some other application and it all works correctly! But on the one which gives me problems it won't! Do you have an idea what may cause the problem...
[ December 07, 2008: Message edited by: Slobodan Erakovic ]
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
One thing about the container:
I don't want to store passwords as plain text, and when I put in the digest attribute, it won't work.
To use digested passwords I need to store them digested, right. I store them using the code I provided here, and it transforms a certain plain text into some string, which I store as the password in the database.
Now I put into server.xml: digest="md5" (because I use md5 for digestion), but the custom error page is shown (the pass didn't match the one in the table). What should I do?
[ December 07, 2008: Message edited by: Slobodan Erakovic ]
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
As I found, I need to digest the password using the JDBCRealm class, not MessageDigest, but I couldn't find how I can use it. Can anyone provide me a code snippet for password digestion? As I said, I tried to retrieve MessageDigest-digested passwords from the database, but it won't...
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
The Tomcat docs suggest two ways to calculate the digest. Make sure that the algorithm you use with these methods is the same you specify in the Realm configuration.
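As an added illustration of the mismatch discussed above (not code from the thread or from Tomcat), the block below digests a password with MessageDigest in the lowercase hexadecimal form that Tomcat's realms compare against when digest="md5" is set, and shows why a common BigInteger-based hex conversion produces values that can never match. It assumes UTF-8 for the password bytes and that the algorithm name passed in is the same one configured on the <Realm> element.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class TomcatDigestCheck {

    // Digest a cleartext password into the lowercase hex string stored in the
    // users table for a JDBCRealm/DataSourceRealm with digest="md5" (or "sha-1").
    // Assumption: UTF-8 bytes; older Tomcat releases use the platform default
    // charset unless an encoding is configured, so keep the two consistent.
    public static String digestForRealm(String password, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] raw = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            // Exactly two hex characters per byte: leading zeros are kept.
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Frequent mistake: BigInteger.toString(16) drops leading zero nibbles,
    // so for some passwords this yields 31 (or fewer) characters instead of
    // the 32 that the realm computes, and those users can never log in.
    public static String digestViaBigInteger(String password, String algorithm)
            throws NoSuchAlgorithmException {
        byte[] raw = MessageDigest.getInstance(algorithm)
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(1, raw).toString(16);
    }

    // What happens at login: digest the submitted password with the configured
    // algorithm and compare it to the stored value. MessageDigest.isEqual
    // performs a constant-time comparison.
    public static boolean matches(String submitted, String stored, String algorithm)
            throws NoSuchAlgorithmException {
        byte[] a = digestForRealm(submitted, algorithm).getBytes(StandardCharsets.UTF_8);
        byte[] b = stored.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        String stored = digestForRealm("tomcat", "MD5"); // value to insert into the DB
        System.out.println("store in DB : " + stored);
        System.out.println("login ok    : " + matches("tomcat", stored, "MD5"));
        System.out.println("login wrong : " + matches("wrong", stored, "MD5"));
        System.out.println("BigInteger  : " + digestViaBigInteger("tomcat", "MD5"));
    }
}
```

Running `java org.apache.catalina.realm.RealmBase -a md5 <password>` with the Tomcat jars on the classpath gives the value the realm expects; the output of `digestForRealm` should be identical to it for the same charset.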
Goran Markovic
Ranch Hand

Joined: Sep 26, 2008
Posts: 399
Believe me, I'm quite overloaded and a little confused about all this. When I search Google for the RealmBase class it leads me to too many matches with similar issues, so I'd very much appreciate it if it's possible to get a snippet of code here... I tried with the MessageDigest class and it won't match when I perform authentication... I cannot find the RealBase class, and the command line utility for pass digestion throws a NoClassDefFoundError exception constantly..
Thanks in advance

[ December 07, 2008: Message edited by: Slobodan Erakovic ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
The class is called RealmBase, not RealBase. The Tomcat classes are located in TOMCAT_HOME/server/lib; it's probably easiest to put all the jar files into your classpath.