Re: More JDBCRealm Questions

2002-07-23 Thread @Basebeans.com

Subject: Re: More JDBCRealm Questions
From: "Vic C." <[EMAIL PROTECTED]>


Soefara Redzuan wrote:
> 
> I have set up a JDBCRealm and am using it with form-based login to
> secure/protect my webapp.  However, I have a few questions which I
> hope somebody could help me with,
> 
> 1. The JDBCRealm is set up with the following in server.xml.
> 
> driverName="org.gjt.mm.mysql.Driver"
> connectionURL="jdbc:mysql://localhost/authentication"
> userTable="users" userNameCol="user_name" userCredCol="user_pass"
> userRoleTable="user_roles" roleNameCol="role_name"/>
> 
>However, I have noticed that this requires the password (stored in
>the user_pass column) to be clear text, which I really don't like doing.
>Is there any way to store the passwords as hashes (i.e. using the
>password() function in MySQL) ?


http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#JDBCRealm
plus ssl should work

> 
> 2. I read that "a call to j_security_check will be made by every attempt
>   access your secured pages".  Since I am protecting every page in my
>   webapp, I'm wondering how efficient is "j_security_check" ?
>   Does it simply look at the session, or does it make a database call on
>   each and every request ?
> 
> 3. How do you specify a page for authenticated users who do not have
>   the correct permissions/roles ?  At the moment, I have this in web.xml,
> 
>    <login-config>
>      <auth-method>FORM</auth-method>
>      <form-login-config>
>        <form-login-page>login.jsp</form-login-page>
>        <form-error-page>login-error.jsp</form-error-page>
>      </form-login-config>
>    </login-config>
> 
>login.jsp is the form that shows when an authenticated user tries to 
> access the site.
>login-error.jsp is displayed when an incorrect username/password is 
> submitted.
> 
>However, when a correct username/password is submitted but the user
>does not possess an adequate role, I see a default "You are not authorized"
>message.
>How can I customize the page that is shown in such circumstances ?
> 
> 
> 4. Is there a formal method for logging out, rather than calling
>   invalidate() on the session ?
> 
> 5. If your webapp's authentication works fine on Tomcat, would it then
>   work on say BEAWeblogic or IBMWebsphere ?
> 

It should, but some of them claim to be servlet spec compliant and are
not, so you end up writing their support and asking for the compliance.
(I find commercial support staffed by people who do not know servlets, so
your job is really hard)




> Sorry for so many questions but I can't find a comprehensive description
> of this anywhere. I've only found setup/configuration guides which deal
> with the simple issues.
> 
> Soefara.
> 


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>




Re: More JDBCRealm Questions

2002-07-24 Thread Craig R. McClanahan



On Wed, 24 Jul 2002, Soefara Redzuan wrote:

> Date: Wed, 24 Jul 2002 14:39:35 +0800
> From: Soefara Redzuan <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: More JDBCRealm Questions
>
>
> I have set up a JDBCRealm and am using it with form-based login to
> secure/protect my webapp.  However, I have a few questions which I
> hope somebody could help me with,
>
> 1. The JDBCRealm is set up with the following in server.xml.
>
>   driverName="org.gjt.mm.mysql.Driver"
>  connectionURL="jdbc:mysql://localhost/authentication"
>  userTable="users" userNameCol="user_name" userCredCol="user_pass"
>  userRoleTable="user_roles" roleNameCol="role_name"/>
>
> However, I have noticed that this requires the password (stored in
> the user_pass column) to be clear text, which I really don't like doing.
> Is there any way to store the passwords as hashes (i.e. using the
> password() function in MySQL) ?
>

The database password isn't the only sensitive piece of information in
server.xml -- you should ensure that the server.xml file as a whole is not
accessible to any OS user other than the one running Tomcat.  In addition,
you can use security manager protections to prevent webapps from being
able to access it directly.

> 2. I read that "a call to j_security_check will be made by every attempt
>access your secured pages".  Since I am protecting every page in my
>webapp, I'm wondering how efficient is "j_security_check" ?
>Does it simply look at the session, or does it make a database call on
>each and every request ?
>

If you are using sessions, the user identity is cached the first time, so
the database will only get hit once.

> 3. How do you specify a page for authenticated users who do not have
>the correct permissions/roles ?  At the moment, I have this in web.xml,
>
>    <login-config>
>      <auth-method>FORM</auth-method>
>      <form-login-config>
>        <form-login-page>login.jsp</form-login-page>
>        <form-error-page>login-error.jsp</form-error-page>
>      </form-login-config>
>    </login-config>
>
> login.jsp is the form that shows when an authenticated user tries to
> access the site.
> login-error.jsp is displayed when an incorrect username/password is
> submitted.
>
> However, when a correct username/password is submitted but the user
> does not possess an adequate role, I see a default "You are not authorized"
> message.
> How can I customize the page that is shown in such circumstances ?
>

You can use an <error-page> element in your web.xml for the 403 status.

>
> 4. Is there a formal method for logging out, rather than calling
>    invalidate() on the session ?
>

Not in Servlet 2.3.  Such things are under consideration for 2.4.  For
now, invalidating the session is the right way to do it (if you're using
form based login).

> 5. If your webapp's authentication works fine on Tomcat, would it then
>work on say BEAWeblogic or IBMWebsphere ?
>

As long as you are not relying on weird container-specific behaviors and
using j_security_check the way it was intended to be used.

Note that the user database itself, and how you set it up, will be
specific for each app server (i.e. JDBCRealm is Tomcat specific).  But the
app won't have to change.

> Sorry for so many questions but I can't find a comprehensive description
> of this anywhere. I've only found setup/configuration guides which deal
> with the simple issues.
>
> Soefara.
>

Craig


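The web.xml arrangement Craig describes for question 3, written out as an added example (not configuration from the thread or from Tomcat's own docs). It combines the thread's form login with a security constraint over the whole application and an <error-page> for status 403. The role name "member", the URL pattern "/*" and the page "/forbidden.jsp" are assumptions chosen for the example; the login pages keep the thread's names but are given the leading "/" the servlet spec requires.

```xml
<!-- web.xml (Servlet 2.3). Element order matters: the 2.3 DTD puts
     error-page before security-constraint, login-config and
     security-role, and Tomcat 4 validates against that DTD. -->
<web-app>

  <!-- Authenticated user without the required role: the container
       answers 403, so this page replaces the default
       "You are not authorized" text. /forbidden.jsp is an assumed name. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.jsp</location>
  </error-page>

  <!-- Every page in the application requires the "member" role
       (assumed name; it must match role_name in the user_roles table). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The thread's form login; paths are context-relative and start with "/" -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

Two checks worth making after deploying this: log in as a user who is in the users table but has no user_roles row and confirm /forbidden.jsp is served rather than the default text, and log in with a bad password to confirm the failure still goes to /login-error.jsp, since the <form-error-page> and the 403 <error-page> cover different outcomes (failed authentication versus failed authorization).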




Re: More JDBCRealm Questions

2002-07-24 Thread Soefara Redzuan


> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> >
> > I have set up a JDBCRealm and am using it with form-based login to
> > secure/protect my webapp.  However, I have a few questions which I
> > hope somebody could help me with,
> >
> > 1. The JDBCRealm is set up with the following in server.xml.
> >
> >  driverName="org.gjt.mm.mysql.Driver"
> >  connectionURL="jdbc:mysql://localhost/authentication"
> >  userTable="users" userNameCol="user_name" userCredCol="user_pass"
> >  userRoleTable="user_roles" roleNameCol="role_name"/>
> >
> > However, I have noticed that this requires the password (stored in
> > the user_pass column) to be clear text, which I really don't like doing.
> > Is there any way to store the passwords as hashes (i.e. using the
> > password() function in MySQL) ?
> >
>
>The database password isn't the only sensitive piece of information in
>server.xml -- you should ensure that the server.xml file as a whole is not
>accessible to any OS user other than the one running Tomcat.  In addition,
>you can use security manager protections to prevent webapps from being
>able to access it directly.

Sorry, I was not very coherent in my explanation.
I was worried about storing users' passwords in clear text in the database.
Somebody else has kindly pointed out that JDBCRealm supports hashed passwords
in the user/password columns.


> > 2. I read that "a call to j_security_check will be made by every attempt
> >access your secured pages".  Since I am protecting every page in my
> >webapp, I'm wondering how efficient is "j_security_check" ?
> >Does it simply look at the session, or does it make a database call on
> >each and every request ?
> >
>
>If you are using sessions, the user identity is cached the first time, so
>the database will only get hit once.

Excellent.


> > 3. How do you specify a page for authenticated users who do not have
> >the correct permissions/roles ?  At the moment, I have this in web.xml,
> >
> >    <login-config>
> >      <auth-method>FORM</auth-method>
> >      <form-login-config>
> >        <form-login-page>login.jsp</form-login-page>
> >        <form-error-page>login-error.jsp</form-error-page>
> >      </form-login-config>
> >    </login-config>
> >
> > login.jsp is the form that shows when an authenticated user tries to
> > access the site.
> > login-error.jsp is displayed when an incorrect username/password is
> > submitted.
> >
> > However, when a correct username/password is submitted but the user
> > does not possess an adequate role, I see a default "You are not authorized"
> > message.
> > How can I customize the page that is shown in such circumstances ?
> >
>
>You can use an <error-page> element in your web.xml for the 403 status.

Thank you. I was just checking that I hadn't missed something.
I had expected an equivalent to   which would allow
one to tailor the authorization-failure to the section of the webapp.


> > 4. Is there a formal method for logging out, rather than calling
> >invalidate() on the session ?
> >
>
>Not in Servlet 2.3.  Such things are under consideration for 2.4.  For
>now, invalidating the session is the right way to do it (if you're using
>form based login).
>
> > 5. If your webapp's authentication works fine on Tomcat, would it then
> >work on say BEAWeblogic or IBMWebsphere ?
> >
>
>As long as you are not relying on weird container-specific behaviors and
>using j_security_check the way it was intended to be used.
>
>Note that the user database itself, and how you set it up, will be
>specific for each app server (i.e. JDBCRealm is Tomcat specific).  But the
>app won't have to change.

Thank you for the clarification, Craig.

Soefara.




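The hashed-password support that Vic's realm-howto link and Soefara's follow-up refer to, worked through as an added example in Python (not code from the thread or from Tomcat). With digest="MD5" or digest="SHA" on the Realm element, Tomcat 4.1's JDBCRealm expects user_pass to hold the plain MessageDigest of the password as lowercase hex with no salt, the same value the realm-howto's RealmBase -a helper prints, and at j_security_check time it digests the submitted password the same way and compares the strings. The block also computes MySQL's PASSWORD() in its 4.1-and-later form ("*" followed by SHA1(SHA1(password)) in uppercase hex) to show why the function asked about in question 1 cannot be used: the realm never calls it, so a row written with PASSWORD() never matches. The user names, passwords and table rows are constructed for the example. One caveat a reviewer would add today: an unsalted MD5 or SHA-1 digest stops casual reading of the table but is cheap to crack offline; it is what Tomcat 4 offered, not what a new application should choose.

```python
import hashlib
import hmac

# Digest names Tomcat 4.1 accepts in the Realm element's digest="..." attribute
# (java.security.MessageDigest names; "SHA" is SHA-1), mapped to hashlib names.
TOMCAT_DIGESTS = {"MD5": "md5", "SHA": "sha1"}


def tomcat_digest(password: str, algorithm: str = "SHA") -> str:
    """The value JDBCRealm expects in user_pass when digest=algorithm is set:
    the raw MessageDigest output as lowercase hexadecimal, no salt, no prefix."""
    return hashlib.new(TOMCAT_DIGESTS[algorithm], password.encode("utf-8")).hexdigest()


def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(pw)).
    Shown only to make the point that this is a different encoding from what
    a digest="SHA" realm recomputes, so the two strings never compare equal."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed stand-in for the users table: user_name -> user_pass.
# alice was stored the way the realm expects; bob was stored with MySQL's
# PASSWORD() by mistake, which is the situation question 1 asks about.
USERS = {
    "alice": tomcat_digest("correct horse", "SHA"),
    "bob": mysql_password("correct horse"),
}


def realm_authenticate(username: str, submitted: str, algorithm: str = "SHA") -> bool:
    """Mirror of JDBCRealm.authenticate with a digest configured: fetch the
    stored credential, digest the submitted one identically, compare strings.
    Tomcat compares case-insensitively; a constant-time compare is used here."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = tomcat_digest(submitted, algorithm)
    return hmac.compare_digest(candidate.lower(), stored.lower())


if __name__ == "__main__":
    print("alice user_pass:", USERS["alice"])
    print("bob   user_pass:", USERS["bob"])
    print("alice login with correct password:", realm_authenticate("alice", "correct horse"))
    print("bob   login with correct password:", realm_authenticate("bob", "correct horse"))
```

To populate the table from the command line the same way, insert the output of tomcat_digest (or of the RealmBase -a helper) into user_pass; rows written with PASSWORD() will fail to authenticate exactly as bob does above, which is the quickest way to spot a mixed table.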