Posted to users@tomcat.apache.org by lightbulb432 <ve...@hotmail.com> on 2007/08/29 06:33:29 UTC

Authentication and authorization questions

I have several questions about authentication and authorization in Tomcat
below, so answer only what you can :) Thanks.

Where does Tomcat authentication fit into the request processing lifecycle?
Does it happen before even the very first filter gets called? What happens
just before and just after authentication?

Where does the role-based authorization fit into this process?

When you login using form-based authentication, where invalid login attempts
redirect to the "form-error-page", how do you add a custom message to that
page saying "Login Failed"? I ask because common practice is to send the
user to the same login page rather than a different page.

Is it configuration whether Tomcat uses redirects or forwards after
successful or unsuccessful attempts? What's the default for both?

How can you use JDBCRealm or DataSourceRealm with foreign keys from roles
table to user table, rather than requiring the roles table to duplicate
whatever field (e.g. username, email address) will actually be entered into
the login screen? I ask because using simple text-matching rather than using
the primary key of the user table seems a bit inefficient, but more
importantly it may be disallowed from data standards in some organizations.

Thanks.
-- 
View this message in context: http://www.nabble.com/Authentication-and-authorization-questions-tf4345698.html#a12380709
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Authentication and authorization questions

Posted by Glenn McCall <gl...@gtajb.com>.
Below...

I hope it helps

Glenn Mc


----- Original Message ----- 
From: "lightbulb432" <ve...@hotmail.com>
To: <us...@tomcat.apache.org>
Sent: Wednesday, August 29, 2007 2:33 PM
Subject: Authentication and authorization questions


>
> I have several questions about authentication and authorization in Tomcat
> below, so answer only what you can :) Thanks.
>
> Where does Tomcat authentication fit into the request processing 
> lifecycle?
> Does it happen before even the very first filter gets called? What happens
> just before and just after authentication?
>
> Where does the role-based authorization fit into this process?
>
> When you login using form-based authentication, where invalid login 
> attempts
> redirect to the "form-error-page", how do you add a custom message to that
> page saying "Login Failed"? I ask because common practice is to send the
> user to the same login page rather than a different page.

These forms can be JSPs so I guess you can include whatever logic you like 
in them. I haven't tried, but you could theoretically put something like a 
retry count which forwards to a different failure page when the limit is 
reached.

>
> Is it configuration whether Tomcat uses redirects or forwards after
> successful or unsuccessful attempts? What's the default for both?
>
> How can you use JDBCRealm or DataSourceRealm with foreign keys from roles
> table to user table, rather than requiring the roles table to duplicate
> whatever field (e.g. username, email address) will actually be entered 
> into
> the login screen? I ask because using simple text-matching rather than 
> using
> the primary key of the user table seems a bit inefficient, but more
> importantly it may be disallowed from data standards in some 
> organizations.

I'm not sure what you are asking here. The JDBC realms assume the user ID is 
a primary key (PK). This makes sense as a PK must be unique. Since user IDs 
should also be unique, they would make sense as a natural primary key. 
I'm not sure I understand what the problem is that you are trying to solve 
here. If you are concerned about join performance to the roles table on a 
varchar, I don't think that that would be your major concern. First off most 
databases hash data values to a code (typically a 32, 64, 128 bit value or 
even larger) that is used to locate records on disk. So if you define a 
secondary index on the roles table access to it via the SI should be fairly 
efficient via the user ID irrespective of its data type. Second of all, the 
database interactions you are going to perform, how many are going to be 
logons? I suspect that the rest of your application would put more of a load 
on the database than the query that determines the roles the user ID is 
associated with. Third consider I/O performance (i.e. reading a data block 
from disk) to the time it is going to take to compare a 64 character value. 
I suspect that most modern processors would be able to perform billions of 
such comparisons in the time it takes to read one data block!

It sounds like you are looking for a surrogate key (i.e. another value - 
presumably system generated - to act as a substitute for the user id). If 
you did this, I doubt you would be saving anything as you would still 
require the database to retrieve user details by the id entered by the user. 
So I can't see how you will be saving anything.

So once again, I tried to imagine what your concern is, but just can't pick 
it!

Still if you wished to pursue this course of action I think you have two 
options.
1) Hide the surrogate relationships behind views and/or
B) develop your own authentication scheme via JAAS.
There is of course a third option:
#) Just go with the flow a.k.a. if it ain't broke, don't try to fix it :-)





>
> Thanks.




Re: Authentication and authorization questions

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jean,

jmuller wrote:
> I've written my own DataSourceRealm that overwrites Tomcat's one, and put the
> jar in server/lib.
> It only overwrites the getRoles() method to change the SQL statement. See
> source here:  http://www.nabble.com/file/p12820411/DataSourceRealm.java
> DataSourceRealm.java  (free to use/modify/comment) !

I do have one comment:

>         finally {
>             try {
>                 if (rs != null) {
>                     rs.close();
>                 }
>                 if (stmt != null) {
>                     stmt.close();
>                 }
>             } catch (SQLException e) {
>                     containerLog.error(
>                         sm.getString("dataSourceRealm.getRoles.exception",
>                                      username));
>             }
>         }
>  

I could use separate try/catch blocks for each close() call... you
wouldn't want the ResultSet.close call to fail and then never call
Statement.close().

- -chris



Re: Authentication and authorization questions

Posted by jmuller <je...@gmail.com>.
I talk about hibernate because of the model, not hibernate. My problem was
the use of userName as the foreign key in the role table: my (generated
standard) model is made with 3 tables and ids as foreign keys, which is not
compatible with DataSourceRealm's 2-table model.


mgainty wrote:
> 
> possible OpenSessionInViewFilter problem
> which version hibernate are you implementing with?
> 
> M--
> ----- Original Message -----
> From: "jmuller" <je...@gmail.com>
> To: <us...@tomcat.apache.org>
> Sent: Friday, September 21, 2007 9:14 AM
> Subject: Re: Authentication and authorization questions
> 
> 
>>
>>
>> Christopher Schultz-2 wrote:
>> >
>> > ...
>> >> How can you use JDBCRealm or DataSourceRealm with [numeric] foreign
> keys
>> >> from roles
>> >> table to user table, rather than requiring the roles table to
>> duplicate
>> >> whatever field (e.g. username, email address) will actually be entered
>> >> into
>> >> the login screen?
>> >
>> > You can't. You'd have to write your own Realm implementation.
>> >
>> >> I ask because using simple text-matching rather than using
>> >> the primary key of the user table seems a bit inefficient
>> >
>> > Are you sure about that? You might want to do a performance test on
>> your
>> > database. You're likely to find that string matching is /very/ fast,
>> > especially if you have the columns indexed (and you really should).
>> >
>> >> but more
>> >> importantly it may be disallowed from data standards in some
>> >> organizations.
>> > ...
>> >
>>
>> Hello,
>> I've got the same problem of a foreign key with 3 tables (generated by
>> hibernate) for user and roles:
>> - one UserTable with id, name and password,
>> - one RoleTable with id and name
>> - one RelationTable with userId and roleId
>>
>> I've written my own DataSourceRealm that overwrites Tomcat's one, and put
> the
>> jar in server/lib.
>> It only overwrites the getRoles() method to change the SQL statement. See
>> source here:  http://www.nabble.com/file/p12820411/DataSourceRealm.java
>> DataSourceRealm.java  (free to use/modify/comment) !
>> --
>> View this message in context:
> http://www.nabble.com/Authentication-and-authorization-questions-tf4345698.h
> tml#a12820411
>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>
>>
>>
>>
> 
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Authentication-and-authorization-questions-tf4345698.html#a12824172
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Authentication and authorization questions

Posted by jmuller <je...@gmail.com>.

Christopher Schultz-2 wrote:
> 
> ...
>> How can you use JDBCRealm or DataSourceRealm with [numeric] foreign keys
>> from roles
>> table to user table, rather than requiring the roles table to duplicate
>> whatever field (e.g. username, email address) will actually be entered
>> into
>> the login screen?
> 
> You can't. You'd have to write your own Realm implementation.
> 
>> I ask because using simple text-matching rather than using
>> the primary key of the user table seems a bit inefficient
> 
> Are you sure about that? You might want to do a performance test on your
> database. You're likely to find that string matching is /very/ fast,
> especially if you have the columns indexed (and you really should).
> 
>> but more
>> importantly it may be disallowed from data standards in some
>> organizations.
> ...
> 

Hello,
I've got the same problem of a foreign key with 3 tables (generated by
hibernate) for user and roles:
- one UserTable with id, name and password,
- one RoleTable with id and name
- one RelationTable with userId and roleId

I've written my own DataSourceRealm that overwrites Tomcat's one, and put the
jar in server/lib.
It only overwrites the getRoles() method to change the SQL statement. See
source here:  http://www.nabble.com/file/p12820411/DataSourceRealm.java
DataSourceRealm.java  (free to use/modify/comment) !
-- 
View this message in context: http://www.nabble.com/Authentication-and-authorization-questions-tf4345698.html#a12820411
Sent from the Tomcat - User mailing list archive at Nabble.com.
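Putting Chris's resource-closing comment together with the three-table schema jmuller describes, here is an added example (not the DataSourceRealm.java linked in the thread, and not Tomcat's own code) of a DataSourceRealm subclass that overrides only getRoles() for that schema. It assumes Tomcat 6's protected getRoles(Connection, String) signature and the table and column names UserTable(id, name), RoleTable(id, name) and RelationTable(userId, roleId) from the post; authentication itself still uses the inherited userTable/userNameCol/userCredCol attributes from server.xml.

```java
package example.realm; // hypothetical package name

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;

import org.apache.catalina.realm.DataSourceRealm;

/**
 * Realm for a normalized schema with numeric foreign keys:
 *   UserTable(id, name, password), RoleTable(id, name), RelationTable(userId, roleId).
 * The stock DataSourceRealm expects the role table to repeat the username;
 * this subclass resolves roles through the join table instead.
 */
public class ThreeTableDataSourceRealm extends DataSourceRealm {

    // Table and column names are assumptions for this example; adjust to your schema.
    private static final String ROLES_SQL =
        "SELECT r.name FROM RoleTable r"
      + " JOIN RelationTable ur ON ur.roleId = r.id"
      + " JOIN UserTable u ON u.id = ur.userId"
      + " WHERE u.name = ?";

    @Override
    protected ArrayList<String> getRoles(Connection dbConnection, String username) {
        ArrayList<String> roles = new ArrayList<String>();
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            // Bind the login name as a parameter; never concatenate it into the SQL.
            stmt = dbConnection.prepareStatement(ROLES_SQL);
            stmt.setString(1, username);
            rs = stmt.executeQuery();
            while (rs.next()) {
                String role = rs.getString(1);
                if (role != null) {
                    roles.add(role.trim());
                }
            }
        } catch (SQLException e) {
            // Log and fall through: an empty role list means authorization fails closed.
            containerLog.error("ThreeTableDataSourceRealm: role lookup failed for user "
                               + username, e);
        } finally {
            // Close each resource in its own try block, so a failing
            // ResultSet.close() cannot skip Statement.close().
            if (rs != null) {
                try { rs.close(); } catch (SQLException e) {
                    containerLog.warn("ThreeTableDataSourceRealm: ResultSet close failed", e);
                }
            }
            if (stmt != null) {
                try { stmt.close(); } catch (SQLException e) {
                    containerLog.warn("ThreeTableDataSourceRealm: Statement close failed", e);
                }
            }
        }
        return roles;
    }
}
```

Package it as a jar on Tomcat's server classpath and reference the class with the Realm element's className attribute in server.xml; the base class continues to open and release the pooled Connection around this call.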




Re: Authentication and authorization questions

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Lb,

lightbulb432 wrote:
> But if the login and login-error pages are the same page (meaning
> that when someone fails an access check they get redirected to the
> login-error page, which is actually the login page where they must
> re-enter their credentials) how could you put information into the
> request or session scope to be accessed by the page?

You would have to do it manually. I dunno... count the number of times
the page is displayed with no credentials? It's not a graceful thing to
do by any means. What we do is have two separate pages: the login page,
and the login error page which basically says "error=true; forward to
login-page;". Then the login page looks for the "error" flag. You need
two pages for this, though.

I haven't tried it, but you might be able to make the login-error page
something like "login.jsp?failed=true". That might work.

> In fact, how could I add all sorts of state to the request so that
> the message could read "Login failed for page ${failedPageName}" or
> some other parameterized text?

You don't have access to the saved request or anything like that. You
might be able to hunt around for it, but there would be no guarantee
that it would work across Tomcat versions, since it's not standard.

> I agree completely. I've been having a lot of problems with Tomcat 
> authentication and authorization, and would like to use a custom
> solution.

I don't really see any problems... mainly shortcomings.

> The only thing that deters me, and which applies to securityfilter as
> well, is the lack of SSO across contexts.

Yup; securityfilter doesn't do SSO. But, you could potentially write
your own securityfilter-friendly SSO valve. Just look at the existing
SSO Valve and you might be inspired.

> The securityfilter projects says they're looking into SSO, but the
> project looks inactive enough that I'm not going to hold my breath.

securityfilter is all but dead AFAICT. Fortunately, it's pretty much got
everything it needs right now. If you submit a patch or an idea, the
maintainer will probably put it in; he's just not particularly motivated
to add stuff to it right now.

> I tried looking for other Java servlet security products or projects,
> but nothing really came up.

I think that's because most people are scared of "security" projects and
tend to rely on the container for the whole shebang. I think that's a
reasonable stance. On the other hand, securityfilter already exists...
why reinvent it? ;)

- -chris
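The two-page approach Chris describes (an error page that sets a flag and forwards to the login page), as an added example that is not code from the thread: a servlet registered as the form-error-page that sets the loginFailedMessage attribute lightbulb432 asked about and forwards to the login page. The /login-error mapping and the /login.jsp path are assumptions.

```java
package example.web; // hypothetical package name

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Assumed to be mapped to /login-error and configured as the
 * <form-error-page> in web.xml. Tomcat hands a failed j_security_check
 * submission to this page; it sets the message and forwards to login.jsp,
 * so the login page can render ${loginFailedMessage} when it is present
 * and show a plain form on a normal GET.
 */
public class LoginErrorServlet extends HttpServlet {

    private static final String LOGIN_PAGE = "/login.jsp"; // assumed path

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        showLoginWithError(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        showLoginWithError(req, resp);
    }

    private void showLoginWithError(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A request attribute is server-side state for this request only. Unlike
        // a ?failed=true query parameter, it cannot be set by crafting a link, so
        // the login page cannot be made to display a misleading message.
        req.setAttribute("loginFailedMessage", "Login failed");
        // Keep the failure page out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        req.getRequestDispatcher(LOGIN_PAGE).forward(req, resp);
    }
}
```

Because the forward keeps the same request, login.jsp sees the attribute directly; it should still HTML-escape the value (for example with JSTL's c:out) rather than printing it raw.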



Re: Authentication and authorization questions

Posted by lightbulb432 <ve...@hotmail.com>.
Great response. Follow-up questions below:


Christopher Schultz-2 wrote:
>> When you login using form-based authentication, where invalid login
>> attempts
>> redirect to the "form-error-page", how do you add a custom message to
>> that
>> page saying "Login Failed"? I ask because common practice is to send the
>> user to the same login page rather than a different page.
> 
> You can do whatever you want, since you get to control the pages for
> login and login-error.

But if the login and login-error pages are the same page (meaning that when
someone fails an access check they get redirected to the login-error page,
which is actually the login page where they must re-enter their credentials)
how could you put information into the request or session scope to be
accessed by the page?

In my login/login-error page, I could have a ${loginFailedMessage} printed
in bold, red text, but where would I set this text in the first place for a
generic message like "Login failed"? The loginFailedMessage variable
wouldn't be set when the login page is accessed through a GET, but would be
when forwarded/redirected to by Tomcat upon login failure. 

In fact, how could I add all sorts of state to the request so that the
message could read "Login failed for page ${failedPageName}" or some other
parameterized text?


> In fact, I don't much care for the TC implementation of the whole
> authentication thing anyway, so I have opted to dump it and use
> securityfilter instead. Primarily, it allows me to do direct logins
> (submit to j_security_check even when no protected resource has been
> requested), and I can write my own authenticator that isn't tied to
> Tomcat's implementation in any way. That allows me to switch TC versions
> or to another vendor entirely without changing a single thing in my
> implementation. But that's just me.

I agree completely. I've been having a lot of problems with Tomcat
authentication and authorization, and would like to use a custom solution.
The only thing that deters me, and which applies to securityfilter as well,
is the lack of SSO across contexts. Although I don't see an immediate need
for SSO across contexts, I wouldn't want to have to rewrite an entire
security architecture if the need arises. (And it may well arise if you
decide to split up a large website's modules into different contexts.)

The securityfilter project says they're looking into SSO, but the project
looks inactive enough that I'm not going to hold my breath. I tried looking
for other Java servlet security products or projects, but nothing really
came up.

Any thoughts on this all?
-- 
View this message in context: http://www.nabble.com/Authentication-and-authorization-questions-tf4345698.html#a12398683
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Authentication and authorization questions

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Lb,

lightbulb432 wrote:
> Where does Tomcat authentication fit into the request processing lifecycle?
> Does it happen before even the very first filter gets called?

Yes. It's implemented as a Valve that runs before any of your code gets
a chance to run.

> What happens just before and just after authentication?

??

When a request comes in, Tomcat checks to see if the resource is
protected (by a <security-constraint> in web.xml). If it is, Tomcat
checks to see if there's a Principal associated with the request
(session, I'm guessing).

If there's no Principal, the current request is saved and the user is
redirected to the <form-login-page>. The login page should submit to
j_security_check with the j_username and j_password request parameters.
Once the user is authenticated, Tomcat attempts to re-run the saved
request, and the process starts over again.

If there /is/ a Principal, it checks to see if any of the required role
names for the resource are held by the Principal. If none of the roles
match, you get a 403 error. If there is a role match, the request
continues normally.

> Where does the role-based authorization fit into this process?

See above.

> When you login using form-based authentication, where invalid login attempts
> redirect to the "form-error-page", how do you add a custom message to that
> page saying "Login Failed"? I ask because common practice is to send the
> user to the same login page rather than a different page.

You can do whatever you want, since you get to control the pages for
login and login-error.

> Is it configuration whether Tomcat uses redirects or forwards after
> successful or unsuccessful attempts? What's the default for both?

There is no configuration for this. Some versions forward, others do
not. There is no default because it's not in the specification.

> How can you use JDBCRealm or DataSourceRealm with [numeric] foreign keys from roles
> table to user table, rather than requiring the roles table to duplicate
> whatever field (e.g. username, email address) will actually be entered into
> the login screen?

You can't. You'd have to write your own Realm implementation.

> I ask because using simple text-matching rather than using
> the primary key of the user table seems a bit inefficient

Are you sure about that? You might want to do a performance test on your
database. You're likely to find that string matching is /very/ fast,
especially if you have the columns indexed (and you really should).

> but more
> importantly it may be disallowed from data standards in some organizations.

I think the most important thing is data duplication. Why should I have
to put the user's username into the user_role table multiple times? It
seems silly, but honestly, it's the simplest thing that could possibly
work, which is exactly what the TC devs should have done.

If you don't like the implementation, write your own.

In fact, I don't much care for the TC implementation of the whole
authentication thing anyway, so I have opted to dump it and use
securityfilter instead. Primarily, it allows me to do direct logins
(submit to j_security_check even when no protected resource has been
requested), and I can write my own authenticator that isn't tied to
Tomcat's implementation in any way. That allows me to switch TC versions
or to another vendor entirely without changing a single thing in my
implementation. But that's just me.

- -chris
