In this post, I am going to explain how to secure your web applications using role-based authentication.
Application layout
We are going to develop the following web application. All resources (servlets, JSPs, images, etc.) whose path starts with /secure are accessible only to authenticated users; all remaining resources are available to every user.
Adding authentication details in web.xml
a. First we need to specify the authentication method. The login-config and auth-method elements are used for this.
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
The above setting specifies that the application uses BASIC authentication. The following table explains the available authentication methods.
| Setting     | Meaning                                                                                 |
|-------------|-----------------------------------------------------------------------------------------|
| BASIC       | Application uses basic authentication.                                                  |
| DIGEST      | Application uses digest authentication.                                                 |
| FORM        | Application uses custom form-based authentication.                                      |
| CLIENT-CERT | Application requires the client to supply its own HTTPS certificate for use with SSL.   |
b. Add roles to the web.xml file.
We need to add roles in web.xml; a role specifies which resources its users may access.
<security-role>
    <role-name>admin</role-name>
</security-role>
The above statement creates a role ‘admin’.
c. Add access permissions to resources.
After specifying roles, you need to grant access permissions.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>management pages</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
The above snippet says that all resources under ‘secure’ are accessible only to users in the administrator role.
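As an added example (not part of the original post), the Python script below parses a web.xml like the one above and reports the checks a reviewer would make on its security constraints: a constraint with no auth-constraint (which leaves its resources open to everyone), an empty auth-constraint (which denies everyone), roles referenced but never declared in a security-role, and BASIC or FORM login without a CONFIDENTIAL transport guarantee, since BASIC only base64-encodes the password on the wire. The embedded sample web.xml is constructed to mirror the post's configuration, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-relevant parts of the post's web.xml,
# with the same role, url-pattern and auth method (assumption: not copied verbatim).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>management pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""


def _local(tag):
    # web.xml uses a default namespace, so tags arrive as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _descendants(elem, name)]


def audit_web_xml(xml_text):
    """Return a list of (kind, url_patterns, message) findings for the constraints in web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    declared_roles = set()
    for sr in _descendants(root, "security-role"):
        declared_roles.update(_texts(sr, "role-name"))
    auth_methods = set(_texts(root, "auth-method"))

    for sc in _descendants(root, "security-constraint"):
        patterns = _texts(sc, "url-pattern")
        auth_constraints = _descendants(sc, "auth-constraint")
        guarantees = set(_texts(sc, "transport-guarantee"))

        if not auth_constraints:
            # Servlet spec: a constraint without <auth-constraint> imposes no authorization
            # requirement, so the listed resources stay reachable without a login.
            findings.append(("OPEN", patterns, "no <auth-constraint>; resources are accessible without login"))
            continue

        roles = set()
        for ac in auth_constraints:
            roles.update(_texts(ac, "role-name"))
        if not roles:
            # An empty <auth-constraint/> denies access to every user, which is usually a mistake.
            findings.append(("DENY_ALL", patterns, "empty <auth-constraint/> blocks all users"))
        for role in sorted(roles - declared_roles - {"*", "**"}):
            findings.append(("UNDECLARED_ROLE", patterns, f"role '{role}' is not declared in <security-role>"))

        if auth_methods & {"BASIC", "FORM"} and "CONFIDENTIAL" not in guarantees:
            # BASIC (base64) and FORM (POST body) both transmit the password itself; only a
            # CONFIDENTIAL transport guarantee makes the container require HTTPS for the URL.
            findings.append(("CLEARTEXT_CREDENTIALS", patterns,
                             "BASIC/FORM login without <transport-guarantee>CONFIDENTIAL</transport-guarantee>"))
    return findings


if __name__ == "__main__":
    for kind, patterns, message in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{kind}: {', '.join(patterns)} -> {message}")
```

Run against the sample, the only finding is CLEARTEXT_CREDENTIALS for /secure/*, which is the caveat to keep in mind with the post's configuration: BASIC authentication protects the resource, but the transport still has to be protected separately (a user-data-constraint, or terminating TLS in front of Tomcat).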
Add users in tomcat-users.xml
This is the last setting. We need to provide the admin user details in the tomcat-users.xml file.
<role rolename="admin"/>
<user username="krishna" password="krishna123" roles="admin"/>
The above statements create a role ‘admin’ and add the user krishna to that role.
With these we are done with all the configuration needed to protect the web application. Whenever a user tries to access a secure resource, the browser prompts for credentials like below.
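The credential prompt is the visible half of the HTTP exchange the container runs for a constrained URL. As an added example (not Tomcat's own code and not from the original post), the Python below simulates both sides of it: the server's 401 challenge with a WWW-Authenticate header, the browser's Authorization: Basic header, and the container's decoding, password check and role check against the post's /secure/* constraint. The user table, realm name and function names are assumptions made for this example; the second user is constructed to show the 403 case.

```python
import base64
import hmac

# Constructed user table mirroring the post's tomcat-users.xml, plus a role-less
# user (assumption) to show what happens when authentication succeeds but authorization fails.
USERS = {
    "krishna": {"password": "krishna123", "roles": {"admin"}},
    "guest": {"password": "guest123", "roles": set()},
}
# Mirrors the post's security-constraint: /secure/* requires the admin role.
CONSTRAINTS = [("/secure/*", {"admin"})]
REALM = "secure_app"  # assumption: the realm name shown in the prompt


def build_authorization_header(username, password):
    """What the browser sends once the user fills in the credential prompt."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(value):
    """Decode a 'Basic <base64>' header into (username, password), or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def _matches(pattern, path):
    # Servlet path-prefix semantics: "/secure/*" covers /secure and everything below it.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_roles(path):
    """Union of the roles demanded by every constraint whose url-pattern matches the path."""
    roles = set()
    for pattern, pattern_roles in CONSTRAINTS:
        if _matches(pattern, path):
            roles |= pattern_roles
    return roles


def authenticate(creds):
    """Return the username if the credentials are valid, else None."""
    if creds is None:
        return None
    username, password = creds
    user = USERS.get(username)
    # Constant-time comparison so response timing does not reveal how much of the password matched.
    if user and hmac.compare_digest(user["password"].encode(), password.encode()):
        return username
    return None


def handle_request(path, headers):
    """Simulated container behaviour for one request: returns (status, response_headers)."""
    needed = required_roles(path)
    if not needed:
        return 200, {}                       # unconstrained resource, no login needed
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge                # first request: browser shows the prompt
    username = authenticate(parse_authorization_header(auth))
    if username is None:
        return 401, challenge                # wrong credentials: browser prompts again
    if not USERS[username]["roles"] & needed:
        return 403, {}                       # authenticated but not in the required role
    return 200, {}


if __name__ == "__main__":
    print(handle_request("/secure/secure1.jsp", {}))
    header = build_authorization_header("krishna", "krishna123")
    print(header)
    print(handle_request("/secure/secure1.jsp", {"Authorization": header}))
```

The Authorization header printed above is just base64 of krishna:krishna123, which anyone who can read the traffic can decode; that is why the post's setup should only be exposed over HTTPS.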
The following is the step-by-step procedure to develop the complete working application in Eclipse.
Step 1: Create a new dynamic web project ‘secure_app’ in Eclipse.
File -> New -> Dynamic Web Project.
Give the project name as ‘secure_app’.
Press Next, press Next, press Next, select the check box ‘Generate web.xml deployment descriptor’, and press Finish.
The total project structure looks like below.
Step 2: Create the index.jsp file. Right click on the project -> New -> JSP file.
index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1>Welcome to demo application</h1>
</body>
</html>
Step 3: Create a new folder ‘secure’ inside the ‘WebContent’ folder. Create ‘secure1.jsp’ inside the ‘secure’ folder.
secure1.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1>Secured resource 1</h1>
</body>
</html>
Step 4: Create a new folder ‘public’ inside the ‘WebContent’ folder. Create ‘public1.jsp’ inside the ‘public’ folder.
public1.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1>Accessed to all users</h1>
</body>
</html>
Step 5: Add the authentication details to web.xml.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <display-name>secure_app</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>management pages</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>
Step 6: Add the role and user details to the ‘tomcat-users.xml’ file. The ‘tomcat-users.xml’ file is located under the Servers directory.
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users version="1.0" xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!.. ..> that surrounds them.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
  <role rolename="admin"/>
  <user username="krishna" password="krishna123" roles="admin"/>
</tomcat-users>
Step 7: Run the application on the server and hit the following URL. It asks for user credentials (if you enter username=krishna, password=krishna123, you get access; otherwise you do not).