
Authentication

Learn about the two ways to implement authentication in a Telosys web application: delegate it to the standard JavaEE web container (BASIC or FORM login through a security realm) or use the Telosys authentication filter with an application-specific login page. The slides cover the web.xml and telosys.properties configuration, the login form, how to plug in your own user validator, and how to retrieve the current user and log out.



  1. Authentication. Laurent Guérin / V 1.0 / May 2008 (for Telosys 0.9.9 and later)

  2. Telosys authentication: the 2 ways
  • Standard JavaEE Web Container authentication: let the server authenticate the user. The authentication mechanism can be shared between different applications deployed on the same server.
  • Application-specific authentication: each application can implement its own authentication system based on the Telosys authentication filter.
  Telosys Authentication ( Laurent Guérin / ver 1.0 )

  3. Standard JavaEE authentication

  4. Standard JavaEE authentication
  • Each Telosys application, as a standard Web App, can delegate authentication to the JavaEE Web Container (Tomcat, Weblogic, Websphere, ...).
  • In this case, just use the classical "security realm" mechanism:
    • Configure your application server (the realm that holds users, passwords and roles)
    • Choose an authentication scheme to protect the application resources: BASIC, FORM, DIGEST or CLIENT-CERT
    • Configure your application via the "web.xml" file

  5. BASIC and FORM authentication
  • web.xml example. The security constraint is the same for both schemes; a web.xml holds a single <login-config>, so pick one of the two shown below.

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>My application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>User must have 'myrole' role</description>
    <role-name>myrole</role-name>
  </auth-constraint>
</security-constraint>
```

  BASIC authentication:

```xml
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>my realm name</realm-name>
</login-config>
```

  FORM authentication:

```xml
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>my realm name</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login_error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

  6. BASIC authentication
  • Browser dialog box: no specific form needed
  • Login/password are only base64 encoded in the Authorization header (no encryption): anyone who can read the traffic decodes them instantly
  • Login/password are sent with every request, so every request is an opportunity to capture them (use HTTPS)
  • No logout mechanism: the browser keeps resending the credentials until it is closed

  7. FORM authentication
  • Authentication FORM example (can be used in a ".jsp" or ".html" page). The action "j_security_check" and the parameter names "j_username" / "j_password" are fixed by the Servlet specification:

```html
<form method="POST" action="j_security_check">
  <table align="center">
    <tr>
      <td>Login :</td>
      <td><input type="text" maxlength="20" size="20" name="j_username"/></td>
    </tr>
    <tr>
      <td>Password :</td>
      <td><input type="password" maxlength="20" size="20" name="j_password"/></td>
    </tr>
    <tr>
      <td><input type="submit" value="Submit"></td>
      <td><input type="reset" value="Reset"></td>
    </tr>
  </table>
</form>
```

  8. FORM authentication
  • Login/password are sent as POST request parameters (j_username / j_password)
  • Sent without encryption unless the connection is HTTPS: enforce it by adding a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the security constraint
  • Based on the HTTP session: after a successful login the session ID identifies the user, so the session cookie must be protected as carefully as the password itself
  • Login/password are not sent in each request
  • Logout by "session.invalidate()"

  9. Telosys authentication

  10. Telosys authentication
  • Check that the "authentication filter" is defined in the "web.xml"
  • The "authentication filter" manages 2 kinds of authentication (see 'telosys.properties'):
    • BASIC browser dialog box authentication (if the LoginPage property is NOT defined)
    • Specific LOGIN PAGE authentication (if the LoginPage property is defined)

```xml
<filter>
  <filter-name>AuthFilter</filter-name>
  <filter-class>org.objectweb.telosys.auth.AuthFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>AuthFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

  11. telosys.properties: common properties

```properties
LoginMaxTries=5
FirstPage=/welcome.jsp
AuthenticationRequired=false
LoginErrorPage=/login_error.jsp
NoAuthPage1=/page_aaa.jsp
NoAuthPage2=/other_page
...
NoAuthPageN=xxxxx
```

  • LoginMaxTries: the maximum number of login attempts (default: 3)
  • FirstPage: the default page to go to after a successful user authentication
  • AuthenticationRequired: if true, an authentication is required to open a Telosys "ScreenSession"
  • LoginErrorPage: the page to use when the authentication fails (after n tries)
  • NoAuthPage1 ... NoAuthPageN: list of pages accessible without authentication, numbered from 1 to N

  12. telosys.properties: properties for BASIC authentication

```properties
RealmName = Application name
```

  • RealmName: the realm name to print in the browser dialog box (if not set, the context name is used)

  Properties for Login Page authentication:

```properties
LoginPage=/login.jsp
LoginAction=/login_submit
```

  • LoginPage: the JSP or HTML page to use for login (if not set, BASIC authentication is used)
  • LoginAction: the URI the login page submits the request to (default: "/login_action")

  13. Login JSP
  • "form" example. The form action must be the URI configured by the LoginAction property (here the default "/login_action"), and the parameter names are fixed:
    • user_login
    • user_password

```html
<form method="POST" action="<%= request.getContextPath() %>/login_action">
  <table align="center">
    <tr>
      <td>Login :</td>
      <td><input type="text" name="user_login"/></td>
    </tr>
    <tr>
      <td>Password :</td>
      <td><input type="password" name="user_password"/></td>
    </tr>
    <tr>
      <td><input type="submit" value="Submit"></td>
      <td><input type="reset" value="Reset"></td>
    </tr>
  </table>
</form>
```

  14. Implement your own authentication
  • Create a Java class that implements the "IUserValidator" interface (this is where the submitted login/password are checked against your user store).
  • Create a Java class that implements the "IAppUser" interface.
  • Update the "IExternalMainFactory" implementation: the getUserValidator method must return your implementation of "IUserValidator".
  • Implementation examples are provided in the StarterKit:
    • User.java
    • UserValidator.java
    • MainFactory.java

  15. Remove Telosys authentication
  • To remove Telosys authentication:
    • Remove the "filter mapping" of the "Telosys authentication filter" in the "web.xml"
    • Set "AuthenticationRequired" to "false" in the "telosys.properties" (so that anyone can open a ScreenSession)

  16. Current user & logout

  17. Telosys current user
  • The current user is stored in 2 instances located in the ScreenSession:
    • LoginUser instance: the "technical login"
    • IAppUser instance: the "application user"
  • The "application user" must implement the "IAppUser" interface and can provide any other information about the user
  • How to retrieve the current application user:

```java
LoginUser loginUser = screenSession.getLoginUser();
String s = loginUser.getLogin();

IAppUser appUser = screenSession.getAppUser();
s = appUser.getFirstPage();
s = appUser.getLanguage();
s = appUser.getRole();
```

  18. How to logout
  • The simplest way to logout is to create a simple Service that closes the current session
  • Example:

```java
public class Logout extends StandardScreenService {

    public View execute(ScreenSession screenSession, ServiceRequest serviceRequest,
                        ServiceResponse serviceResponse) throws TelosysException {
        // Keep a reference first: the HTTP session is what actually holds the login state
        HttpSession httpSession = screenSession.getHttpSession();
        // Close the Telosys ScreenSession (LoginUser / IAppUser instances go with it)
        screenSession.close();
        // Invalidate the HTTP session so the session ID can no longer be reused
        httpSession.invalidate();
        return null; // for AJAX call
    }
}
```

  19. THE END
