JavaRanch » Java Forums » Java » Servlets
Tracking users and user security

Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Not sure how to write a good title for this.

I'm writing a registration app. So far I have where the users can register themselves. It works great and stores the data in a db using Hibernate.

Now what I'd like to do is have users be able to log in and update their data. However, I'm not really sure how to configure this to be secure and make sure that people don't start editing other users data.

Am I going to have to set a cookie? Is this the best way to handle it?
Sunil Vasudevan
Ranch Hand

Joined: Mar 05, 2007
Posts: 107
Since you have a login module, doesn't it require a password?

If yes, that should act as a security layer. Am I missing something?


Sunil.V, SCJP2, SCWCD1.4, SCBCD1.3
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Make use of container managed security (look up JAAS and/or Realm in the documentation provided with the appserver) and/or a simple Filter which checks the presence of the logged in User and handles the request/response accordingly.
Sunil Vasudevan
Ranch Hand

Joined: Mar 05, 2007
Posts: 107
My bad.. You mentioned you need to create a login module.

During user registration, have the user provide a password too.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
I already have a password setup in the registration section.

I'm just trying to figure out how to track the user through the rest of the app once they're registered.

Not sure how to set up the container managed security. I'm using Tomcat as my app server if that helps.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

A typical scenario is that the business layer needs to know which user is "logged in" and makes sure that the user has the ability to perform the operation.

Thus each business layer operation gets passed the current user and does a check for permissions or scope or whatever determines whether the request is valid prior to actually doing something.

In the system I am currently working on, we do both. We have a permissions structure that defines what a user is allowed to do, and scoping to determine what the user is allowed to do those operations to.

This is not generally something tacked on in the UI layers. Your business layer needs to be set up to handle this.
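An added example (not code from the thread, nor from Bear's FrontMan) of the business-layer check Bear describes, which is also the direct answer to the opening worry about users editing other users' data. The acting user always comes from the server-side session, the target record id comes from the request, and the service refuses the call unless the actor owns the record (scope) or holds an assumed permission name "user.edit.any". The User shape, the permission string and the in-memory map standing in for the Hibernate DAO are all assumptions.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Minimal user: identity plus the permissions granted at registration or by an admin (assumed shape). */
class User {
    final long id;
    final Set<String> permissions;
    User(long id, Set<String> permissions) { this.id = id; this.permissions = permissions; }
}

/** Thrown when the caller may not perform the operation; the servlet maps it to a 403 or an error page. */
class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String message) { super(message); }
}

/** Business-layer operation that edits a profile. Every call receives the acting user explicitly. */
public class ProfileService {
    // Stands in for the Hibernate-backed table; constructed sample rows
    private final Map<Long, String> emailById = new HashMap<Long, String>();

    public ProfileService() {
        emailById.put(1L, "alice@example.invalid");
        emailById.put(2L, "bob@example.invalid");
    }

    /**
     * @param actor        the User taken from the HttpSession by the servlet, never from request parameters
     * @param targetUserId the record the request asks to change (typically a form field, so untrusted)
     */
    public void updateEmail(User actor, long targetUserId, String newEmail) {
        if (actor == null) throw new AccessDeniedException("not logged in");
        // Permission: what the user may do. Scope: whom they may do it to.
        boolean ownRecord = actor.id == targetUserId;
        boolean mayEditAnyone = actor.permissions.contains("user.edit.any");   // assumed permission name
        if (!ownRecord && !mayEditAnyone) {
            throw new AccessDeniedException("user " + actor.id + " may not edit user " + targetUserId);
        }
        if (!emailById.containsKey(targetUserId)) throw new IllegalArgumentException("no such user");
        emailById.put(targetUserId, newEmail);
    }

    public String emailOf(long userId) { return emailById.get(userId); }

    // Stand-alone demonstration; in the web app the servlet makes the same calls with
    // (User) session.getAttribute("user") and Long.parseLong(request.getParameter("id")).
    public static void main(String[] args) {
        ProfileService service = new ProfileService();
        User alice = new User(1L, new HashSet<String>());
        User admin = new User(99L, new HashSet<String>(java.util.Arrays.asList("user.edit.any")));

        service.updateEmail(alice, 1L, "alice.new@example.invalid");   // own record: allowed
        service.updateEmail(admin, 2L, "bob.new@example.invalid");     // admin scope: allowed
        try {
            service.updateEmail(alice, 2L, "hijacked@example.invalid"); // someone else's record: refused
        } catch (AccessDeniedException e) {
            System.out.println("refused: " + e.getMessage());
        }
        System.out.println(service.emailOf(2L));   // still bob.new@example.invalid
    }
}
```

The check lives in the service rather than in the servlet so that every caller (a second servlet, an Ajax endpoint, a batch job) gets the same rule; the servlet's only job is to fetch the actor from the session and translate AccessDeniedException into a 403.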


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bear Bibeault wrote: A typical scenario is that the business layer needs to know which user is "logged in" and makes sure that the user has the ability to perform the operation.

Thus each business layer operation gets passed the current user and does a check for permissions or scope or whatever determines whether the request is valid prior to actually doing something.

In the system I am currently working on, we do both. We have a permissions structure that defines what a user is allowed to do, and scoping to determine what the user is allowed to do those operations to.

This is not generally something tacked on in the UI layers. Your business layer needs to be set up to handle this.


Um, I never mentioned anything about the UI layers. I'm just trying to figure out how to determine who's logging in so that I can use my business logic to determine their permissions. Most of my coding has been desktop apps, so I'm not sure how to make this work using a web servlet.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

Well, I assume that your users are logging in and interacting with the system via the UI.

What are you using for authentication? I never seem to find the container-managed stuff versatile enough for my needs, so I always set up my own. Basically, when a user logs in, a token is placed in the session. This token, which is used to identify not only that a user is logged in, but which one, is passed to each business layer operation, whose job it is to validate the permissibility of the operation before carrying it out.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bear Bibeault wrote: Well, I assume that your users are logging in and interacting with the system via the UI.

What are you using for authentication? I never seem to find the container-managed stuff versatile enough for my needs, so I always set up my own. Basically, when a user logs in, a token is placed in the session. This token, which is used to identify not only that a user is logged in, but which one, is passed to each business layer operation, whose job it is to validate the permissibility of the operation before carrying it out.


Right now, I'm not using anything for authentication. That's my problem.

I have a registration page that saves the users data to a database.

What I want to do is then authenticate them based on the username/password in the database. That's why I'm trying to figure out how to track them across the system. My original plan was to write a login servlet, but then I didn't have a method to keep track of which user I was dealing with in any of the other servlets.
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Either make use of JAAS/Realm to let the container handle it completely, or take it into your own hands by just placing the User object obtained from the DB in the HttpSession yourself. The rest of your application can just intercept on that, if need be with a simple Filter.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

Ah! Yes.

For authentication itself, we store the users and passwords in the database (encrypted passwords). When a user logs in, he is authenticated and if successful the user information is stored in a session-scoped variable.

For each authenticated page, a servlet filter checks if the session info is there. If not, it forces authentication. Redirecting to a login page is easiest (I'm doing something a little more sophisticated with Ajax, but that's another show).

Upon logging out (or session timeout), the session info is eradicated.

This means that for each operation that requires a user, the user info can be obtained from the session and passed to the business layer.
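Bear's design in the post above, written out as an added example (this is not code from the thread or from FrontMan): a login servlet that binds the User to the session, a filter on the authenticated prefix that forces authentication when nothing is bound, and a logout servlet that destroys the session. It assumes the javax.servlet 2.5 API, a session attribute named "user", a hypothetical UserRepository registered as the servlet-context attribute "userRepository" (where the Hibernate lookup against the stored password hash would go), /index.html as the login page outside the protected prefix, and the filter mapped to /secure/* in web.xml. The classes would normally live in separate files.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Minimal stand-in for the Hibernate-mapped user entity (assumed). */
class User {
    private final String username;
    User(String username) { this.username = username; }
    String getUsername() { return username; }
}

/** Hypothetical DB lookup: returns the User when the password matches its stored hash, else null. */
interface UserRepository {
    User authenticate(String username, String password);
}

/** Mapped to /secure/* in web.xml: passes the request on only if a User is bound to the session. */
public class AuthFilter implements Filter {
    static final String USER_ATTR = "user";   // session attribute key shared with the servlets below

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to find out there is none
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute(USER_ATTR);

        if (user == null) {
            // Nobody is logged in on this session: force authentication. The context path is
            // read at runtime, never hard-coded, and the login page sits outside /secure/*
            // so this redirect cannot loop.
            response.sendRedirect(request.getContextPath() + "/index.html");
            return;
        }
        // Servlets behind the filter read the same attribute and hand the User to the
        // business layer, which does the real permission/scope checks.
        chain.doFilter(request, response);
    }
}

/** POST /login from the form on index.html. */
class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        UserRepository users =
                (UserRepository) getServletContext().getAttribute("userRepository"); // assumed
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        User user = (username == null || password == null)
                ? null : users.authenticate(username, password);

        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/index.html");
            return;
        }
        // Discard any session that existed before login so the client cannot have chosen
        // the session id in advance (session fixation), then bind the user to a fresh one.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute(AuthFilter.USER_ATTR, user);
        response.sendRedirect(request.getContextPath() + "/secure/index.html");
    }
}

/** GET /logout: the session info is eradicated. */
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        response.sendRedirect(request.getContextPath() + "/index.html");
    }
}
```

Idle timeout needs no code of its own: the container invalidates the session after the configured period, the attribute disappears with it, and the next request under /secure/* lands on the same redirect branch of the filter.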
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Okay, not to be too obtuse, but how do I store the user data in a session variable?
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
HttpSession#setAttribute().

Learn to find, read and understand the API, luke: javax.servlet.http.HttpSession.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bauke Scholtz wrote: HttpSession#setAttribute().

Learn to find, read and understand the API, luke: javax.servlet.http.HttpSession.


I know how to read and understand the API. I just wasn't sure what I was looking for. I'm still getting used to the way servlets work.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
BTW, how secure are session variables? Are they something that can be read/changed in the browser? Or can I just set a variable to the user's name (which is unique) and then be assured that it wasn't tampered with?
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
It is stored entirely on the server side. All the client has with regard to the session is a simple cookie referencing the session ID, or the jsessionid addendum in the URL. So it's secure enough. You have full control over what you get/set in the session. After all, it depends on the robustness of the code you write yourself.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bauke Scholtz wrote: It is stored entirely on the server side. All the client has with regard to the session is a simple cookie referencing the session ID, or the jsessionid addendum in the URL. So it's secure enough. You have full control over what you get/set in the session. After all, it depends on the robustness of the code you write yourself.


Ah, okay. I wasn't sure how the session tracking was handled. I assume the timeouts, etc, are configured in the tomcat xml config files?
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
In the web.xml.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
After some thinking, I realized I have a better question. Can y'all point me to a good servlet design pattern? I think I have my configuration all jumbled up, but I'm not really sure what the best way to configure it all is. If y'all can point me to some good examples, it'd be appreciated.

Thanks.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

Servlet filter.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Okay, I got the servlet filter mostly working. I'm having some trouble with setting up the filter mapping, though. I want most of the pages to be covered by the filter, but I'm not sure how to exclude the ones I don't need.

For example, I don't need the images dir or the login page to be covered by the login page. In the former, it won't display correctly, and the latter causes an infinite loop. How do I set an exclude in a mapping?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

You never want to map /* obviously.

Usually, you choose a prefix for the authenticated resources that the URLs will contain. For example /core/*.

As I use a front controller (see FrontMan link below) it's easy for me to control what prefixes all the URLs have, and to ignore prefixes that address resources that don't need authentication.
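A web.xml for this layout, as an added example that was not posted in the thread. It covers Bauke's "In the web.xml" answer on session timeouts and Bear's point about mapping the filter to a prefix rather than to /*: the login page, the login servlet and the images directory simply sit outside /secure/*, so no exclude rule is needed and the redirect-to-login cannot loop. Assumed: the filter and servlet classes live in a package named example, and the container supports Servlet 3.0 (Tomcat 7 or later) for the cookie-config and tracking-mode elements; on a 2.5 container drop those two and the rest is unchanged.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Everything that requires a logged-in user lives under /secure/ -->
  <filter>
    <filter-name>AuthFilter</filter-name>
    <filter-class>example.AuthFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <url-pattern>/secure/*</url-pattern>
    <!-- also run for server-side forwards, not only for browser requests -->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>

  <!-- Login and logout are deliberately outside the protected prefix -->
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>example.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>LogoutServlet</servlet-name>
    <servlet-class>example.LogoutServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LogoutServlet</servlet-name>
    <url-pattern>/logout</url-pattern>
  </servlet-mapping>

  <session-config>
    <!-- idle sessions are invalidated after this many minutes -->
    <session-timeout>30</session-timeout>
    <!-- Servlet 3.0: keep the session id cookie away from page script and off plain HTTP -->
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <!-- Servlet 3.0: never carry the session id in the URL (the ;jsessionid form) -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

  <!-- /BLAH/ resolves to the login page, but the filter redirects to /index.html explicitly -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
</web-app>
```

The session-timeout value is in minutes, and it is the only place the timeout is set for the whole application; a servlet can shorten it for one session with HttpSession#setMaxInactiveInterval(), which takes seconds.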
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
I seem to have it mostly working.

Is there a way to reliably set the filter to kick the user back to the login page? Right now I have it setup like so.

/BLAH
/secure
index.html
index.html

BLAH is my context path, so /BLAH/index.html is my login page. Once a user is logged in, they're redirected to /BLAH/secure/index.html. However, whenever they try to hit any page in /BLAH/secure, I want it to kick them back to the login page. Right now, I set the response to redirect to the context path. Is there a better way to do this?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

I'd have it redirect to your login page explicitly.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bear Bibeault wrote: I'd have it redirect to your login page explicitly.


How so? What if the context changes, etc?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

The context should never be hard-coded. Be sure to obtain it dynamically. (See the FAQ entry on resource URLs in the JSP FAQ if need be).
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bear Bibeault wrote: The context should never be hard-coded. Be sure to obtain it dynamically. (See the FAQ entry on resource URLs in the JSP FAQ if need be).


-nods- I was just wondering about your statement of pointing to the login page explicitly. Right now my login page is index.html and when I point to the context, it defaults to the login page.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

I just personally find that fragile. I like to be more explicit.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bear Bibeault wrote: I just personally find that fragile. I like to be more explicit.


So redirect to contextPath+"/index.html"?

Also, any suggestions for notifying users of why their login was rejected? I can redirect them back to the login page, but I haven't figured out a good way to tell them that their password was invalid, or they don't have permissions, etc.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

These days I'm doing things in a more Ajax-y manner, but using traditional requests I used to set up a session variable that had a pending message. If the page saw that such a message was there, it would display it and remove the message from the session.
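Bear's pending-message scheme as an added example (not the thread's own code, nor FrontMan's). The session attribute never leaves the server: the login page is generated server-side, reads the message once, removes it, and writes only the HTML-escaped text into the page. Assumed names: the attribute pendingMessage, a login page served at /index.html by LoginPageServlet, and a login servlet at /login that calls rejectLogin on failure.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** One-shot message kept in the session between a rejected request and the next page view. */
final class FlashMessage {
    private static final String ATTR = "pendingMessage";   // assumed attribute name
    private FlashMessage() {}

    /** Called by the servlet that rejects the request (bad password, no permission, ...). */
    static void put(HttpSession session, String text) {
        session.setAttribute(ATTR, text);
    }

    /** Returns the pending message and clears it, or null when there is none. */
    static String take(HttpSession session) {
        if (session == null) return null;
        Object text = session.getAttribute(ATTR);
        if (text != null) session.removeAttribute(ATTR);
        return (String) text;
    }

    /** Escape the HTML metacharacters so whatever is in the session can only ever render as text. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Failure path of the login servlet: leave the reason behind, go back to the login page. */
    static void rejectLogin(HttpServletRequest request, HttpServletResponse response,
                            String reason) throws IOException {
        put(request.getSession(), reason);
        response.sendRedirect(request.getContextPath() + "/index.html");
    }
}

/** Serves the login page. A JSP would do the same job by reading and removing the attribute. */
public class LoginPageServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String message = FlashMessage.take(request.getSession(false));

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        if (message != null) {
            // Shown exactly once; reloading the page no longer sees it
            out.println("<p class=\"error\">" + FlashMessage.escapeHtml(message) + "</p>");
        }
        out.println("<form method=\"post\" action=\""
                + FlashMessage.escapeHtml(request.getContextPath()) + "/login\">");
        out.println("  <input type=\"text\" name=\"username\">");
        out.println("  <input type=\"password\" name=\"password\">");
        out.println("  <input type=\"submit\" value=\"Log in\">");
        out.println("</form></body></html>");
    }
}
```

Keep the rejection text generic ("Invalid username or password") rather than saying which half was wrong, so the page does not confirm which usernames exist. In the Ajax variant the session round trip disappears: the login request returns the reason in its own response (for example a 401 with a short JSON body) and the page's script displays it.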
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Bear Bibeault wrote: These days I'm doing things in a more Ajax-y manner, but using traditional requests I used to set up a session variable that had a pending message. If the page saw that such a message was there, it would display it and remove the message from the session.


I'm fine with doing it in an "Ajax-y" manner, as that's another thing I'm working on learning. But how does the page read the session variable? I thought those were entirely server side? Are you dynamically generating the logon page?
Per Lindberg
Ranch Hand

Joined: Jan 17, 2008
Posts: 48
I too have been wrestling with this kind of problem recently. I need to keep track of when users log in, and which logged-in sessions there are.

There seems to be no simple way to do this in a Java EE servlet environment (like getting a callback for all logins).

I finally managed to solve it by using a combo of a HttpSessionListener and a Filter.
The HttpSessionListener keeps track of all logged-in sessions in a static Map. Note: not all sessions are logged-in, and ONLY logged-in sessions get a call to sessionDestroyed! (Or is that a bug in Glassfish 3.1.2.2?)
The Filter then fills in username.
Quite hairy. I can post code if anyone is interested.

Shouldn't there be a simpler way?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

If I needed to keep track of who is logged in I'd simply maintain a list in application scope. Add an entry for the user when they log in, and remove it when they log out. Watch for sessions to expire to know if a user times out rather than logs out.
Per Lindberg
Ranch Hand

Joined: Jan 17, 2008
Posts: 48
Keeping the Map that has the logged-in session ids and usernames in application scope is an interesting alternative to a static member of the HttpSessionListener, but does not buy much.

The main problem is to detect logins (and logouts/expired sessions). There seems to be no simple way of doing that.
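One way to get the login, logout and expiry callbacks Per is after, as an added example (not his code, and not the static-Map version he describes): a single listener class that treats the moment the login servlet binds the user attribute to the session as the login event, and sessionDestroyed (which the container fires both for invalidate() on logout and for idle timeout) as the logout event, keeping the registry in application scope as Bear suggests. Assumed: the attribute name "user" matching the login servlet, a value whose toString() is displayable (or store the username string directly), and the class registered with a <listener> element in web.xml. HttpSessionAttributeListener needs Servlet 2.4 or later.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Registry of logged-in sessions (session id -> display name) held in a ServletContext
 * attribute, so it is shared by the whole application without a static field.
 */
public class LoginRegistry
        implements ServletContextListener, HttpSessionAttributeListener, HttpSessionListener {

    static final String USER_ATTR = "user";              // must match the login servlet (assumed)
    static final String REGISTRY_ATTR = "loginRegistry"; // assumed application-scope attribute name

    @SuppressWarnings("unchecked")
    private static Map<String, String> registry(ServletContext ctx) {
        return (Map<String, String>) ctx.getAttribute(REGISTRY_ATTR);
    }

    public void contextInitialized(ServletContextEvent e) {
        e.getServletContext().setAttribute(REGISTRY_ATTR, new ConcurrentHashMap<String, String>());
    }

    public void contextDestroyed(ServletContextEvent e) {
        e.getServletContext().removeAttribute(REGISTRY_ATTR);
    }

    // Login: the user attribute being bound to a session. No container login callback needed.
    public void attributeAdded(HttpSessionBindingEvent e) {
        if (USER_ATTR.equals(e.getName())) {
            record(e.getSession(), e.getValue());
        }
    }

    // getValue() returns the OLD value for a replace, so read the new one from the session.
    public void attributeReplaced(HttpSessionBindingEvent e) {
        if (USER_ATTR.equals(e.getName())) {
            record(e.getSession(), e.getSession().getAttribute(USER_ATTR));
        }
    }

    // A logout that only unbinds the user without invalidating the session.
    public void attributeRemoved(HttpSessionBindingEvent e) {
        if (USER_ATTR.equals(e.getName())) {
            forget(e.getSession());
        }
    }

    public void sessionCreated(HttpSessionEvent e) {}

    // Fires for session.invalidate() on logout AND for container expiry on idle timeout.
    // Sessions that never logged in are simply not in the map, so removing is a no-op.
    public void sessionDestroyed(HttpSessionEvent e) {
        forget(e.getSession());
    }

    private static void record(HttpSession session, Object user) {
        Map<String, String> map = registry(session.getServletContext());
        if (map != null) map.put(session.getId(), String.valueOf(user));
    }

    private static void forget(HttpSession session) {
        Map<String, String> map = registry(session.getServletContext());
        if (map != null) map.remove(session.getId());
    }

    /** Read-only view for an admin page or the business layer: who is logged in right now. */
    public static Map<String, String> loggedInUsers(ServletContext ctx) {
        Map<String, String> map = registry(ctx);
        return map == null ? Collections.<String, String>emptyMap() : Collections.unmodifiableMap(map);
    }
}
```

The map is keyed by session id on purpose: the same username logged in from two browsers is two entries, and a timeout of one of them removes only that one. Treat the session ids in this registry as secrets like any other session id; expose only the user names, never the keys, on any page that lists who is online.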

margaret gillon
Ranch Hand

Joined: Nov 12, 2008
Posts: 277

Hi Bear,

As I use a front controller (see FrontMan link below) it's easy for me to control what prefixes all the URLs have, and to ignore prefixes that address resources that don't need authentication.


Can you explain specifically how you do this in Frontman?

Thank you.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60049

Use the command mappings to specify what the URLs to the command should be. Packages play a large role.