Using realm password for db authentication

 
Ranch Hand
Posts: 384
Hello all,

I would like to use a password provided by the basic (UserDatabaseRealm) authentication and use it further on for database/JDBC authentication.

Is that possible? I was not able to find any getUserPassword in the servlet API...

Any suggestion?

Thanks in advance,

Julien.
 
Rancher
Posts: 43081
77
UserDatabaseRealm looks up users in a file, not a database; use JDBCRealm or DataSourceRealm instead.

There is no need to retrieve the password in the web app, because the container handles all that (so it's actually a security precaution to not spread the password any further than necessary). The methods a web app would use to find out about an authenticated user are in HttpServletRequest: isUserInRole, getRemoteUser and getUserPrincipal.
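As an added illustration of the three HttpServletRequest methods just mentioned (this is example code written for this thread, not code from the original poster or from Tomcat), here is a servlet that reads the identity the container established and passes only that identity downstream. The role name "manager" and the servlet class are assumptions; the password never appears in application code at all.

```java
// Added example: consume the container-authenticated identity in a servlet.
// Assumes the URL is covered by a <security-constraint> in web.xml and that a
// realm (JDBCRealm, DataSourceRealm, ...) has already checked the password.
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Both return null when the container did not authenticate this request
        // (for example, a URL outside every security constraint), so check them
        // rather than trusting that authentication happened.
        String remoteUser = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        if (remoteUser == null || principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The role check is answered by the realm, so the application never
        // needs the credential itself. "manager" is an assumed role name.
        boolean isManager = req.isUserInRole("manager");

        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + principal.getName()
                + " manager=" + isManager);
        // Anything that talks to the database receives remoteUser (for scoping
        // and auditing), not a password: the database connection itself uses
        // the application's own account configured in the container.
    }
}
```

Register the servlet under a URL pattern that is inside a security constraint; if the check at the top fires, the deployment descriptor is wrong, not the realm.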
 
Julien Martin
Ranch Hand
Posts: 384
Hi Ulf,

My fault: I was not clear in my previous post.

I actually mean to use the retrieved user credentials for further authentication against a database (here using Hibernate).

1. The user logs in using the web container mechanism.
2. I use his password for hibernate authentication.

Do you see what I mean?

Julien.
 
Ulf Dittmer
Rancher
Posts: 43081
77
So you're using the same username/password combinations both for the web server and the database server? I would recommend against that. Web passwords can get snooped, or be written down and read by unauthorized persons, and thus compromised. In that case, you don't want your database to be compromised, too.

What's more, Hibernate expects a single database username/password when creating a SessionFactory. So unless you are using a separate SessionFactory for each user (which would be rather unusual), this isn't really going to work.
 
Julien Martin
Ranch Hand
Posts: 384

So you're using the same username/password combinations both for the web server and the database server?


I am indeed. It is part of my company's SSO policy.

Do you think I have to perform a second authentication against our ldap directory?

What architecture do you suggest?

Julien.
 
Ulf Dittmer
Rancher
Posts: 43081
77

Originally posted by Julien Martin:
Do you think I have to perform a second authentication against our ldap directory?



No. But generally, a single (or maybe very few) database account(s) can be used for all user activities. Once the user is authenticated in the web tier, it shouldn't be necessary to carry on the credentials further into the database tier. That makes it actually less secure, because a compromised web login means a compromised database login, which is often a more serious problem.

Note that I said "generally", because there may be circumstances where you need to have a database account for each user. Is that the case here? It would be kind of a pain to keep those in synch, though.

As far as Hibernate is concerned, you will need a separate SessionFactory for each database account.
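To make the recommended architecture concrete, here is an added example (not code from this thread or from Hibernate) of the "single database account for all users" design: one SessionFactory built from hibernate.cfg.xml, and the container-authenticated username passed in only to scope queries and stamp audit columns. The Order entity, its owner and createdBy properties, and the Hibernate 5.2+ API (Session as AutoCloseable, typed createQuery) are assumptions.

```java
// Added example: one shared application account, identity used for scoping only.
// Assumes hibernate.cfg.xml holds hibernate.connection.username/password for the
// application account and maps the assumed Order entity below.
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.Id;

import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import org.hibernate.cfg.Configuration;

@Entity
class Order {                       // assumed entity for the example
    @Id private Long id;
    private String owner;           // username the order belongs to
    private String createdBy;       // audit column, set from the web identity
    private String description;

    // getters/setters omitted except the ones the repository needs
    public String getOwner() { return owner; }
    public void setOwner(String owner) { this.owner = owner; }
    public void setCreatedBy(String createdBy) { this.createdBy = createdBy; }
    public void setDescription(String description) { this.description = description; }
}

public final class OrderRepository {

    // Built once per application. The only credential that ever reaches the
    // database is the application account in hibernate.cfg.xml, so a snooped
    // web password cannot be replayed against the database.
    private static final SessionFactory SESSION_FACTORY =
            new Configuration().configure().buildSessionFactory();

    private OrderRepository() {}

    private static String requireUser(String remoteUser) {
        // The caller passes HttpServletRequest.getRemoteUser(); a null here means
        // the request was never authenticated by the container.
        if (remoteUser == null || remoteUser.isEmpty()) {
            throw new IllegalStateException("request was not authenticated by the container");
        }
        return remoteUser;
    }

    /** Orders visible to the authenticated user: row filtering happens in the
     *  application, not through per-user database logins. */
    public static List<Order> findOrdersFor(String remoteUser) {
        String user = requireUser(remoteUser);
        try (Session session = SESSION_FACTORY.openSession()) {
            return session.createQuery(
                            "from Order o where o.owner = :owner", Order.class)
                          .setParameter("owner", user)
                          .list();
        }
    }

    /** Writes carry the web identity as an audit value; the database still sees
     *  only the shared application account. */
    public static void createOrder(String remoteUser, String description) {
        String user = requireUser(remoteUser);
        try (Session session = SESSION_FACTORY.openSession()) {
            Transaction tx = session.beginTransaction();
            Order order = new Order();
            order.setOwner(user);
            order.setCreatedBy(user);
            order.setDescription(description);
            session.save(order);
            tx.commit();
        }
    }
}
```

If a per-user database account really is required, the per-account SessionFactory mentioned above is the only way Hibernate can do it, and each factory would then have to be built and disposed of per user, which is why the shared-account design is the usual one.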
 
Julien Martin
Ranch Hand
Posts: 384
Thanks a lot for your detailed reply!
All the best,
Julien.
 