
Session Handling


Presentation Transcript


  1. Session Handling Authentication and Security Joshua Scotton

  2. Overview • Sessions • Login and Authentication

  3. Sessions Tracking the User

  4. Tracking the User
     • Cookies
       • Store a unique identifier in a cookie for the website
     • URL Rewriting
       • Append a unique identifier to the end of each URL
     • Hidden Form Fields
       • <INPUT TYPE="HIDDEN" NAME="session" VALUE="...">

  5. Benefits
     • Customization
       • Adaptive Content
       • Adaptable Content
     • Security
       • Restrict areas of the site based on user
       • User login tracked using session
     • User Behaviour
       • Track page accesses
     • User Information
       • Store user settings and information

  6. javax.servlet.http.HttpSession
     • getAttribute(), getAttributeNames(), setAttribute(), removeAttribute()
       • These methods are used to set, get and remove objects from a user session
     • getId()
       • Every session created by the server has a unique 'id' associated with it in order to distinguish this session from other sessions.
     • getCreationTime()
       • Simply returns a long value indicating the date and time this session was created.
     • getLastAccessedTime()
       • Returns a long value indicating the last time the user accessed any resource on this server.
     • getMaxInactiveInterval(), setMaxInactiveInterval()
       • Return and set the maximum inactive interval in seconds for this session respectively.
     • isNew()
       • Returns a boolean value indicating if the session is new.
     • invalidate()
       • Simply invalidates a session. Can be used for logout.

  7. Sessions in Java • Most Java servers will use cookies if the browser supports them, but automatically revert to URL-rewriting when cookies are unsupported or explicitly disabled.
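The following servlet is an added example (not part of the slides) that puts slides 6 and 7 together: it creates the session, sets the inactivity timeout with the HttpSession methods listed above, and uses the HttpServletRequest/HttpServletResponse calls that reveal whether the container tracked this user with a cookie or fell back to URL rewriting. The class name, the 15-minute timeout and the /next.jsp link are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: reports which tracking mechanism the container used for this
// request and applies an inactivity timeout. Class name and values are assumed.
public class TrackingInfoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(true) creates a session if none exists; the container
        // decides whether to track it with a cookie or by URL rewriting.
        HttpSession session = request.getSession(true);

        // Expire the session after 15 minutes without a request (seconds).
        session.setMaxInactiveInterval(15 * 60);

        // The client presented an id, but it no longer maps to a live session
        // (expired, invalidated by logout, or never issued by this server).
        boolean staleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // encodeURL() appends ;jsessionid=... only when the container has
        // fallen back to URL rewriting; with cookies the path comes back as-is.
        String nextLink = response.encodeURL(request.getContextPath() + "/next.jsp");

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("session new:        " + session.isNew());
        out.println("id from cookie:     " + request.isRequestedSessionIdFromCookie());
        out.println("id from URL:        " + request.isRequestedSessionIdFromURL());
        out.println("requested id stale: " + staleId);
        out.println("created:            " + new Date(session.getCreationTime()));
        out.println("last accessed:      " + new Date(session.getLastAccessedTime()));
        out.println("next link:          " + nextLink);
        // The session id itself is deliberately not written to the page: it is
        // the user's credential, and anything that can read the page could reuse it.
    }
}
```

Because a session id in a URL ends up in browser history, proxy logs and Referer headers, it is worth knowing when the URL-rewriting fallback is active; on a Servlet 3.0 container the cookie can additionally be marked HttpOnly and Secure through `<cookie-config>` under `<session-config>` in web.xml.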

  8. Counter Example • Sessions can be accessed and managed by both Servlets and JSPs. • This can happen in combination as in the following demo.

  9. CounterBean

     import java.io.Serializable;

     // Session-scoped bean; Serializable so the container can persist the session
     public class CounterBean implements Serializable {
         private Integer count;

         public CounterBean() {
             super();
             this.count = 0;
         }

         public Integer getCount() {
             return this.count;
         }

         public void setCount(Integer count) {
             this.count = count;
         }

         public void incrementCount() {
             this.count++;
         }
     }

  10. UpdateCounter.jsp

     <jsp:useBean id="counter" class="webdev.examples.sessions.CounterBean" scope="session"/>
     <p> The counter was: <%= counter.getCount() %> </p>
     <% counter.incrementCount(); %>
     <p> The counter is now: <%= counter.getCount() %> </p>

  11. UpdateCounterServlet

     PrintWriter out = response.getWriter();
     HttpSession session = request.getSession(true);
     // Look the bean up by name rather than relying on isNew(): a session that
     // was created elsewhere (e.g. by a JSP) is not new but still has no counter,
     // and the original isNew() check would then dereference null.
     CounterBean counter = (CounterBean) session.getAttribute("counter");
     if (counter == null) {
         counter = new CounterBean();
         session.setAttribute("counter", counter);
     }
     counter.incrementCount();
     out.println("Counter now: " + counter.getCount());
     out.close();

  12. Login and Authentication Allowing Persistent Storage

  13. JSP and Servlet Authentication
     • A user accesses a protected page
     • If the user is authenticated and has permission to access the page, then the resource is made available. Otherwise a login page is shown
     • If the name and password cannot be authenticated, then an error is shown

  14. Security Setup • User/Group Database • Access Control List (ACL) • Login Page

  15. Principals and Roles
     • A Principal is a named entity, commonly representing an individual or corporation.
     • Principals can fill one or more Roles.
     • Resources can be protected by associating them with Roles.
     • Principals and Roles are similar to Users and Groups in Linux.

  16. /WEB-INF/web.xml: the ACL of Java

     <web-app>
       ...
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Protected Page</web-resource-name>
           <url-pattern>/secretPage.jsp</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <role-name>employee</role-name>
         </auth-constraint>
       </security-constraint>
       <security-role>
         <role-name>employee</role-name>
       </security-role>
     </web-app>

  17. /WEB-INF/web.xml
     • <url-pattern>/members/*</url-pattern>
     • More than one url-pattern can appear in the web-resource-collection

  18. HttpServletRequest Security Methods
     • Principal getUserPrincipal()
       • Returns a reference to a java.security.Principal
     • boolean isUserInRole(String)
       • Determines whether a user is in a role, specified by the string argument
     • String getRemoteUser()
       • Returns the username that was used for login

  19. ServletRequest Security Methods
     • String getAuthType()
       • Returns the authentication type: BASIC, SSL, or null
     • boolean isSecure()
       • Returns true if the connection is HTTPS
     • String getScheme()
       • Scheme represents the transport mechanism: http, https...
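An added example (not from the slides) showing how the request methods of slides 18 and 19 are used for programmatic checks on top of the declarative `<security-constraint>`: transport, then authentication, then role-based authorization, each failing closed with the matching HTTP status. The servlet name and the `payroll-admin` role are assumptions; the role must exist in the realm and be declared with `<security-role>` in web.xml for `isUserInRole` to return true.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: programmatic security checks. Servlet and role name are assumed.
public class PayrollServlet extends HttpServlet {

    // Hypothetical role name; nothing in the slides defines it.
    private static final String REQUIRED_ROLE = "payroll-admin";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Transport: never serve this page over plain HTTP, send the browser
        //    to the HTTPS equivalent of the same path instead.
        if (!request.isSecure()) {
            String httpsUrl = "https://" + request.getServerName() + request.getRequestURI();
            response.sendRedirect(httpsUrl);
            return;
        }

        // 2. Authentication: a null principal means the container did not
        //    authenticate this request (no constraint matched, or login failed).
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 3. Authorization: role membership is decided by the realm, not by
        //    anything the client sent.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().println("Hello " + request.getRemoteUser()
                + " (principal: " + user.getName()
                + ", auth type: " + request.getAuthType() + ")");
    }
}
```

The declarative constraint in web.xml remains the primary control; the in-code checks matter for servlets mapped to several URL patterns, or when a single page must behave differently for different roles.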

  20. Authentication Types • Basic authentication • Form-based authentication • Digest authentication • SSL and client certificate authentication

  21. Authentication Type in /WEB-INF/web.xml

     <web-app>
       ...
       <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>Basic Authentication Example</realm-name>
       </login-config>
       ...
     </web-app>

  22. Realms • A realm is a database of usernames and passwords • It also contains a list of roles associated with each user • Realms are specific to the server being used

  23. Tomcat Realms
     • JDBCRealm - Accesses authentication information stored in a relational database, accessed via a JDBC driver.
     • DataSourceRealm - Accesses authentication information stored in a relational database, accessed via a named JNDI JDBC DataSource.
     • JNDIRealm - Accesses authentication information stored in an LDAP based directory server, accessed via a JNDI provider.
     • UserDatabaseRealm - Accesses authentication information stored in a UserDatabase JNDI resource, which is typically backed by an XML document (conf/tomcat-users.xml).
     • MemoryRealm - Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (conf/tomcat-users.xml).
     • JAASRealm - Accesses authentication information through the Java Authentication & Authorization Service (JAAS) framework.

  24. Configuring a Realm
     • <Realm className="... class name for this implementation" ... other attributes for this implementation .../>
     • Server-wide - conf/server.xml
     • Per Webapp - META-INF/context.xml

  25. In-Memory Realm: context.xml

     <?xml version="1.0" encoding="UTF-8"?>
     <Context>
       <Realm className="org.apache.catalina.realm.MemoryRealm" />
     </Context>

  26. Default Tomcat User List
     • $TOMCAT_HOME/conf/tomcat-users.xml

     <tomcat-users>
       <role rolename="tomcat"/>
       <role rolename="role1"/>
       <user username="tomcat" password="tomcat" roles="tomcat"/>
       <user username="both" password="tomcat" roles="tomcat,role1"/>
       <user username="role1" password="tomcat" roles="role1"/>
     </tomcat-users>

  27. Example – members.jsp • members.jsp • web.xml • context.xml

  28. Example - logout.jsp

     <p>User '<%= request.getRemoteUser() %>' has been logged out.</p>
     <% session.invalidate(); %>

  29. Form-based Authentication
     • The login form associated with the security constraint is sent to the client, and the URL path triggering the authentication is stored by the container.
     • The user is asked to fill out the form, including the username and password fields.
     • The client posts the form back to the server.
     • The container attempts to authenticate the user using the information from the form.
     • If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200.
     • If authentication succeeds, the authenticated user's principal is checked to see if it is in an authorized role for accessing the resource.
     • If the user is authorized, the client is redirected to the resource using the stored URL path.

  30. Form-based Authentication
     • Create a custom login page with the following form fields:
       • j_username - the name of the username field
       • j_password - the name of the password field
       • j_security_check - the login form's action

     <form method='post' action='j_security_check'>
       <input type='text' name='j_username'>
       <input type='password' name='j_password'>
       <input type='submit' value='Login'>
     </form>

  31. Form-based Auth in web.xml

     <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
         <form-login-page>/login.jsp</form-login-page>
         <form-error-page>/error.jsp</form-error-page>
       </form-login-config>
     </login-config>
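An added example, not part of the slides, that performs the slide 29 flow in application code rather than through `j_security_check`: it authenticates the posted `j_username`/`j_password` against the configured realm with the Servlet 3.0 `HttpServletRequest.login()` call, and issues a fresh session id before the login so that an id a third party might have planted in the browser never becomes an authenticated one. The servlet name, the 30-minute timeout and the `/members.jsp` landing page are assumptions; `/error.jsp` is the error page from the slide above.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: form login with session-id rotation. Names and paths are assumed.
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Rotate the session id BEFORE authenticating: the container caches the
        // authenticated principal in the session that exists at login time, so
        // the new id is the one that becomes privileged, not the pre-login one.
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name)); // e.g. a shopping cart
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setMaxInactiveInterval(30 * 60);

        try {
            // The realm (MemoryRealm, JDBCRealm, ...) validates the credentials.
            request.login(username, password);
        } catch (ServletException e) {
            // Same response for unknown user and wrong password: the error page
            // must not reveal which one it was.
            response.sendRedirect(request.getContextPath() + "/error.jsp");
            return;
        }

        response.sendRedirect(request.getContextPath() + "/members.jsp");
    }
}
```

On a Servlet 3.1 container the copy-and-invalidate dance can be replaced by `request.changeSessionId()`, which keeps the attributes and only replaces the id; `request.logout()` is the programmatic counterpart of the `session.invalidate()` shown in logout.jsp.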

  32. Form Based Login Example

  33. Storing Authentication Details in a Database
     • Use a JDBC Database Realm
     • Create a table of usernames and passwords
     • Create a table of usernames and roles
     • The column name for the username must be the same in both tables

  34. org.apache.catalina.realm.JDBCRealm
     • Attributes of the <Realm> element:
       • connectionName
       • connectionPassword
       • connectionURL
       • driverName
       • roleNameCol
       • userCredCol
       • userNameCol
       • userRoleTable
       • userTable
     • http://tomcat.apache.org/tomcat-3.3-doc/JDBCRealm-howto.html