Monday 28 September 2015

Setting role based security in tomcat

In this post, I am going to explain how to secure your web applications using role-based authentication.

Application layout
We are going to develop the following web application.

All the resources (servlets, JSPs, images, etc.) whose path starts with secure are accessible only to authenticated users; all the remaining resources are available to all users.

Adding authentication details in web.xml
a. First we need to specify the authentication method. The login-config and auth-method elements are used to specify it.

<login-config>
         <auth-method>BASIC</auth-method>
</login-config>

The above setting specifies that the application uses BASIC authentication. The following table explains the available authentication methods.

Setting        Meaning
BASIC          Application uses basic authentication.
DIGEST         Application uses digest authentication.
FORM           Application uses custom form-based authentication.
CLIENT-CERT    Application requires the client to supply its own HTTPS certificate for use with SSL.

b. Add roles to the web.xml file.
We need to declare roles in web.xml; a role specifies which resources its users may access.

<security-role>
         <role-name>admin</role-name>
</security-role>

The above statement declares a role ‘admin’.

c. Add access permission to resources

After specifying roles, you need to grant access permissions to resources.
<security-constraint>
 <web-resource-collection>
  <web-resource-name>management pages</web-resource-name>
  <url-pattern>/secure/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>admin</role-name>
 </auth-constraint>
</security-constraint>

The above snippet says that all resources whose path starts with ‘secure’ are accessible only to users in the ‘admin’ role.

Add users in tomcat-users.xml
This is the last setting. We need to provide the admin user details in the tomcat-users.xml file.

<role rolename="admin"/>
<user username="krishna" password="krishna123" roles="admin"/>

The above statements create a role ‘admin’ and add the user ‘krishna’ to the role admin.

With these we are done with all the configuration needed to protect the web application. Whenever a user tries to access a secure resource, the browser prompts for credentials.
The following is the step-by-step procedure to develop the complete working application in Eclipse.
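To check the configuration above without deploying anything, here is an added example (my code, not part of the original post). It parses the web.xml and tomcat-users.xml shown above, ports Tomcat's URL-pattern matching rules (RealmBase.matchPattern) and the Servlet-spec rule for combining auth-constraints, and reports the HTTP status Tomcat would answer for a request path with or without a BASIC Authorization header. The user ‘guest’ in the users file is constructed for the example, to show the case of a valid login that lacks the admin role; everything else comes from the post.

```python
"""Offline evaluation of the post's role-based security constraints."""
import base64
import xml.etree.ElementTree as ET

# The post's web.xml, reduced to its security-relevant elements.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>management pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# The post's tomcat-users.xml entries plus one CONSTRUCTED user ("guest")
# that can log in but is not in the admin role.
TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin"/>
  <user username="krishna" password="krishna123" roles="admin"/>
  <user username="guest" password="guest123" roles="tomcat"/>
</tomcat-users>"""


def _children(elem, name):
    """Child elements by local name, ignoring the XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def match_pattern(path, pattern):
    """Port of Tomcat's RealmBase.matchPattern: exact, path-prefix
    ("/secure/*" also matches "/secure"), extension ("*.jsp") and default ("/")."""
    path = path or "/"
    pattern = pattern or "/"
    if path == pattern:
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        if not prefix:
            return True  # "/*" is the same as "/"
        if path.endswith("/"):
            path = path[:-1]
        while True:  # walk up the path one segment at a time
            if path == prefix:
                return True
            slash = path.rfind("/")
            if slash <= 0:
                return False
            path = path[:slash]
    if pattern.startswith("*."):
        slash, period = path.rfind("/"), path.rfind(".")
        return slash >= 0 and period > slash and path.endswith(pattern[1:])
    return pattern == "/"


def load_constraints(web_xml):
    """Return [(url_patterns, roles)]; roles is None when the constraint has
    no auth-constraint (open to all) and an empty set when it is empty (deny all)."""
    out = []
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        patterns = [p.text.strip() for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern")]
        auth = _children(sc, "auth-constraint")
        roles = {r.text.strip() for r in _children(auth[0], "role-name")} if auth else None
        out.append((patterns, roles))
    return out


def required_roles(path, constraints):
    """Servlet-spec combination rule (simplified: pattern specificity is not ranked):
    an empty auth-constraint denies everyone, a missing one opens the resource,
    otherwise the permitted roles are the union over matching constraints."""
    matched = [roles for patterns, roles in constraints
               if any(match_pattern(path, p) for p in patterns)]
    if not matched:
        return None
    if any(r is not None and not r for r in matched):
        return set()
    if any(r is None for r in matched):
        return None
    return set().union(*matched)


def load_users(users_xml):
    """username -> (password, set of roles) from tomcat-users.xml."""
    return {u.get("username"): (u.get("password"),
                                set(filter(None, u.get("roles", "").split(","))))
            for u in _children(ET.fromstring(users_xml), "user")}


def basic_header(username, password):
    """What the browser sends after the 401 prompt: base64 encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header):
    """Reverse the header, as anyone who can read the traffic could; hence TLS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def can_access(path, constraints, users, authorization=None):
    """HTTP status Tomcat would answer (200 ok, 401 challenge, 403 wrong role)."""
    roles = required_roles(path, constraints)
    if roles is None:
        return 200
    if not roles:
        return 403  # empty auth-constraint: nobody is allowed
    creds = decode_basic(authorization) if authorization else None
    if creds is None:
        return 401  # WWW-Authenticate: Basic challenge
    record = users.get(creds[0])
    if record is None or record[0] != creds[1]:
        return 401  # unknown user or bad password: challenged again
    return 200 if roles & record[1] else 403


if __name__ == "__main__":
    constraints, users = load_constraints(WEB_XML), load_users(TOMCAT_USERS)
    for path in ("/index.jsp", "/public/public1.jsp", "/secure/secure1.jsp"):
        print(path, "anonymous ->", can_access(path, constraints, users),
              "krishna ->", can_access(path, constraints, users,
                                       basic_header("krishna", "krishna123")))
```

Two points the run makes visible: the prefix pattern also covers the bare path ‘/secure’, and BASIC credentials travel as reversible base64, so the constraint should be paired with HTTPS (a user-data-constraint with transport-guarantee CONFIDENTIAL makes Tomcat enforce that).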

Step 1: Create a new dynamic web project ‘secure_app’ in Eclipse.
File -> New -> Dynamic web project.
Give the project name as ‘secure_app’.

Press Next.

Press Next.
Press Next, select the check box ‘Generate web.xml deployment descriptor’, and press Finish.
The complete project structure looks like below.
Step 2: Create the index.jsp file. Right click on the project -> New -> JSP file.

index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
 pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
 <h1>Welcome to demo application</h1>
</body>
</html>


Step 3: Create a new folder ‘secure’ inside the ‘WebContent’ folder. Create ‘secure1.jsp’ inside the ‘secure’ folder.
secure1.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
 pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
 <h1>Secured resource 1</h1>
</body>
</html>


Step 4: Create a new folder ‘public’ inside the ‘WebContent’ folder. Create ‘public1.jsp’ inside the ‘public’ folder.
public1.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
 pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
 <h1>Accessed to all users</h1>
</body>
</html>


Step 5: Add authentication details to web.xml
web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://java.sun.com/xml/ns/javaee"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
 id="WebApp_ID" version="3.0">
 <display-name>secure_app</display-name>
 <welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
  <welcome-file>default.html</welcome-file>
  <welcome-file>default.htm</welcome-file>
  <welcome-file>default.jsp</welcome-file>
 </welcome-file-list>

 <security-role>
  <role-name>admin</role-name>
 </security-role>

 <security-constraint>
  <web-resource-collection>
   <web-resource-name>management pages</web-resource-name>
   <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>admin</role-name>
  </auth-constraint>
 </security-constraint>

 <login-config>
  <auth-method>BASIC</auth-method>
 </login-config>
</web-app>
Step 6: Add the role and user details to the ‘tomcat-users.xml’ file. The ‘tomcat-users.xml’ file is located under the Servers directory.
tomcat-users.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
--><tomcat-users version="1.0" xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!.. ..> that surrounds them.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
<role rolename="admin"/>
<user username="krishna" password="krishna123" roles="admin"/>

</tomcat-users>
Step 7: Run the application on the server and hit the following URL; it asks for user credentials (if you enter username=krishna, password=krishna123, you get access; otherwise not).



