Login Authentication with tomcat

cle tan
Ranch Hand

Joined: Jun 11, 2012
Posts: 68
I know there is a j_security_check that prevents unauthorised users from accessing resources if they have not logged in, but that may not be secure enough, as the username and password are stored in tomcat-users.xml.

Also, there is a realm that can authenticate against a JDBC MySQL database, but the username and password for the MySQL database are also stored in an .xml file.
May I know if there is a more secure way of authentication, or is there any way I can prevent the username and password from being stored in plaintext in an XML file?
cle tan
Ranch Hand

Joined: Jun 11, 2012
Posts: 68
I wanted to ask if Tomcat is secure, as the database username and password are located in META-INF -> context.xml.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16070
"j_security_check" is a special FORM value that instructs the built-in login processor that the form in question contains the login credential values j_username/j_password. It is not a URL, so you cannot invoke it directly. It only works on pages that were posted out by the J2EE security services in response to a request for a security-controlled resource.

The actual security authentication and validation is managed by plug-in modules known as Realms. There are quite a number of pre-supplied Realms, plus you can write your own if you need something different. Some Realms use databases as their reference data sources. Some use LDAP directories. Only a very small number of them use the tomcat conf/tomcat-users.xml file, and those Realms are generally used for testing, not real-world applications.

The built-in security system used by Tomcat is part of the J2EE container-managed security spec. It was designed by security professionals employing best practices, and if there has ever been an incidence where it has been defeated, I have not heard of it.

It sounds like you may be concerned about the fact that the credentials for the JDBC realm's login to its reference database are plain-text. This isn't as big a problem as it seems, since the access rights for the login process user can be made to be very minimal and the actual account passwords in the database can be stored in encrypted form (and should be). I hope that META-INF and its subdirectories are invisible to access via HTTP request just like WEB-INF is, although I'd never considered the fact and haven't read any specs that definitely say so. In any event, the way to ensure true security against possible access to the Realm definition is to provide an external Context definition to Tomcat itself. That Context will override the META-INF/context.xml.

Also, one additional bit of comfort: external web users should not be able to access the password database directly via stolen credentials because the database jdbc ports should be firewalled from the outside world.

The most critical thing you can address is the overall security of the server machines themselves. Tomcat is pretty much proof against a direct attack, but if someone can gain a foothold into one of the server machines, then you're pretty much already plundered, Tomcat or not.


Customer surveys are for companies who didn't pay proper attention to begin with.
cle tan
Ranch Hand

Joined: Jun 11, 2012
Posts: 68
Looks like the best bet for authentication with Tomcat is using a Realm.

What do you mean that Realms are just for testing applications and not real-life applications?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16070
The nice thing about Realms is that they are completely plug-compatible. The MemoryRealm was the original Realm that used the tomcat-users.xml file. It suffered from the limitation that new/updated accounts could only be seen by stopping and restarting Tomcat. Changes made while Tomcat was running would not be picked up. There are 1 or 2 newer Realms that extend the concept and are a little more flexible, but they all have the fundamental constraint that in order to update them a security administrator needs to have local filesystem access rights to tomcat-users.xml. That's fine for testing where the developer is running Tomcat directly, but in the Enterprise, it's usually more convenient and more secure to keep that sort of data in a database or LDAP/Active Directory server.
cle tan
Ranch Hand

Joined: Jun 11, 2012
Posts: 68
I wanted to ask whether there are any login administrator templates in Spring Eclipse (Spring or Spring Roo; I heard there is one).
I do not want to create a login page from scratch if there are templates around; something like ASP.NET web forms templates would be useful for me.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16070
A J2EE container login page is an HTML or JSP page containing a FORM whose action is j_security_check with 2 input text fields (j_username and j_password) plus a SUBMIT.

That's about all I put on my login pages other than a "Login Please" h1 caption element. I don't want to make the page to look friendly to unauthorized personnel and it's not really safe to put anything distracting on a login page anyway. Any CSS or images on the page are generally recycled from the rest of my website.
cle tan
Ranch Hand

Joined: Jun 11, 2012
Posts: 68
I want to ask: is it possible to apply Realm j_security_check authentication to only one webapp?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16070
cle tan wrote: I want to ask: is it possible to apply Realm j_security_check authentication to only one webapp?

Yes. You can define a Realm at both the Host and Context levels, and the Context-level Realm overrides the Host-level Realm. Since a Context is what defines a single webapp instance, a Realm definition on the Context will manage security only for that webapp instance.
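A per-webapp Context definition of the kind described above, as an added example (not from the thread). It also shows the two mitigations from the earlier reply: a minimal-privilege database account for the Realm's lookups, and hashed rather than plaintext account passwords. The webapp name "myapp", table and column names, and the DB account are constructed; Tomcat 8 or later is assumed for the CredentialHandler element.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE/conf/Catalina/localhost/myapp.xml: an external Context
     for the webapp "myapp". Living outside the WAR, it overrides the
     META-INF/context.xml shipped inside the application, and a Realm defined
     here applies only to this Context, not to the whole Host. -->
<Context>

  <!-- Lookup database for accounts and roles. The DB account "tomcat_auth"
       (constructed) should hold SELECT on the two tables below and nothing
       else, so the stored credentials are of little use if this file leaks. -->
  <Resource name="jdbc/authority"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://127.0.0.1:3306/authority"
            username="tomcat_auth"
            password="REPLACE_WITH_DB_PASSWORD"/>

  <!-- LockOutRealm wraps the real Realm and locks an account after repeated
       failed logins, which blunts online password guessing. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">

    <!-- DataSourceRealm reads the Context-local Resource declared above. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/authority"
           localDataSource="true"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name">

      <!-- user_pass holds salted, iterated PBKDF2 hashes, never plaintext;
           the Realm hashes the submitted j_password the same way to compare. -->
      <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                         algorithm="PBKDF2WithHmacSHA512"
                         iterations="100000"
                         keyLength="256"
                         saltLength="16"/>
    </Realm>
  </Realm>
</Context>
```

The stored hash for each account is produced with Tomcat's own digest script, e.g. `bin/digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 -h org.apache.catalina.realm.SecretKeyCredentialHandler <password>`, and the resulting string is what goes into user_pass.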