11 Replies Latest reply on Feb 27, 2003 4:38 AM by Mick Knutson

    Security with servlet web app and programmatically adding ne

    andyj Newbie

      Hi,

      I am writing a shop type web-app, and want to implement security, preferably in a J2EE engine-independent way. I understand the basics of J2EE authentication, but based on what is in the J2EE spec, can't see how it fulfils what I want.

      In my app I want users to be able to register, which then programmatically sets up a login to the system. I would like this login to be a J2EE login, and so I can give certain J2EE roles to the user, and benefit from J2EE's security features (protecting Http methods etc using a J2EE role). In the JBoss examples download there are no examples of security, so am stuck on how I would attempt anything with JBoss (I have found the login-config.xml file etc, but am not clear on how this relates to what goes in the web.xml file). In my app I would like to use a FORM based authentication display. I can set up my own FORM with the j_login, j_password fields, but am unclear on how

      a). I can create a J2EE login programmatically.
      b). Assign roles programmatically to a J2EE login.

      I thought of having a CMP "User" entity bean, but don't know if I can map this to the users that J2EE uses.

      Any help would be appreciated, and any pointers to examples on the web ?

      Thanks in advance.

        • 1. Re: Security with servlet web app and programmatically addin
          andyj Newbie

          As I see it there are 2 alternatives for my app.

          a). There is an API to allow me to provide an authenticator myself, and I have J2EE users like "administrator", "customer", etc for the shop, and each of these users have J2EE roles. With this route, I do not need to create users programmatically in the J2EE system. When a user says "Register", I just create a user in my own DB table. What I DO need to do however is tell the J2EE system that this session is for J2EE user 'customer' say. How would i do this ? I need to be able to prevent unauthorised access to servlet methods as well as beans.

          b). I programmatically create users in the J2EE system. With this route, a user has his/her own user record in the J2EE system, and with the necessary roles for that. I would need to programmatically create users and roles in the J2EE system. Is this possible ?

          c). I ignore J2EE's security facilities and implement my own, which would be guaranteed J2EE engine independent. It would seem a shame to go this route, since the whole point of defining a framework like J2EE is to minimise the amount of extra "routine" code that developers write.


          • 2. Re: Security with servlet web app and programmatically addin
            James Moring Newbie

            Option B is the way to go. Setup a security domain in login-config.xml. Use the DatabaseServerLoginModule or write your own custom module that gets credentials and roles from a database. Allow the new user to register themselves which results in the a new user and the appropiate roles being saved to the database and hence available to the login module that you setup.

            HTH

            • 3. Re: Security with servlet web app and programmatically addin
              andyj Newbie

              Thx. I've implemented the DatabaseServerLoginModule approach now, and works fine. Would be nice to have an example of this in the JBoss "getting started" examples.

              • 4. Re: Security with servlet web app and programmatically addin
                Donald Newbie

                I have a question. How did you set this up? any examples. I ask since I have a similar situation.

                I have code that will enter the user into the database with the role/id/password. Next I need to let the system know the user just registered and not to throw the user to a login screen. How did you implement this piece? If you did it in the login module can you explain the process and or examples? I am not sure what piecews of JBOSS I need to call to force this login after a registration.

                Thanks
                Donald@maclarens.net

                • 5. Re: Security with servlet web app and programmatically addin
                  Donald Newbie

                  As I have the same issue, this has not answered the question of how to log the user in after the user is added to the tables? How do we programmatically log into the Jboss container? With the J2EE approach, we need to get a handle into JAAS.
                  Does Jboss supply a class to do this?
                  Do we implement JAAS ourselves?
                  Are there JBOSS interfaces we need for this?

                  Any help is welcomed. Is this clear?

                  • 6. Re: Security with servlet web app and programmatically addin
                    L.G. Newbie

                    1.Create jsp Page with username and password textboxes. Let's call it index.jsp. After user fill info submit this page to itself (form action = 'index.jsp')
                    Before submitting set some value in hidden field to indicatate that this is not init load of the page.
                    2.Submit index.jsp and get parameters for username and password and set them as session attributes (session.setAttribute("username", request.getParameter("user_name")) etc.
                    Redirect page to protected location.
                    This is index.jsp:
                    ---------------------------------------------------
                    <%@page contentType="text/html" session="true"%>
                    <%@taglib uri="/WEB-INF/tld/c.tld" prefix="c"%>

                    <c:if test="${!empty param.actionCode}">
                    <c:set var="username" scope="session" value="${param.j_username}" />
                    <c:set var="password" scope="session" value="${param.j_password}" />
                    <c:redirect url="/protected/menu.jsp"/>
                    </c:if>

