JSP – Security

JavaServer Pages and servlets make several mechanisms available to web developers for securing applications. Resources are protected declaratively by identifying them in the application deployment descriptor (web.xml) and assigning a role to them.

JSP Security

Several levels of authentication are available, ranging from basic authentication using identifiers and passwords to sophisticated authentication using certificates.

Role Based Authentication:

The authentication mechanism in the servlet specification uses a technique called role-based security. The idea is that rather than restricting resources at the user level, you create roles and restrict the resources by role.

You can define the different roles in the file tomcat-users.xml, which is located in the conf directory under Tomcat's home directory.

An example of this file is shown here:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="administrator"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="administrator" password="secret" roles="administrator,manager"/>
</tomcat-users>

The above XML defines a simple mapping between user name, password and roles. Note that a given user may have multiple roles; for example, the user with username="both" is in both the "tomcat" role and the "role1" role. The passwords in this file are stored in plain text, so on a real server keep the conf directory readable only by the account Tomcat runs as, and on Tomcat 8 and later configure a CredentialHandler on the Realm so that hashed passwords can be stored instead. Once you have identified and defined the different roles, role-based security restrictions can be placed on different Web Application resources by using the <security-constraint> element in the web.xml file in the WEB-INF directory.

Here is a sample entry in web.xml:

<web-app>
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
               SecuredBookSite
            </web-resource-name>
            <url-pattern>/secured/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>
            Let only managers use this application
            </description>
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>manager</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
...
</web-app>

The above entries mean:

  • Any HTTP GET or POST request to a URL matched by /secured/* is subject to the security restriction.
  • A user with the manager role is given access to the secured resources.
  • Finally, the login-config element is used to describe the BASIC form of authentication.

Thus, if you try browsing to any URL under the /secured directory, the browser displays a dialog box asking for user name and password. Only if you provide the user "administrator" with the password "secret" will you get access to the URLs matched by /secured/*, because above we configured the user administrator with the manager role, which is the role permitted to access this resource. Two caveats apply to this configuration. First, BASIC authentication sends the user name and password base64-encoded (not encrypted) with every request, so the constraint should also carry a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>, which makes the container redirect the request to HTTPS. Second, listing <http-method> elements narrows the constraint to exactly those methods: a HEAD, PUT, DELETE, OPTIONS or arbitrary-verb request to /secured/* is not covered and reaches the resource without any authentication. Either omit the <http-method> elements so the constraint applies to every method, or, on a Servlet 3.1 container (Tomcat 8 and later), add <deny-uncovered-http-methods/> to web.xml so that uncovered methods are rejected outright.
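The following is an added example, not part of the original tutorial and not Tomcat's source: a small Python model of how a Servlet container evaluates the roles from tomcat-users.xml against the <security-constraint> above (and, identically, against the FORM-based configuration later on this page, whose constraint is the same). It embeds constructed copies of the two files, implements the url-pattern and http-method matching rules from the Servlet specification, and shows that with only GET and POST listed an anonymous HEAD, PUT, DELETE or arbitrary-verb request to /secured/* is not covered at all, while the same request is refused once <deny-uncovered-http-methods/> (Servlet 3.1, Tomcat 8 and later) is present. The paths, the verb JEFF and the user "nobody" are illustrative assumptions.

```python
"""Model of how a Servlet container applies <security-constraint> rules.

Added example, not Tomcat's code and not part of the original tutorial. It
re-implements the Servlet specification's matching rules (exact, path-prefix
"/x/*" and extension "*.ext" url-patterns, per-method coverage, role check)
just closely enough to show why listing only GET and POST leaves every other
HTTP method unprotected, and what <deny-uncovered-http-methods/> changes.
"""
import xml.etree.ElementTree as ET

# Constructed sample with the same users and roles as the tutorial's tomcat-users.xml.
TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="administrator"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="administrator" password="secret" roles="administrator,manager"/>
</tomcat-users>"""

# Constructed sample: the tutorial's constraint, which names only GET and POST.
WEB_XML_WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecuredBookSite</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened variant (Servlet 3.1+): methods the constraint does not list are refused.
WEB_XML_HARDENED = WEB_XML_WEAK.replace(
    "<security-constraint>", "<deny-uncovered-http-methods/>\n  <security-constraint>", 1)


def load_users(xml_text):
    """Return {username: (password, set_of_roles)} from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): (u.get("password"),
                                {r for r in u.get("roles", "").split(",") if r})
            for u in root.iter("user")}


def url_matches(pattern, path):
    """Servlet url-pattern semantics: path prefix ("/secured/*"), extension ("*.jsp") or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def load_constraints(xml_text):
    """Return (deny_uncovered, [(url_patterns, http_methods, role_names), ...])."""
    root = ET.fromstring(xml_text)
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    constraints = []
    for sc in root.iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
        methods = {m.text.strip().upper() for m in wrc.iter("http-method")}  # empty = all methods
        roles = {r.text.strip() for r in sc.iter("role-name")}
        constraints.append((patterns, methods, roles))
    return deny_uncovered, constraints


def authorize(web_xml, users, method, path, username=None):
    """Decide one request the way the container does.

    Returns "UNAUTHENTICATED" (container would challenge: 401 or the login form),
    "DENY" (403) or "ALLOW". A request is *covered* only when some constraint
    matches both its path and its method; an uncovered request is simply served.
    """
    deny_uncovered, constraints = load_constraints(web_xml)
    method = method.upper()
    path_matched_other_method = False
    for patterns, methods, roles in constraints:
        if not any(url_matches(p, path) for p in patterns):
            continue
        if methods and method not in methods:
            path_matched_other_method = True      # path is protected, but not for this verb
            continue
        if username is None:
            return "UNAUTHENTICATED"
        _, user_roles = users.get(username, (None, set()))
        return "ALLOW" if roles & user_roles else "DENY"
    if path_matched_other_method and deny_uncovered:
        return "DENY"                             # deny-uncovered-http-methods in effect
    return "ALLOW"                                # nothing constrains this request


if __name__ == "__main__":
    users = load_users(TOMCAT_USERS)
    for verb in ("GET", "POST", "HEAD", "PUT", "DELETE", "JEFF"):   # JEFF: arbitrary verb
        weak = authorize(WEB_XML_WEAK, users, verb, "/secured/report.jsp")
        hard = authorize(WEB_XML_HARDENED, users, verb, "/secured/report.jsp")
        print(f"anonymous {verb:<6} /secured/report.jsp  weak={weak:<15} hardened={hard}")
    print("administrator GET:", authorize(WEB_XML_WEAK, users, "GET", "/secured/report.jsp", "administrator"))
    print("both GET:", authorize(WEB_XML_WEAK, users, "GET", "/secured/report.jsp", "both"))
```

Whether an uncovered verb actually yields anything depends on the servlet behind the URL; HttpServlet answers HEAD through doGet, for instance, so the check is worth running against every constraint that lists <http-method> elements. Running the file prints the table of decisions for the weak and hardened descriptors side by side.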

FORM Based Authentication:

When you use the FORM authentication method, you must supply a login form to prompt the user for a username and password. Following is a simple login.jsp that creates such a form:

<html>
<body bgcolor="#eeeeee">
   <form method="POST" action="j_security_check">
      <table border="0">
         <tr>
            <td>Login</td>
            <td><input type="text" name="j_username"></td>
         </tr>
         <tr>
            <td>Password</td>
            <td><input type="password" name="j_password"></td>
         </tr>
      </table>
      <input type="submit" value="Login!">
   </form>
</body>
</html>

Note that the login form must contain form fields named j_username and j_password, the action in the <form> tag must be j_security_check, and POST must be used as the form method. At the same time you need to modify the <login-config> tag to specify the auth-method as FORM:

<web-app>
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
               SecuredBookSite
            </web-resource-name>
            <url-pattern>/secured/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>
            Let only managers use this app
            </description>
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
               <role-name>manager</role-name>
    </security-role>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
...
</web-app>

Now when you try to access any resource under /secured/*, the container displays the form above asking for user ID and password. When the container sees the j_security_check action, it authenticates the caller against its configured realm (with the tomcat-users.xml file above, that is Tomcat's UserDatabaseRealm from server.xml). A failed login is forwarded to the form-error-page, here /error.jsp.

When the login succeeds and the caller is authorized to access the secured resource, the container uses a session id to identify the login session for the caller from then on. The container maintains the login session with a cookie containing the session id (JSESSIONID in Tomcat). The server sends the cookie to the client, and as long as the caller presents this cookie on subsequent requests, the container knows who the caller is. That cookie has therefore become the credential: the form posts the password and every later request carries the session id in clear text unless the application is served over HTTPS, so the same <transport-guarantee>CONFIDENTIAL</transport-guarantee> advice as for BASIC applies. Tomcat issues a fresh session id at the moment of login (its changeSessionIdOnAuthentication setting, on by default) so that a session id an attacker planted before authentication cannot be reused afterwards.