Login Authentication with tomcat

Ranch Hand
Posts: 76
I know there is a j_security_check that prevents unauthorised users from accessing pages if they have not logged in, but that may not be secure enough, as the username and password are stored in tomcat-users.xml.

Also, there is a Realm that can authenticate based on a JDBC MySQL database, but the username and password for the MySQL database are also stored in an .xml file.
May I know if there is a more secure way of authentication, or is there any way I can prevent the password and username being stored in plaintext in an XML file?

cle tan
Ranch Hand
Posts: 76
I wanted to ask if Tomcat is secure, as the database username and password are located in META-INF/context.xml.


Saloon Keeper
Posts: 27763
"j_security_check" is a special FORM action value that instructs the built-in login processor that the form in question contains the login credential values j_username/j_password. It is not a URL, so you cannot invoke it directly. It only works on pages that were posted out by the J2EE security services in response to a request for a security-controlled resource.

The actual security authentication and validation is managed by plug-in modules known as Realms. There are quite a number of pre-supplied Realms, plus you can write your own if you need something different. Some Realms use databases as their reference data sources. Some use LDAP directories. Only a very small number of them use the tomcat conf/tomcat-users.xml file, and those Realms are generally used for testing, not real-world applications.

The built-in security system used by Tomcat is part of the J2EE container-managed security spec. It was designed by security professionals employing best practices, and if there has ever been an incidence where it has been defeated, I have not heard of it.

It sounds like you may be concerned about the fact that the credentials for the JDBC realm's login to its reference database are plain-text. This isn't as big a problem as it seems, since the access rights for the login process user can be made to be very minimal and the actual account passwords in the database can be stored in encrypted form (and should be). I hope that META-INF and its subdirectories are invisible to access via HTTP request just like WEB-INF is, although I'd never considered the fact and haven't read any specs that definitely say so. In any event, the way to ensure true security against possible access to the Realm definition is to provide an external Context definition to Tomcat itself. That Context will override the META-INF/context.xml.

Also, one additional bit of comfort: external web users should not be able to access the password database directly via stolen credentials because the database jdbc ports should be firewalled from the outside world.

The most critical thing you can address is the overall security of the server machines themselves. Tomcat is pretty much proof against a direct attack, but if someone can gain a foothold into one of the server machines, then you're pretty much already plundered, Tomcat or not.

cle tan
Ranch Hand
Posts: 76
It looks like the best bet for authentication with Tomcat is using a Realm.

What do you mean that Realms are just for testing applications, and not real-life applications?

Tim Holloway
Saloon Keeper
Posts: 27763
The nice thing about Realms is that they are completely plug-compatible. The MemoryRealm was the original Realm that used the tomcat-users.xml file. It suffered from the limitation that new/updated accounts could only be seen by stopping and restarting Tomcat. Changes made while Tomcat was running would not be picked up. There are 1 or 2 newer Realms that extend the concept and are a little more flexible, but they all have the fundamental constraint that in order to update them a security administrator needs to have local filesystem access rights to tomcat-users.xml. That's fine for testing where the developer is running Tomcat directly, but in the Enterprise, it's usually more convenient and more secure to keep that sort of data in a database or LDAP/Active Directory server.

cle tan
Ranch Hand
Posts: 76
I wanted to ask: are there any login administrator templates in Spring Eclipse (Spring or Spring Roo; I heard there is one)?
I do not want to create a login page from scratch if there are templates around; templates like ASP.NET web forms would be useful for me.

Tim Holloway
Saloon Keeper
Posts: 27763
A J2EE container login page is an HTML or JSP page containing a FORM whose action is j_security_check with 2 input text fields (j_username and j_password) plus a SUBMIT.

That's about all I put on my login pages other than a "Login Please" h1 caption element. I don't want to make the page to look friendly to unauthorized personnel and it's not really safe to put anything distracting on a login page anyway. Any CSS or images on the page are generally recycled from the rest of my website.
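The login page Tim describes, together with the web.xml entries that make Tomcat serve it, as an added example that is not code from the original post. The page is written as well-formed XHTML so the whole example is XML; the `/secure/*` URL pattern, the `user` role name and the page file names are made up for the illustration, while the `j_security_check`, `j_username` and `j_password` names are fixed by the servlet spec.

```xml
<!-- File 1 (constructed example): WEB-INF/web.xml -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Everything under /secure/ requires an authenticated user in the "user" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Require HTTPS so j_username/j_password are never posted in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM auth: the container redirects unauthenticated requests to login.html
       and processes the post to j_security_check itself; no servlet code is involved. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- File 2 (constructed example): login.html, served from the webapp root -->
<html xmlns="http://www.w3.org/1999/xhtml">
  <head><title>Login</title></head>
  <body>
    <h1>Login Please</h1>
    <!-- The action must be exactly j_security_check and the field names exactly
         j_username and j_password; the container reads nothing else from the form. -->
    <form method="post" action="j_security_check">
      <label>Username <input type="text" name="j_username" autocomplete="username"/></label>
      <label>Password <input type="password" name="j_password" autocomplete="current-password"/></label>
      <input type="submit" value="Login"/>
    </form>
  </body>
</html>
```

A request for any URL under `/secure/` from a session that has not logged in is answered with login.html; on a successful post the container replays the original request, and on a failed one it serves login-error.html. Requesting j_security_check directly, outside that flow, does not log anyone in, which is the point Tim makes above about it not being a URL.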

cle tan
Ranch Hand
Posts: 76
I want to ask: is it possible to apply Realm j_security_check authentication to only one webapp?

Tim Holloway
Saloon Keeper
Posts: 27763

cle tan wrote: I want to ask: is it possible to apply Realm j_security_check authentication to only one webapp?

Yes. You can define a Realm at both the Host and Context levels, and the Context-level Realm overrides the Host-level Realm. Since a Context is what defines a single webapp instance, a Realm definition on the Context will manage security only for that webapp instance.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
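Tim's two points above, that the Realm for a webapp can be defined on the Context rather than on the Host, and that the Context can live outside the WAR as an external definition that overrides META-INF/context.xml, combined in one added example that is not configuration from the original thread. It assumes Tomcat 8 or later (for `maxTotal` and the `CredentialHandler` element); the table and column names, the JDBC URL, the application name `myapp` and the database account are made up, while the Realm and CredentialHandler class names are Tomcat's own.

```xml
<!-- Constructed example: $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
     An external Context file like this overrides META-INF/context.xml inside
     myapp.war, so the database credentials never ship with the webapp. -->
<Context>

  <!-- The DataSource account ("authreader") only needs SELECT on the two
       auth tables; it is not an account end users log in with. -->
  <Resource name="jdbc/AuthDB"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://db.internal:3306/authdb"
            username="authreader"
            password="PLACEHOLDER-set-real-password-here"
            maxTotal="10" />

  <!-- A Realm on the Context applies to this webapp only and overrides any
       Realm configured on the Host or Engine in server.xml. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/AuthDB"
         localDataSource="true"
         userTable="users"
         userNameCol="username"
         userCredCol="password_hash"
         userRoleTable="user_roles"
         roleNameCol="role">
    <!-- Stored credentials are salted, iterated hashes rather than plain text:
         Tomcat hashes the submitted j_password the same way and compares. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"
                       iterations="100000"
                       saltLength="16" />
  </Realm>
</Context>
```

The stored form of a password for this handler is produced with Tomcat's own tool, `bin/digest.sh -a SHA-256 -i 100000 -s 16 <password>`, and the value it prints goes in the `password_hash` column. Because the Realm sits on the Context, other webapps on the same Host keep whatever Realm the Host or Engine defines.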