Custom JDBC realm authentication

ahmed yehia
Ranch Hand

Joined: Apr 22, 2006
Posts: 424
I am having an issue doing a custom JDBC realm secure-login authentication, which the container-based implementation may not satisfy.
But I'm not very sure of the way to go.

The application is a JSF-based web app currently configured for container (Tomcat) declarative security.

1- Login and register forms in the index page should guarantee sufficient security in transmission.
*The index page should preferably not use HTTPS*, and I also need to digest passwords before authenticating against the DB.

2- Should still use container-based implementations in other cases throughout the application.

3- Maintain container-based declarative security.

4- Should handle a remember-me feature.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
Using HTTPS is largely independent of using authentication. The application will need to create appropriate absolute URLs with the desired protocol, though.

You can't really embed a login form within some other page when using container-managed security. The container will redirect to the login form if a protected resource is accessed and the user wasn't authenticated yet.

While it's possible to extend the Tomcat-provided realm implementations through subclassing, I'm not sure if that'd be sufficient to implement something like persistent login cookies; I suspect not. (Note that the JDBC realm already supports digested passwords.)

These various shortcomings are the reason many folks shy away from container-managed authentication and implement their own login modules instead. It's not that hard, and can be used over and over in other web apps later.


Ping & DNS - updated with new look and Ping home screen widget
ahmed yehia
Ranch Hand

Joined: Apr 22, 2006
Posts: 424
Ulf Dittmer wrote: Using HTTPS is largely independent of using authentication. The application will need to create appropriate absolute URLs with the desired protocol, though.

Could you please elaborate on this and on how HTTPS is independent of using authentication? I have seen many popular web sites, including our Ranch, that do not use HTTPS in their login window; it seems interesting. What could the other options be, though?

Also, I have searched the available security frameworks to see if any can satisfy my mentioned requirements, taking a high-level overview. Cocoon, for example.

Also, folks around talk about extending the container-managed authentication and doing their own, like you said.
This might be an option to go by. But it is still not a trivial matter to decide the way to go.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
Could you please elaborate on this and on how HTTPS is independent of using authentication?

Not sure what you're asking. You can use HTTPS with or without authentication. You can use authentication with or without HTTPS. The two don't really have anything to do with each other.

Cocoon for example.
Are you talking about the XML publishing framework? What does that have to do with any security aspects?

Also, folks around talk about extending the container-managed authentication and doing their own, like you said. This might be an option to go by. But it is still not a trivial matter to decide the way to go.

Personally, I've long since stopped using container-managed security. It's just not flexible and powerful enough for my purposes. My own login module does everything I need it to do, and does it exactly the way I want it done :-)

If you're interested in extending an existing realm implementation, check out this article I wrote for the JavaRanch Journal. It has an example of such a beast in the section "Integration with Tomcat Realms".
ahmed yehia
Ranch Hand

Joined: Apr 22, 2006
Posts: 424
You can use authentication with or without HTTPS. The two don't really have anything to do with each other.

What I want to know here is that if we don't use HTTPS to transmit user authentication info, then what other options are available for use in a web app.
Also, how much security can we obtain when using HTTPS or other methods, in order to achieve a robust security system, with the focus mostly on user authentication?

Cocoon for example.

That's the one I found: Authentication Framework

Interesting! Although the subject is mainly WS, it's useful. Thank you.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
What I want to know here is that if we don't use HTTPS to transmit user authentication info, then what other options are available for use in a web app.
Also, how much security can we obtain when using HTTPS or other methods, in order to achieve a robust security system, with the focus mostly on user authentication?

HTTPS is used for encrypted web traffic, not for authentication. For authentication you have BASIC, DIGEST, FORM and CERTIFICATE. But those have nothing to do with HTTPS.

Whether web traffic needs to be encrypted, or whether it needs to be authenticated, are two unrelated questions, with unrelated solutions.
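As an added illustration of the two points Ulf makes above (the container forwards to its own login form and the JDBC realm can compare digested passwords; HTTPS is configured separately from the authentication method), here is a Tomcat configuration that is not from the thread or from the Tomcat documentation. The database driver, connection URL, table and column names, roles and page names are all assumptions for the example.

```xml
<!-- server.xml: a JDBCRealm nested in <Engine> or <Host>. Stored credentials
     are the hex SHA-256 digest of the password (create them with
     $CATALINA_HOME/bin/digest.sh -a SHA-256 <password>). Driver, URL,
     account and table/column names are assumed for this example. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://localhost:5432/appdb"
       connectionName="app_realm"
       connectionPassword="CHANGE_ME"
       userTable="users"      userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA-256"/>

<!-- web.xml: FORM login against the realm above. The transport guarantee
     is a separate constraint element: CONFIDENTIAL makes Tomcat redirect
     plain HTTP requests for /secure/* to HTTPS. The public index page is
     not covered, so it stays on plain HTTP as the original post wanted. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Members area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Members area</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- login.jsp: the container forwards here on the same (HTTPS) connection
     that requested the protected page, so the credentials posted to
     j_security_check travel encrypted even though the form is not embedded
     in the index page. Field and action names are fixed by the servlet spec. -->
<form method="post" action="j_security_check">
  <input type="text"     name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit"   value="Log in"/>
</form>
```

Tomcat's digest attribute applies to the realm as a whole; on Tomcat 8 and later the digest setting has moved to a nested CredentialHandler element, so check the version's realm documentation before copying the attribute.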
ahmed yehia
Ranch Hand

Joined: Apr 22, 2006
Posts: 424
HTTPS is used for encrypted web traffic, not for authentication. For authentication you have BASIC, DIGEST, FORM and CERTIFICATE.

Per my understanding, HTTPS is used to protect data in transmission, and form-based authentication, which is widely used all across the internet, has the least security features (i.e. no data encryption), hence web traffic is exposed to vulnerability.

What I want to know is that if we use HTTPS for login forms, would that be sufficient to grant security? I suspect it's not always the case.
And if we don't use HTTPS, what could the alternatives be to achieve that goal?

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
It doesn't make sense to say "authentication has the least security features" - it solves part of the security problem. HTTPS solves a different part.

And no, using HTTPS by itself does not make a form secure. There are any number of ways in which the form could still be insecure (think about XSS or SQL-injection attacks).

It all depends on what you're trying to guard against. There are scenarios in which HTTPS wouldn't be as useful as other security measures, and there are scenarios in which it would be indispensable.

So before thinking about what security measures to put in place, you need to think about what you're trying to protect, and which kinds of attacks you're trying to guard against. An analysis of the risks the application faces, and the potential cost of those risks would be part of that.
ahmed yehia
Ranch Hand

Joined: Apr 22, 2006
Posts: 424
Thank you, Ulf.