ݺߣ

ݺߣShare a Scribd company logo

Lecture18

Download as PPT, PDF
C
Châu Thanh Chương

The document discusses user authentication and security roles in server-side web programming. It describes restricting access to web resources based on user roles, such as allowing only instructors to create online quizzes. User roles can be defined and mapped to specific resources. Authentication can be implemented using Tomcat's role-based authentication or by defining users and roles in a database. Basic and form-based authentication methods are also summarized.

1 of 17
Download to read offline
Server-side Web Programming Lecture 18: User Authentication and Security Roles
Restricting Access to Web Resources May only want some users to be able to access certain pages Example: Course web site Course Syllabus View Current Grade Take Online Quiz Set Grades Create Online Quiz Students registered for course Anyone Instructor
Security Roles and Resources Define what types of users have access to what types of resources Note that roles may overlap Some roles may have access to multiple resources Add to inventory Change prices in inventory View salaries Change salaries Inventory Role HR Role Manager Role View inventory
Security Roles and Users Users have roles Controls what resources and individual user has access to A user may have multiple roles Manager Burns Inventory, HR Smithers HR Marge Inventory Homer Role(s) User
User Identification Password-based in Tomcat Not most secure method! Tomcat Resource Request for resource Response prompts for username and password Request contains username, password Sent as response if correct Error page sent as response if incorrect
Defining Roles in Tomcat In web.xml file of application First define roles
Defining Roles in Tomcat Define resources those roles have access to Simplest method: Create subdirectory off of main application directory Use a url pattern of the form / subdirectory /* to define secure areas /employee/* /manager/* Files in here only accessible by employee role Files in here only accessible by manager role
Defining Roles in Tomcat <security-constraint> tag <web-resource-collection> tag defines what directories are restricted <auth-constraint> tag defines which roles have access Files in this subdirectory May only be accessed by users in these roles
Defining User Roles in Tomcat For each user: Username and password Role(s) they assume Where can they be stored? tomcat-users.xml file in conf directory Simple to implement Difficult to manage if have thousands of users in dozens of roles Separate database
User Roles in tomcat-users.xml In tomcat-users.xml file: Define roles with <role> tag Define users with <user> tag Username, password, and roles defined Roles can be list
Defining User Roles in a Database Must provide information about database in context.xml Subdirectory of META-INF in application directory Add tag of form: <Realm className=“org.apache.catalina.realm.JDBCRealm” driverName=“com.mysql.jdbc.Driver” connectionURL=“jdbc:mysql://localhost:8080/users” connectionName=“root” connectionPassword=“sesame” userTable=“Passwords” userRoleTable=“Roles” userNameCol=“Name” userCredCol=“Password” roleNameCol=“Role” /> Driver name URL and name of database Name and password to access database Name of tables with passwords and roles Field names: Password table uses userNameCol, userCredCol Roles table uses userNameCol, roleNameCOl
Defining User Roles in a Database Form of database tables: Passwords Roles donut Homer excellent Burns Password Name employee Homer manager Burns Role Name
Types of Authentication BASIC Password prompt generated automatically FORM Can define own prompt and error pages
BASIC Authentication Add <login-config> tag to web.xml Will continue to prompt as long as login incorrect
FORM Authentication Must specify login page and error page
FORM Authentication ACTION of login form must be j_security_check Must use specific field names in login form Name field must be j_username Password field must be j_password
FORM Authentication

More Related Content

Lecture18

  • 1. Server-side Web Programming Lecture 18: User Authentication and Security Roles
  • 2. Restricting Access to Web Resources May only want some users to be able to access certain pages Example: Course web site Course Syllabus View Current Grade Take Online Quiz Set Grades Create Online Quiz Students registered for course Anyone Instructor
  • 3. Security Roles and Resources Define what types of users have access to what types of resources Note that roles may overlap Some roles may have access to multiple resources Add to inventory Change prices in inventory View salaries Change salaries Inventory Role HR Role Manager Role View inventory
  • 4. Security Roles and Users Users have roles Controls what resources and individual user has access to A user may have multiple roles Manager Burns Inventory, HR Smithers HR Marge Inventory Homer Role(s) User
  • 5. User Identification Password-based in Tomcat Not most secure method! Tomcat Resource Request for resource Response prompts for username and password Request contains username, password Sent as response if correct Error page sent as response if incorrect
  • 6. Defining Roles in Tomcat In web.xml file of application First define roles
  • 7. Defining Roles in Tomcat Define resources those roles have access to Simplest method: Create subdirectory off of main application directory Use a url pattern of the form / subdirectory /* to define secure areas /employee/* /manager/* Files in here only accessible by employee role Files in here only accessible by manager role
  • 8. Defining Roles in Tomcat <security-constraint> tag <web-resource-collection> tag defines what directories are restricted <auth-constraint> tag defines which roles have access Files in this subdirectory May only be accessed by users in these roles
  • 9. Defining User Roles in Tomcat For each user: Username and password Role(s) they assume Where can they be stored? tomcat-users.xml file in conf directory Simple to implement Difficult to manage if have thousands of users in dozens of roles Separate database
  • 10. User Roles in tomcat-users.xml In tomcat-users.xml file: Define roles with <role> tag Define users with <user> tag Username, password, and roles defined Roles can be list
  • 11. Defining User Roles in a Database Must provide information about database in context.xml Subdirectory of META-INF in application directory Add tag of form: <Realm className=“org.apache.catalina.realm.JDBCRealm” driverName=“com.mysql.jdbc.Driver” connectionURL=“jdbc:mysql://localhost:8080/users” connectionName=“root” connectionPassword=“sesame” userTable=“Passwords” userRoleTable=“Roles” userNameCol=“Name” userCredCol=“Password” roleNameCol=“Role” /> Driver name URL and name of database Name and password to access database Name of tables with passwords and roles Field names: Password table uses userNameCol, userCredCol Roles table uses userNameCol, roleNameCOl
  • 12. Defining User Roles in a Database Form of database tables: Passwords Roles donut Homer excellent Burns Password Name employee Homer manager Burns Role Name
  • 13. Types of Authentication BASIC Password prompt generated automatically FORM Can define own prompt and error pages
  • 14. BASIC Authentication Add <login-config> tag to web.xml Will continue to prompt as long as login incorrect
  • 15. FORM Authentication Must specify login page and error page
  • 16. FORM Authentication ACTION of login form must be j_security_check Must use specific field names in login form Name field must be j_username Password field must be j_password