Re: More JDBCRealm Questions
Subject: Re: More JDBCRealm Questions
From: Vic C. [EMAIL PROTECTED]

===

Soefara Redzuan wrote:

> I have set up a JDBCRealm and am using it with form-based login to secure/protect my webapp. However, I have a few questions which I hope somebody could help me with.
>
> 1. The JDBCRealm is set up with the following in server.xml.
>
>     <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>            driverName="org.gjt.mm.mysql.Driver"
>            connectionURL="jdbc:mysql://localhost/authentication"
>            userTable="users" userNameCol="user_name" userCredCol="user_pass"
>            userRoleTable="user_roles" roleNameCol="role_name"/>
>
> However, I have noticed that this requires the password (stored in the user_pass column) to be clear text, which I really don't like doing. Is there any way to store the passwords as hashes (i.e. using the password() function in MySQL)?

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#JDBCRealm plus SSL should work.

> 2. I read that a call to j_security_check will be made by every attempt to access your secured pages. Since I am protecting every page in my webapp, I'm wondering how efficient is j_security_check? Does it simply look at the session, or does it make a database call on each and every request?
>
> 3. How do you specify a page for authenticated users who do not have the correct permissions/roles? At the moment, I have this in web.xml:
>
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>         <form-login-page>login.jsp</form-login-page>
>         <form-error-page>login-error.jsp</form-error-page>
>       </form-login-config>
>     </login-config>
>
> login.jsp is the form that shows when an authenticated user tries to access the site. login-error.jsp is displayed when an incorrect username/password is submitted. However, when a correct username/password is submitted but the user does not possess an adequate role, I see a default "You are not authorized" message. How can I customize the page that is shown in such circumstances?
>
> 4. Is there a formal method of logging out, rather than calling invalidate() on the session?
>
> 5. If your webapp's authentication works fine on Tomcat, would it then work on, say, BEA WebLogic or IBM WebSphere?

It should, but some of them claim to be servlet spec compliant and are not, so you end up writing their support and asking for the compliance. (I find commercial support staffed by people who do not know servlets, so your job is really hard.)

> Sorry for so many questions but I can't find a comprehensive description of this anywhere. I've only found setup/configuration guides which deal with the simple issues.
>
> Soefara.
Re: More JDBCRealm Questions
On Wed, 24 Jul 2002, Soefara Redzuan wrote:

> Date: Wed, 24 Jul 2002 14:39:35 +0800
> From: Soefara Redzuan [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: More JDBCRealm Questions
>
> I have set up a JDBCRealm and am using it with form-based login to secure/protect my webapp. However, I have a few questions which I hope somebody could help me with.
>
> 1. The JDBCRealm is set up with the following in server.xml.
>
>     <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>            driverName="org.gjt.mm.mysql.Driver"
>            connectionURL="jdbc:mysql://localhost/authentication"
>            userTable="users" userNameCol="user_name" userCredCol="user_pass"
>            userRoleTable="user_roles" roleNameCol="role_name"/>
>
> However, I have noticed that this requires the password (stored in the user_pass column) to be clear text, which I really don't like doing. Is there any way to store the passwords as hashes (i.e. using the password() function in MySQL)?

The database password isn't the only sensitive piece of information in server.xml -- you should ensure that the server.xml file as a whole is not accessible to any OS user other than the one running Tomcat. In addition, you can use security manager protections to prevent webapps from being able to access it directly.

> 2. I read that a call to j_security_check will be made by every attempt to access your secured pages. Since I am protecting every page in my webapp, I'm wondering how efficient is j_security_check? Does it simply look at the session, or does it make a database call on each and every request?

If you are using sessions, the user identity is cached the first time, so the database will only get hit once.

> 3. How do you specify a page for authenticated users who do not have the correct permissions/roles? At the moment, I have this in web.xml:
>
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>         <form-login-page>login.jsp</form-login-page>
>         <form-error-page>login-error.jsp</form-error-page>
>       </form-login-config>
>     </login-config>
>
> login.jsp is the form that shows when an authenticated user tries to access the site. login-error.jsp is displayed when an incorrect username/password is submitted. However, when a correct username/password is submitted but the user does not possess an adequate role, I see a default "You are not authorized" message. How can I customize the page that is shown in such circumstances?

You can use an error-page element in your web.xml for the 403 status.

> 4. Is there a formal method of logging out, rather than calling invalidate() on the session?

Not in Servlet 2.3. Such things are under consideration for 2.4. For now, invalidating the session is the right way to do it (if you're using form-based login).

> 5. If your webapp's authentication works fine on Tomcat, would it then work on, say, BEA WebLogic or IBM WebSphere?

As long as you are not relying on weird container-specific behaviors and using j_security_check the way it was intended to be used. Note that the user database itself, and how you set it up, will be specific for each app server (i.e. JDBCRealm is Tomcat specific). But the app won't have to change.

> Sorry for so many questions but I can't find a comprehensive description of this anywhere. I've only found setup/configuration guides which deal with the simple issues.
>
> Soefara.

Craig
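Putting Craig's answers to questions 1 and 3 into configuration, as an added example that is not from the thread or from Tomcat's own documentation: the poster's Realm with the Tomcat 4.1 JDBCRealm digest attribute set, so that user_pass holds a SHA digest rather than clear text, and a web.xml that maps HTTP 403 to a custom page. The role name "member", the page paths and the CONFIDENTIAL transport guarantee are assumptions.

```xml
<!-- server.xml: the poster's Realm as quoted above, with digest="SHA" added.
     Tomcat then runs the submitted password through
     java.security.MessageDigest("SHA") and compares the hex-encoded
     result with user_pass, so the column never holds clear text.
     Fill the column with the same digest (the RealmBase tool described in
     the realm-howto linked above prints it); MySQL's PASSWORD() output is
     a different format and will never match. -->
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/authentication"
       digest="SHA"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>

<!-- web.xml (elements in Servlet 2.3 DTD order). Craig's answer to
     question 3: a correct login without the required role yields
     HTTP 403, so map that status to a custom page. -->
<error-page>
  <error-code>403</error-code>
  <location>/not-authorized.jsp</location>  <!-- assumed path -->
</error-page>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>  <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- credentials travel only over SSL, as Vic suggested -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>
```

A user whose name and password match but who lacks the "member" role now lands on /not-authorized.jsp instead of the container's default message.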
Re: More JDBCRealm Questions
From: Craig R. McClanahan [EMAIL PROTECTED]

> > I have set up a JDBCRealm and am using it with form-based login to secure/protect my webapp. However, I have a few questions which I hope somebody could help me with.
> >
> > 1. The JDBCRealm is set up with the following in server.xml.
> >
> >     <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
> >            driverName="org.gjt.mm.mysql.Driver"
> >            connectionURL="jdbc:mysql://localhost/authentication"
> >            userTable="users" userNameCol="user_name" userCredCol="user_pass"
> >            userRoleTable="user_roles" roleNameCol="role_name"/>
> >
> > However, I have noticed that this requires the password (stored in the user_pass column) to be clear text, which I really don't like doing. Is there any way to store the passwords as hashes (i.e. using the password() function in MySQL)?
>
> The database password isn't the only sensitive piece of information in server.xml -- you should ensure that the server.xml file as a whole is not accessible to any OS user other than the one running Tomcat. In addition, you can use security manager protections to prevent webapps from being able to access it directly.

Sorry, I was not very coherent in my explanation. I was worried about storing users' passwords in clear text in the database. Somebody else has kindly pointed out that JDBCRealm supports hashed passwords in the user/password columns.

> > 2. I read that a call to j_security_check will be made by every attempt to access your secured pages. Since I am protecting every page in my webapp, I'm wondering how efficient is j_security_check? Does it simply look at the session, or does it make a database call on each and every request?
>
> If you are using sessions, the user identity is cached the first time, so the database will only get hit once.

Excellent.

> > 3. How do you specify a page for authenticated users who do not have the correct permissions/roles? At the moment, I have this in web.xml:
> >
> >     <login-config>
> >       <auth-method>FORM</auth-method>
> >       <form-login-config>
> >         <form-login-page>login.jsp</form-login-page>
> >         <form-error-page>login-error.jsp</form-error-page>
> >       </form-login-config>
> >     </login-config>
> >
> > login.jsp is the form that shows when an authenticated user tries to access the site. login-error.jsp is displayed when an incorrect username/password is submitted. However, when a correct username/password is submitted but the user does not possess an adequate role, I see a default "You are not authorized" message. How can I customize the page that is shown in such circumstances?
>
> You can use an error-page element in your web.xml for the 403 status.

Thank you. I was just checking that I hadn't missed something. I had expected an equivalent to form-error-page which would allow one to tailor the authorization failure to the section of the webapp.

> > 4. Is there a formal method of logging out, rather than calling invalidate() on the session?
>
> Not in Servlet 2.3. Such things are under consideration for 2.4. For now, invalidating the session is the right way to do it (if you're using form-based login).
>
> > 5. If your webapp's authentication works fine on Tomcat, would it then work on, say, BEA WebLogic or IBM WebSphere?
>
> As long as you are not relying on weird container-specific behaviors and using j_security_check the way it was intended to be used. Note that the user database itself, and how you set it up, will be specific for each app server (i.e. JDBCRealm is Tomcat specific). But the app won't have to change.

Thank you for the clarification, Craig.

Soefara.