Pace CS 396S - Adding Security to an Application


Adding Security to an Application

Some applications are used only by their developers, but others are made available to a number of clients. These people may be in the same company or somewhere on the Internet. For these applications it is often useful to have levels of access, or at least a login requiring a username and password.

There are several ways to handle this. The most complete is to develop a custom login and protect the connection with encryption, originally Secure Socket Layer (SSL) and today its successor TLS. Here usernames and passwords are kept in a secure database, with the passwords stored as salted hashes rather than in the clear, and they are sent only over the encrypted connection. This level of security is necessary for financial sites such as banks and brokerage houses.

Other sites require security only when final ordering information, including credit card numbers, is gathered. Up until that point, shoppers and other visitors are free to browse the site. Some sites also have registration and login requirements for visitors. These are also usually custom designed.

But a web application can also have levels of security so that, for example, managers have greater access to web pages than clerks. This can be built into the application using web.xml, the web application deployment descriptor. The Tomcat server can have roles assigned to different users so that a manager's role has greater access than a clerk's role.

tomcat-users.xml

The file tomcat-users.xml is contained in the conf folder of Apache Tomcat. It allows the administrator of the server to set up roles for clients.

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="store_clerk"/>
  <role rolename="store_manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat, role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="store_clerk" password="clerk" roles="store_clerk"/>
  <user username="Alice Lee" password="alee" roles="store_manager"/>
  <user username="Diana Chen" password="dchen" roles="store_clerk"/>
</tomcat-users>

The store_manager and store_clerk roles, and the users who hold them, have been added here; they were not in the original file. With this addition, the store manager and store clerk will have access to web pages that someone who is not a manager or clerk will not, provided they know their passwords. (The passwords shown here are clearly inadequate: they are short, guessable from the username, and stored in clear text. Tomcat can store digested passwords instead, and the sample tomcat, both and role1 accounts have no business on a production server.)

web.xml

For the manager to be recognized by the web application, several elements must be added to web.xml. They are added at the end, after the error-page elements.

<web-app>
…
<servlet>
  <servlet-name>org.apache.jsp.manager_jsp</servlet-name>
  <servlet-class>org.apache.jsp.manager_jsp</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>org.apache.jsp.manager_jsp</servlet-name>
  <url-pattern>/manage/*</url-pattern>
</servlet-mapping>
…
<error-page>
  <error-code>404</error-code>
  <location>/notfound.html</location>
</error-page>
<!-- The Security Constraint for this Application. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application Manager</web-resource-name>
    <url-pattern>/manage/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>store_manager</role-name>
    <role-name>store_clerk</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>store_manager</role-name>
</security-role>
<security-role>
  <role-name>store_clerk</role-name>
</security-role>
<!-- The Login Configuration for this Application -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>EStore Application Manager</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
</web-app>

The web-resource-collection names the URL patterns of the servlets or JSP files that will be constrained. Here there is only one, /manage/*, which the servlet-mapping above ties to the precompiled manager.jsp. The <auth-constraint> lists the roles that are allowed to reach those URLs; a client without one of them is refused. Two things to watch: the url-pattern must be written without spaces, exactly as it appears in the servlet-mapping, and because this collection lists only GET and POST, every other method (HEAD, PUT, DELETE and so on) is left unconstrained. Either omit the http-method elements so that all methods are covered, or add <deny-uncovered-http-methods/> (Servlet 3.1 and later) so that the omitted methods are rejected. Each role named in an auth-constraint must also be declared in a security-role element, as shown.

It makes sense to make the manager page a JSP file rather than an HTML file. Everything under the application's document root is served to the public except the WEB-INF and META-INF folders, so a plain manager.html could be fetched by anyone who guessed its name. A JSP, once precompiled into the servlet org.apache.jsp.manager_jsp and mapped to /manage/* as above, can be removed from the document root; the only route to it is then the constrained URL. Since any HTML file can also be saved as a JSP, this is a simple way of protecting the page from unauthorized viewers.

Something similar to the following code should be placed in the index file (application_name stands for the context path of the application).

<form method="post" action="../application_name/manage">
  <input type="submit" value="Manager Login" />
</form>

The servlet container supports several kinds of login configuration (BASIC, DIGEST, FORM and CLIENT-CERT); the one above is FORM, for a login form. The names used in the form are fixed by the servlet specification, not chosen by the application: the form's action must be j_security_check, the username field j_username, and the password field j_password. The container intercepts the POST to j_security_check, checks the credentials against the realm (here tomcat-users.xml), and on success redirects to the page the client originally asked for. Unless the connection is TLS, that POST carries the password in clear text.
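The tomcat-users.xml listing above keeps every password in clear text, so anyone who can read the conf folder owns every account. As an added example, not part of the original notes, the following shows the two store accounts with digested passwords instead. It assumes Tomcat 8.5 or later, whose UserDatabaseRealm accepts a nested CredentialHandler; the hash strings are placeholders standing in for the output of Tomcat's bin/digest.sh tool (its real output is hex salt, iteration count and hex hash separated by $), and the passwords they stand for are assumed.

```xml
<!-- conf/server.xml, inside <Engine>: replaces the default Realm block.
     The LockOutRealm wrapper (present in the stock server.xml) locks an
     account after repeated failures, which matters once a password is
     guessable; the CredentialHandler tells the realm how to verify the
     digested values stored in tomcat-users.xml. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000"
                       keyLength="256"
                       saltLength="16"/>
  </Realm>
</Realm>

<!-- conf/tomcat-users.xml: sample tomcat/both/role1 accounts dropped,
     passwords replaced by digests. Each password attribute below is a
     PLACEHOLDER for the value printed by, for example,
       bin/digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 \
         -h org.apache.catalina.realm.SecretKeyCredentialHandler 'assumed-passphrase'
     which prints "assumed-passphrase:<salt>$100000$<hash>"; only the part
     after the first colon is stored. The passphrases themselves are assumed. -->
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="store_clerk"/>
  <role rolename="store_manager"/>
  <user username="Alice Lee"
        password="SALT_HEX_PLACEHOLDER$100000$HASH_HEX_PLACEHOLDER"
        roles="store_manager"/>
  <user username="Diana Chen"
        password="SALT_HEX_PLACEHOLDER$100000$HASH_HEX_PLACEHOLDER"
        roles="store_clerk"/>
</tomcat-users>
```

The handler's algorithm, iterations, keyLength and saltLength must match the arguments given to digest.sh, otherwise every login fails. Digesting protects the stored copy; it does nothing for the password in transit, which is why the constraint in web.xml should also demand TLS.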
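The security-constraint above leaves three gaps a practitioner would close: it covers only GET and POST, it carries no transport guarantee so j_password travels in clear text over plain HTTP, and it grants store_manager and store_clerk identical access although the stated goal is to give the manager more. The following web.xml fragment is an added example, not the course's own descriptor. It assumes Servlet 3.1 or later (Tomcat 8 onward) for <deny-uncovered-http-methods/>, an HTTPS connector configured in server.xml with the HTTP connector's redirectPort pointing at it, and an assumed /manage/admin/* path for manager-only pages.

```xml
<!-- Hypothetical hardened replacement for the security-constraint and
     login-config shown above. The 3.1 schema is declared so that
     deny-uncovered-http-methods is accepted. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Pages every store employee may use. No http-method list, so every
       method is covered. CONFIDENTIAL makes Tomcat redirect a plain-HTTP
       request to the TLS connector before the login form is shown, so
       j_password is never sent in the clear. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Store staff pages</web-resource-name>
      <url-pattern>/manage/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>store_manager</role-name>
      <role-name>store_clerk</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Manager-only pages (assumed path). The longest matching pattern is
       the one applied, so a clerk who has logged in and then requests
       /manage/admin/anything is refused with 403. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager-only pages</web-resource-name>
      <url-pattern>/manage/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>store_manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The login and error pages themselves: no auth-constraint (anyone may
       see them), but TLS only, so a bookmark to http://.../login.jsp cannot
       deliver a form that posts the password over HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/error.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- If any constraint in this file does list http-method elements, the
       methods it omits are rejected instead of being left open. -->
  <deny-uncovered-http-methods/>

  <security-role><role-name>store_manager</role-name></security-role>
  <security-role><role-name>store_clerk</role-name></security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>EStore Application Manager</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

To check the result, log in as Diana Chen (store_clerk) and request a URL under /manage/admin/: the expected response is 403, not the page. Then request any /manage/ URL over plain HTTP and confirm the browser is redirected to https before the login form appears.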
The login page, login.jsp, looks like this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
  <title>Login Page for E Store</title>
  <link rel='stylesheet' type='text/css' href='estyles.css' />
</head>
<body>
  <form method="post" action='<%= response.encodeURL("j_security_check") %>'>
    <p>Username <input type="text" name="j_username"><br/>
       Password <input type="password" name="j_password"></p>
    <p><input type="submit" value="Log In"><input type="reset"></p>
  </form>
</body>
</html>

If the login fails, error.jsp is displayed.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
  <title>Login Error Page</title>
  <link rel='stylesheet' type='text/css' href='estyles.css' />
</head>
<body>
  <h3>Invalid username and/or password, please try
      <a href='<%= response.encodeURL("login.jsp") %>'>again</a>.</h3>
</body>
</html>

The file manager.jsp is used to display forms that the manager can use to find and change values. It appears below.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
  <title>Manager JSP</title>
  <link rel='stylesheet' type='text/css' href='estyles.css' />
  <script type="text/javascript">
    // Opens the change page in a small popup window.
    function MakeChoice() {
      window.open("org.apache.jsp.change_jsp", "choiceWindow", "width=400, height=300");
    }
  </script>
</head>
<body>
<table>
  <caption><h1>Store Manager</h1></caption>
  <tr>
    <td>
      <h3>Display the products.</h3>
      <form method="get" action="../estore/display">
        <p><input type="submit" value="Display" /></p>
      </form>
    </td>
    <td>
      <h3>Find a product.</h3>
      <form method="get"