
User authentication and security roles (Web Programming slides)


Outline

  • Server-side Web Programming

  • Restricting Access to Web Resources

  • Security Roles and Resources

  • Security Roles and Users

  • User Identification

  • Defining Roles in Tomcat

  • Slide 7

  • Slide 8

  • Defining User Roles in Tomcat

  • User Roles in tomcat-users.xml

  • Defining User Roles in a Database

  • Slide 12

  • Types of Authentication

  • BASIC Authentication

  • FORM Authentication

  • Slide 16

  • Slide 17

Content

Server-side Web Programming
Lecture 18: User Authentication and Security Roles

Restricting Access to Web Resources
  • May only want some users to be able to access certain pages
  • Example: Course web site
    – Resources: Course Syllabus, View Current Grade, Take Online Quiz, Set Grades, Create Online Quiz
    – Users: Anyone, Students registered for course, Instructor

Security Roles and Resources
  • Define what types of users have access to what types of resources
    – Note that roles may overlap
    – Some roles may have access to multiple resources
  • Diagram: resources (View inventory, Add to inventory, Change prices in inventory, View salaries, Change salaries) linked to roles (Inventory Role, HR Role, Manager Role)

Security Roles and Users
  • Users have roles
    – Controls what resources an individual user has access to
    – A user may have multiple roles

    User      Role(s)
    Homer     Inventory
    Marge     HR
    Smithers  Inventory, HR
    Burns     Manager

User Identification
  • Password-based in Tomcat
    – Not most secure method!
  • Diagram: exchange with Tomcat
    – Request for resource
    – Response prompts for username and password
    – Request contains username, password
    – Resource sent as response if correct
    – Error page sent as response if incorrect

Defining Roles in Tomcat
  • In web.xml file of application
    – First define roles

Defining Roles in Tomcat
  • Define resources those roles have access to
    – Simplest method: Create subdirectory off of main application directory
      • Files in here only accessible by employee role
      • Files in here only accessible by manager role
    – Use a url pattern of the form /subdirectory/* to define secure areas
      • /employee/*
      • /manager/*

Defining Roles in Tomcat
  • tag
    – tag defines what directories are restricted
    – tag defines which roles have access
  • Files in this subdirectory may only be accessed by users in these roles

Defining User Roles in Tomcat
  • For each user:
    – Username and password
    – Role(s) they assume
  • Where can they be stored?
    – tomcat-users.xml file in conf directory
      • Simple to implement
      • Difficult to manage if have thousands of users in dozens of roles
    – Separate database

User Roles in tomcat-users.xml
  • In tomcat-users.xml file:
    – Define roles with tag
    – Define users with tag
      • Username, password, and roles defined
      • Roles can be list

Defining User Roles in a Database
  • Must provide information about database in context.xml
    – Subdirectory of META-INF in application directory
    – Add tag of form:
      • Driver name
      • Name and password to access database
      • Name of tables with passwords and roles
      • Field names: Password table uses userNameCol, userCredCol; Roles table uses userNameCol, roleNameCol

Defining User Roles in a Database
  • Form of database tables:

    Passwords
    Name   Password
    Burns  excellent
    Homer  donut

    Roles
    Name   Role
    Burns  manager
    Homer  employee

Types of Authentication
  • BASIC: Password prompt generated automatically
  • FORM: Can define own prompt and error pages

BASIC Authentication
  • Add tag to web.xml
    – Will continue to prompt as long as login incorrect

FORM Authentication
  • Must specify login page and error page

FORM Authentication
  • ACTION of login form must be j_security_check
  • Must use specific field names in login form
    – Name field must be j_username
    – Password field must be j_password

FORM Authentication ...
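
The web.xml settings these slides describe, written out as an added example that is not taken from the slides. The employee and manager roles and the /employee/* and /manager/* patterns come from the slides; /login.jsp, /loginError.jsp and the HTTPS requirement are assumptions added here.

```xml
<!-- Added example: these elements go inside the existing <web-app> element
     of WEB-INF/web.xml. Page names below are assumed, not from the slides. -->

<!-- Files under /employee/ may only be accessed by the employee role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Employee area</web-resource-name>
    <url-pattern>/employee/*</url-pattern>
    <!-- No <http-method> listed, so the constraint applies to every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>employee</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Added hardening (assumption): require HTTPS so the password
         is not sent over the network in the clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Files under /manager/ may only be accessed by the manager role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager area</web-resource-name>
    <url-pattern>/manager/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- FORM authentication: Tomcat shows the login page, then the error page
     if j_security_check rejects the j_username / j_password pair -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>   <!-- assumed name -->
    <form-error-page>/loginError.jsp</form-error-page> <!-- assumed name -->
  </form-login-config>
</login-config>

<!-- Every role named in an <auth-constraint> is declared here -->
<security-role><role-name>employee</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>
```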

Posted: 29/03/2021, 10:55
