1 / 14

Enhanced Security Models in TOMCAT for Access Control

Learn about Declarative and Programmatic Security models, Role-based Authorization, and Authentication Methods in TOMCAT for better access control. Understand configuration tips and user role management. Access helpful APIs and tutorials.

jchung
Download Presentation

Enhanced Security Models in TOMCAT for Access Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access control 2/18/2009

  2. TOMCAT Security Model • Declarative Security: • the expression of application security external to the application, and it allows runtime configuration • Configure in web.xml • Programmatic Security: • implement fine-grained access control, enabling components to become security aware • Involves using HttpServletRequest API method

  3. Declarative Security • the expression of application security external to the application, and it allows runtime configuration • Configure in web.xml

  4. Role-based Authorization • Use role-based authorization to manage access • Define role in /conf/tomcat-user.xml <tomcat-users> <role rolename="tomcat"/> <role rolename="role1"/> <role rolename="user"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="role1" password="tomcat" roles="role1"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="jerry" password="jerry" roles="user"/> </tomcat-users> *Need to restart TOMCAT after reconfiguration.

  5. Role-based Authorization • Define security role in web.xml <security-role> <description>The role that is required to log in to the Manager Application </description> <role-name>user</role-name> </security-role> <security-constraint> <web-resource-collection> <url-pattern> /protected/* </url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint>

  6. Authentication Method – 1: Basic • Usage: • Pop up a dialog box • Browser-based auth • User & Password are sent in every http request • Must exit the browser to logout • Not secure at all (no encryption) • Configuration in web.xml <login-config> <auth-method>BASIC</auth-method> <realm-name>Tomcat Manager Application</realm-name> </login-config>

  7. Authentication Method – 2: Digest • Usage: • Same as BASIC • Username and password are encrypted into a message digest value • Configuration in web.xml <login-config> <auth-method>DIGEST</auth-method> <realm-name>Tomcat Manager Application</realm-name> </login-config> Has to use a secure connection, such as SSL, etc

  8. Authentication Method – 3: Form • Usage: • Define your own login and error page • Authentication is defined in servlet session • Logout by session.invalidate() • Configuration in web.xml <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/protected/login.jsp</form-login-page> <form-error-page>/protected/error.jsp</form-error-page> </form-login-config> </login-config>

  9. Authentication Method – 3: Form • Must follow the rules • Use j_username field for the username • Use j_password field for the password • Submit to j_security_check • Login.jsp <form action='j_security_check' method='post'> Name:<input type='text' name='j_username'><br> Password:<input type='password' name='j_password' size='8'><br> <input type='submit' value='login'> </form> • Error.jsp <font size='4' color='red'> The username and password you supplied are not valid.</p> Click <a href='<%= response.encodeURL("login.jsp") %>'>here</a> to retry login

  10. Authentication Method – 4: Client • Usage • implemented with SSL and requires the client to possess a public key certificate • Most secure, but costly

  11. Programmatic Security • implement fine-grained access control, enabling components to become security aware • Involves using HttpServletRequest API method

  12. Access authentication info. • getRemoteUser() • getAuthType() • isUserInRole() • getUserPrincipal() • Principal is an alternated object to identify user • show_security.jsp User principal: <%= request.getUserPrincipal().getName() %>.<br/> User name: <%= request.getRemoteUser() %>.<br/> Request Authenticated with: <%= request.getAuthType() %>.<br/> <% if(request.isUserInRole("user")) { %> You are in <i>user</i> role<br/> <% } %>

  13. Use Role in Web App. Under Structs • Restricted access to Actions • <action path=“……"        type= …… name=……         scope="request"roles="administrator"></action> • In JSP • <logic:present role="administrator"/> ……</logic:present>

  14. Reference • Good security tutorial: http://www.informit.com/articles/article.aspx?p=24253 • Http servlet request APIs: http://www.caucho.com/resin-javadoc/javax/servlet/http/HttpServletRequest.html • http://www.java2s.com/Tutorial/Java/0400__Servlet/0440__Authentication.htm

More Related