Authentication and Security: Session Handling
Joshua Scotton
Overview
◦ Sessions
◦ Login and Authentication
Sessions: Tracking the User
Tracking the User
Cookies
◦ Store a unique identifier in a cookie for the website
URL Rewriting
◦ Append a unique identifier to the end of each URL
Hidden Form Fields
◦ <INPUT TYPE="HIDDEN" NAME="session" VALUE="...">
Benefits
Customization
◦ Adaptive Content
◦ Adaptable Content
Security
◦ Restrict areas of the site based on user
◦ User login tracked using session
User Behaviour
◦ Track page accesses
User Information
◦ Store user settings and information
javax.servlet.http.HttpSession
getAttribute(), getAttributeNames(), setAttribute(), removeAttribute()
◦ These methods are used to set, get and remove objects from a user session
getId()
◦ Every session created by the server has a unique 'id' associated with it in order to identify this session from other sessions
getCreationTime()
◦ Simply returns a long value indicating the date and time this session was created
getLastAccessedTime()
◦ Returns a long value indicating the last time the user accessed any resource on this server
getMaxInactiveInterval(), setMaxInactiveInterval()
◦ Return and set the maximum inactive interval in seconds for this session, respectively
isNew()
◦ Returns a boolean value indicating if the session is new
invalidate()
◦ Simply invalidates a session. Can be used for logout
Sessions in Java
Most Java servers will use cookies if the browser supports them, but automatically revert to URL rewriting when cookies are unsupported or explicitly disabled.
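An added example, not part of the slides, that exercises the HttpSession methods listed above and shows which tracking mechanism (cookie or URL rewriting) the container has chosen for the current client. The servlet name and the 15-minute idle timeout are assumptions for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the slides: reports how the container is tracking
// this client's session and shortens the idle timeout on new sessions.
public class SessionInfoServlet extends HttpServlet {

    // Idle timeout in seconds; the value is an assumption for this example
    private static final int MAX_INACTIVE_SECONDS = 15 * 60;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The id the client sent, if any, and whether it still maps to a live session.
        // A stale id (expired, or a bookmarked ;jsessionid URL) is replaced by getSession(true)
        String requestedId = request.getRequestedSessionId();
        boolean staleId = requestedId != null && !request.isRequestedSessionIdValid();

        // getSession(true) returns the current session or creates a new one
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            session.setMaxInactiveInterval(MAX_INACTIVE_SECONDS);
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("session id        : " + session.getId());
        out.println("new session       : " + session.isNew());
        out.println("created (ms)      : " + session.getCreationTime());
        out.println("last accessed (ms): " + session.getLastAccessedTime());
        out.println("max inactive (s)  : " + session.getMaxInactiveInterval());
        // Which of the two mechanisms from the "Sessions in Java" slide is in use
        out.println("id from cookie    : " + request.isRequestedSessionIdFromCookie());
        out.println("id from URL       : " + request.isRequestedSessionIdFromURL());
        out.println("stale id replaced : " + staleId);
        // encodeURL appends ;jsessionid=... only when the container has fallen back
        // to URL rewriting, so links keep the session alive without cookies
        out.println("self link         : " + response.encodeURL(request.getRequestURI()));
        out.close();
    }
}
```

Requesting the servlet once with cookies enabled and once with them disabled shows the fallback described above: the id arrives via cookie in the first case and via the rewritten URL in the second.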
Counter Example
Sessions can be accessed and managed by both Servlets and JSPs. This can happen in combination, as in the following demo.
CounterBean
```java
package webdev.examples.sessions;

import java.io.Serializable;

// Session-scoped bean; Serializable lets the container persist or replicate the session
public class CounterBean implements Serializable {
    private Integer count;

    public CounterBean() {
        super();
        this.count = 0;
    }

    public Integer getCount() { return this.count; }

    public void setCount(Integer count) { this.count = count; }

    public void incrementCount() { this.count++; }
}
```
UpdateCounter.jsp
```jsp
<jsp:useBean id="counter" class="webdev.examples.sessions.CounterBean" scope="session"/>
<p>The counter was: <%= counter.getCount() %></p>
<% counter.incrementCount(); %>
<p>The counter is now: <%= counter.getCount() %></p>
```
UpdateCounter Servlet
```java
PrintWriter out = response.getWriter();
// getSession(true) returns the existing session or creates a new one
HttpSession session = request.getSession(true);
CounterBean counter = (CounterBean) session.getAttribute("counter");
// Test the attribute rather than session.isNew(): a session created earlier by
// another page is not new, yet may still lack the bean (NullPointerException otherwise)
if (counter == null) {
    counter = new CounterBean();
    session.setAttribute("counter", counter);
}
counter.incrementCount();
out.println("Counter now: " + counter.getCount());
out.close();
```
Login and Authentication: Allowing Persistent Storage
JSP and Servlet Authentication
1. A user accesses a protected page
2. If the user is authenticated and has permission to access the page then the resource is made available. Otherwise a login page is shown
3. If the name and password cannot be authenticated then an error is shown
Security Setup
◦ User/Group Database
◦ Access Control List (ACL)
◦ Login Page
Principals and Roles
A Principal is a named entity, commonly representing an individual or corporation. Principals can fill one or more Roles. Resources can be protected by associating them with Roles. Principals and Roles are similar to Users and Groups in Linux.
The ACL of Java: /WEB-INF/web.xml
```xml
<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Page</web-resource-name>
      <url-pattern>/secretPage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>employee</role-name>
  </security-role>
</web-app>
```
/WEB-INF/web.xml
More than one url-pattern can appear in the web-resource-collection, e.g. to protect a whole directory:
```xml
<url-pattern>/members/*</url-pattern>
```
HttpServletRequest Security Methods
Principal getUserPrincipal()
◦ Returns a reference to a java.security.Principal
boolean isUserInRole(String)
◦ Determines whether a user is in a role, specified by the string argument
String getRemoteUser()
◦ Returns the username that was used for login
ServletRequest Security Methods
String getAuthType()
◦ Returns the authentication type: BASIC, SSL, or null
boolean isSecure()
◦ Returns true if the connection is HTTPS
String getScheme()
◦ Scheme represents transport mechanism: http, https...
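An added example, not part of the slides, that uses the security methods from the two slides above to re-check the caller in code, as defence in depth behind the declarative security-constraint in web.xml. The "employee" role is the one from the web.xml slide; the servlet name and the log messages are assumptions for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the slides: programmatic checks behind the
// <security-constraint>; "employee" is the role from the web.xml slide,
// the servlet name is an assumption
public class EmployeeReportServlet extends HttpServlet {

    private static final String REQUIRED_ROLE = "employee";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // isSecure() is true only for HTTPS; refuse plain HTTP instead of redirecting,
        // so a missing transport constraint in web.xml is noticed rather than tolerated
        if (!request.isSecure()) {
            log("refused " + request.getScheme() + " request to " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // getUserPrincipal() is null when the container did not authenticate the caller,
        // e.g. because this path was left out of every <url-pattern>
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // isUserInRole() consults the realm's role list for the authenticated principal
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            log("denied " + request.getRemoteUser() + " (no " + REQUIRED_ROLE + " role)");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("principal : " + user.getName());
        out.println("user      : " + request.getRemoteUser()); // normally the same login name
        out.println("auth type : " + request.getAuthType());   // BASIC or FORM per login-config
        out.println("scheme    : " + request.getScheme());
        out.close();
    }
}
```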
Authentication Types
◦ Basic authentication
◦ Form-based authentication
◦ Digest authentication
◦ SSL and client certificate authentication
Authentication Type in /WEB-INF/web.xml
```xml
<web-app>
  ...
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Basic Authentication Example</realm-name>
  </login-config>
  ...
</web-app>
```
Realms
◦ A realm is a database of usernames and passwords
◦ It also contains a list of roles associated with each user
◦ Realms are specific to the server being used
Tomcat Realms
◦ JDBCRealm - Accesses authentication information stored in a relational database, accessed via a JDBC driver.
◦ DataSourceRealm - Accesses authentication information stored in a relational database, accessed via a named JNDI JDBC DataSource.
◦ JNDIRealm - Accesses authentication information stored in an LDAP based directory server, accessed via a JNDI provider.
◦ UserDatabaseRealm - Accesses authentication information stored in a UserDatabase JNDI resource, which is typically backed by an XML document (conf/tomcat-users.xml).
◦ MemoryRealm - Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (conf/tomcat-users.xml).
◦ JAASRealm - Accesses authentication information through the Java Authentication & Authorization Service (JAAS) framework.
Configuring a Realm
```xml
<Realm className="... class name for this implementation" ... other attributes for this implementation .../>
```
◦ Server-wide: conf/server.xml
◦ Per webapp: META-INF/context.xml
In-Memory Realm context.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Realm className="org.apache.catalina.realm.MemoryRealm" />
</Context>
```
Default Tomcat User List
$TOMCAT_HOME/conf/tomcat-users.xml
```xml
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
```
Example – members.jsp
◦ members.jsp
◦ web.xml
◦ context.xml
Example – logout.jsp
```jsp
<p>User '<%= request.getRemoteUser() %>' has been logged out.</p>
<% session.invalidate(); %>
```
Invalidating the session ends a FORM login; with BASIC authentication the browser keeps resending its cached credentials until it is closed, so the user is silently re-authenticated on the next request.
Form-based Authentication
1. The login form associated with the security constraint is sent to the client and the URL path triggering the authentication is stored by the container.
2. The user is asked to fill out the form, including the username and password fields.
3. The client posts the form back to the server.
4. The container attempts to authenticate the user using the information from the form.
5. If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200.
6. If authentication succeeds, the authenticated user's principal is checked to see if it is in an authorized role for accessing the resource.
7. If the user is authorized, the client is redirected to the resource using the stored URL path.
Form-based Authentication
Create a custom login page with the following form fields:
◦ j_username: the name of the username field
◦ j_password: the name of the password field
◦ j_security_check: the login form's action
```html
<form method='post' action='j_security_check'>
  <input type='text' name='j_username'>
  <input type='password' name='j_password'>
</form>
```
Form-based Auth in web.xml
```xml
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
```
Form Based Login Example
Storing Authentication Details in a Database
◦ Use a JDBC Database Realm
◦ Create a table of usernames and passwords
◦ Create a table of usernames and roles
◦ The column name for the username must be the same in both tables
org.apache.catalina.realm.JDBCRealm
Realm attributes:
◦ connectionName
◦ connectionPassword
◦ connectionURL
◦ driverName
◦ roleNameCol
◦ userCredCol
◦ userNameCol
◦ userRoleTable
◦ userTable
Reference: http://tomcat.apache.org/tomcat-3.3-doc/JDBCRealm-howto.html