                    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


                    Screen Them


                    function ltrim ( str ) {
                    var len = str.length;
                    var i;
                    var temp;
                    for(i = 0; i <= len; i++) {
                    temp = str.charAt(i);
                    if (temp == ' ') {
                    } else {
                    str = str.substring( i, len );
                    return str;
                    }
                    }
                    return str;
                    }

                    function rtrim ( str ) {
                    var len = str.length;
                    var i = 0;
                    var temp;
                    for(i = (len - 1); i >= 0; i--) {
                    temp = str.charAt(i);
                    if (temp == ' ') {
                    } else {
                    str = str.substring( 0, (i + 1));
                    return str;
                    }
                    }
                    str = '';
                    return str;
                    }

                    function trim( str ) {
                    var temp;
                    var ret;
                    temp = ltrim( str );
                    ret = rtrim( temp );
                    return ret;
                    }

                    function setFocus(){
                    document.forms[0].j_username.focus();
                    }

                    function resetForm(){
                    document.forms[0].j_username.value = '';
                    document.forms[0].j_password.value = '';
                    setFocus();
                    }

                    function submitForm(){
                    document.forms[0].actionCode.value="1"
                    var parm1 = document.forms[0].j_username.value;
                    var parm2 = document.forms[0].j_password.value;
                    if (parm1 == null || (trim(parm1) == '')){
                    alert('User Name cannot be empty');
                    document.forms[0].j_username.select();
                    document.forms[0].j_username.focus();
                    return false;
                    }
                    if (parm2 == null || (trim(parm2) == '')){
                    alert('Password cannot be empty');
                    document.forms[0].j_password.focus();
                    document.forms[0].j_password.select();
                    return false;
                    }
                    return true;
                    }







                    <h1 align='left'>Blah-blah</h1>

                    <!--form start-->
                    <c:url value="index.jsp" var="pageAction"/>
                    <form name='indexForm' method='post' action='<c:out value="${pageAction}"/>' onsubmit='return submitForm()'>



                    <td class='label2' nowrap>E-mail:<input type='text' name='j_username' class='textBox3' value='<c:out value="${sessionScope.username}"/>'>



                    <td class='label2' nowrap>Password:







                    <!--form end-->






                    <td nowrap><h3>Blah-blah</h3>



                    Blah-blah



                    <c:url value="NewMember.jsp?actionCode=create" var="nextPage"/>
                    <a href='<c:out value="${nextPage}"/>'>Become a Member






                    This is Login.jsp:
                    ---------------------------------
                    <%@page contentType="text/html" session="true"%>
                    <%
                    String username = (String) session.getAttribute("username");
                    if (username == null) username = "";
                    String password = (String) session.getAttribute("password");
                    if (password == null) password = "";
                    %>




                    <form action='<%=response.encodeURL("j_security_check")%>' method='post' name='logF'>





                    -------------------------------------

                    It's NOT very elegant solution but it will solve your problem.

                    • 7. Re: Security with servlet web app and programmatically addin
                      Donald Newbie

                      I guess I fail to see how that will work. I am not sure what your tag lib does. I should be able to pass the user/pass to the container for it to use when the protected page is called or use a class to actually do the authentication real time once I make the DB calls in the bean. I do not want to make the Auth. in the bean but outside the EJB in the class that made the call to the EJB. The class that calls the EJB was called from a servlet so I have servlet context if needed.

                      I am using jboss 3.0.x_tomcat4.0

                      I do not think that I have to do anything specific to the tomcat config either. The approach that you are using in the JSP is not a sound way for a production environment though.

                      • 8. Re: Security with servlet web app and programmatically addin
                        kenkyee Newbie

                        > It's NOT very elegant solution but it will solve your problem.

                        No it won't. That solution only works for the simplest JSP apps...not EJB/JSP apps.

                        I'm interested in the real solution to this as well. I'm surprised the JBoss coders don't monitor this. This info is needed to implement any sort of automatic login solution (the checkbox you see on so many sites that lets you automatically login to a site for a while after you log in once).

                        • 9. That doesn't work for EJB/JSP apps
                          kenkyee Newbie

                          > It's NOT very elegant solution but it will solve your problem.

                          No it won't. That solution only works for the simplest JSP apps...not EJB/JSP apps.

                          I'm interested in the real solution to this as well. I'm surprised the JBoss coders don't monitor this. This info is needed to implement any sort of automatic login solution (the checkbox you see on so many sites that lets you automatically login to a site for a while after you log in once).

                          • 10. That doesn't work for EJB/JSP apps
                            kenkyee Newbie

                            > It's NOT very elegant solution but it will solve your problem.

                            No it won't. That solution only works for the simplest JSP apps...not EJB/JSP apps.

                            I'm interested in the real solution to this as well. I'm surprised the JBoss coders don't monitor this. This info is needed to implement any sort of automatic login solution (the checkbox you see on so many sites that lets you automatically login to a site for a while after you log in once).

                            • 11. Re: That doesn't work for EJB/JSP apps
                              Mick Knutson Newbie

                              I agree. This does not solve the issue.
                              I actually set up a realm with the DB Login. I get a principal on the first request to a secured page, but then the Principal is lost.

                              So I have 2 issues:
                              1. The Principal needs to live for the entire session, not just a request. How do I get that to work with the DB Login?

                              2. I have Roles, as well as User Profile bits like Prefered locale, prefered currrency, etc. etc.
                              I have a UserView Object for the user, and can put it into the session just fine and get access to it. The issue is, How do I tie my UserView together with my Principal and continue to leverage the JAAS?

                              Just to walk through this to clarify:

                              * User bookmarks a protected page.
                              * login page is displayed as per the security declaration.
                              * My SecurityFilter looks for UserView in Session. If it does not exist, it gets it from the EJB layer and adds it to Session as well as adding the Principal to session.
                              * Protected page is shown.
                              * Protected Page is submitted, but Principal is null, so the "Guest" Principal is used......

                              So I am wanting to tie these 2 things together is a maintenace concious way, but also leveraging JAAS and EJB.


                              Help would be greatly appreciated.