Tips on form-based authentication

Viv Singh
Ranch Hand

Joined: Nov 08, 2008
Posts: 73
Hi,

I have the following scenario (requirement in the specification).

I have implemented a web interface to create a new user in the system. Now each user can have different roles which can be selected by HTML checkboxes.
The fact is that each role (checkbox) specifies which jsp pages in the system can be accessed.
E.g. if the checkbox with the role "0" is selected the user can "view" the tools.jsp and tools2.jsp pages.
If the checkbox with the role "1" is selected then the user can "view" users.jsp.
If both checkboxes "0" and "1" are selected then the authenticated user can view tools.jsp, tools2.jsp and users.jsp.

In my database I have a users table which is used to retrieve the role. I only have 1 column in the database for the role.
What is the best way to implement this scenario?
Shall I assign different role names for each possible value e.g. checkbox1 selected and checkbox2 unselected = 0, checkbox1 unselected and checkbox2 selected = 1, checkbox1 unselected and checkbox2 unselected = 2, etc.?

Thanks for any advice and help.
Vivek Murugesan
Greenhorn

Joined: Apr 09, 2009
Posts: 9

From your scenario, you can have two roles, and in the JSPs you can validate.
You can also create 3 different roles, but later, in case you modify the roles of the user, you'll have to update the tables.

So solution 1 should be simpler.
Dawn Charangat
Ranch Hand

Joined: Apr 26, 2007
Posts: 249
Hey there... I guess maybe the binary system can come to your rescue.
You said you have 3 check boxes, right? And a single field in the database table to store the value...
How about this ->

000 - 0
001 - 1
010 - 2
011 - 3
100 - 4

...and so on.....

Dawn
Viv Singh
Ranch Hand

Joined: Nov 08, 2008
Posts: 73
I solved it using the "binary system".

I have a question about the security configuration in the web.xml now:

The system contains 8 roles (2^3) as I have three "types" of resources.

000 - Role: 0
001 - Role: 1
010 - Role: 2
011 - Role: 3
100 - Role: 4
101 - Role: 5
110 - Role: 6
111 - Role: 7

Now I did the following in the web.xml:



(This does not show all the pages, just a part of it).

E.g. the user with the roles either 4 or 5 or 6 or 7: should be able to see/access the following:
portal/index.jsp, portal/logout.jsp, portal/page1.jsp, portal/page2.jsp and portal/page3.jsp

Is this the correct way of implementing the security, or do I have to specify the constraint of each type of role separately?

Thanks in advance.
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

Personally, I have always hated the binary solution to solve problems like this. Mostly because of maintenance issues. Let's say a new role gets added, let's say you get a new developer and you are no longer there. They now have to go and try and figure out what was done.

Also, having individual names for each role is so much easier to understand and therefore maintain.

Maintenance is the #1 most expensive part of software development, so anytime you can use a simpler, cleaner solution the better.

My 2 cents.

Mark


Viv Singh
Ranch Hand

Joined: Nov 08, 2008
Posts: 73
Mark Spritzler wrote: Personally, I have always hated the binary solution to solve problems like this. Mostly because of maintenance issues. Let's say a new role gets added, let's say you get a new developer and you are no longer there. They now have to go and try and figure out what was done.

Also, having individual names for each role is so much easier to understand and therefore maintain.

Maintenance is the #1 most expensive part of software development, so anytime you can use a simpler, cleaner solution the better.

My 2 cents.

Mark


Thanks. Could you suggest any other solution?
Viv Singh
Ranch Hand

Joined: Nov 08, 2008
Posts: 73
I am having a problem with specifying the security controls:

I have 6 roles in the system 1,2,3,...6.

index.jsp and logout.jsp should be accessible for all roles.
Whereas other resources are restricted.

I did the following:



However, this is not working. E.g. if I have a user with the role 7 and I try to access users.jsp I get the 405 error.

Any help will be appreciated.
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

Well, I use Spring MVC and Spring Security, so I just have roles with more descriptive names, and then I just have a configuration file that defines my security on pages, so I can put in a URL in the configuration and say that you must have any one of a comma-separated list of roles.

You can check out the Security documentation at www.springframework.org

Mark
Viv Singh
Ranch Hand

Joined: Nov 08, 2008
Posts: 73
Hi,

I won't be able to use the Spring framework.

Am I doing something wrong in my web.xml where I define the security rules?

E.g. If the user with the role 7 tries to access porta/users.jsp I get the 403 (HTTP Status 403 - Access to the requested resource has been denied) error but if the user with the role 7 tries to access statistics.jsp it works perfectly fine.

Any help or suggestions will be appreciated.
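
The named-role alternative raised in the thread, written as a `web.xml` fragment. This is an added example, not part of any post and not a reconstruction of the configuration missing from the posts above. The role names `tools` and `users`, the `/portal/` prefix on the tools pages and the login page paths are assumptions; it also assumes the login module returns one role per ticked checkbox, so a user with both boxes ticked holds both roles.

```xml
<!-- Added example. Role names, /portal/ prefix and login pages are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Pages for every logged-in user: list every role.
       No <http-method> element, so all HTTP methods are covered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>common</web-resource-name>
      <url-pattern>/portal/index.jsp</url-pattern>
      <url-pattern>/portal/logout.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tools</role-name>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Checkbox "0" grants the tools role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tools pages</web-resource-name>
      <url-pattern>/portal/tools.jsp</url-pattern>
      <url-pattern>/portal/tools2.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tools</role-name></auth-constraint>
  </security-constraint>

  <!-- Checkbox "1" grants the users role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user pages</web-resource-name>
      <url-pattern>/portal/users.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role used above must be declared. -->
  <security-role><role-name>tools</role-name></security-role>
  <security-role><role-name>users</role-name></security-role>
</web-app>
```

An `<auth-constraint>` is satisfied by any one of its listed roles, so a user who holds both roles reaches all five pages without a combined role per checkbox combination.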
 