users@glassfish.java.net

[gf-users] Re: what type of web app security

From: Nithya Ramakrishnan <nithya.subramanian_at_oracle.com>
Date: Thu, 17 Apr 2014 13:34:19 +0530

If what you intend to accomplish is to allow any authenticated user to
be able to access the web-app,
you can do so using the ** role in GF 4.

The auth-constraint in the web.xml should be changed to:

     <auth-constraint>
         <description/>
         <role-name>**</role-name>
     </auth-constraint>

There is no need of any further mapping of this role.
The authorization check (to test if the user is in the ADMIN role) is
not required in the Bean. It can simply authenticate (verify the user's
credentials).

Please see Sec 13.8 in the Servlet 3.1 spec for more details:

"The special role name “**” is a shorthand for any authenticated
user independent of role. When the special role name “**” appears in
an authorization constraint, it indicates that any authenticated user,
independent of role, is authorized to perform the constrained requests."

HTH
Nithya
On 4/17/2014 7:22 AM, Lane wrote:
> I have a small web app that I'm trying to secure in glassfish4. What
> I want to accomplish, is to be able to deploy one instance of the web
> app for different remote users. The remote user is the "app admin" and
> shall create other users and groups that will use the web app. These
> users do not know enough about working with the glassfish admin
> console, so their use is strictly within the application.
>
> I plan to host the app and keep its app infrastructure running.
>
> My problem is I'm a bit confused on the container managed way and me
> pulling from my own database, so I'm not sure of the method I should
> use to secure it in the way that I explained above. So I jumped right
> in trying to understand it, and here's what I have so far (doesn't yet
> work, but I feel it's close).
>
> Here is my index.xhtml page which uses primefaces.
> ---
> <h:panelGrid columns="3">
> <h:outputLabel for="username" value="Username: *"/>
> <p:inputText id="username" required="true" label="Username"
> value="#{loginController.username}">
> <f:validateLength minimum="3"/>
> </p:inputText>
> <p:message for="username"/>
> <h:outputLabel for="password" value="Password: *"/>
> <p:password id="password" required="true" label="Password"
> value="#{loginController.password}">
> </p:password>
> <p:message for="password"/>
> </h:panelGrid>
>
> <p:commandButton id="loginButton" value="Login"
> action="#{loginController.login}"/>
>
>
> And here is the backing bean.
> ---
> import java.io.IOException;
> import javax.ejb.EJB;
> import javax.faces.bean.ManagedBean;
> import javax.faces.bean.ViewScoped;
> import javax.faces.context.ExternalContext;
> import javax.faces.context.FacesContext;
> import javax.naming.InitialContext;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
>
> // ILogin and User are the application's own EJB interface and entity (not shown in the post)
> @EJB(name="ejb/LoginBean", beanInterface=ILogin.class)
> @ManagedBean(name="loginController")
> @ViewScoped
> public class LoginController {
>     private boolean authenticated = false;
>     private ILogin ilogin;
>     private String username;
>     private String password;
>     private User user;
>
>     public LoginController() {
>         try {
>             // JNDI name matches the @EJB(name=...) declared on the class
>             ilogin = (ILogin) (new InitialContext()).lookup("java:comp/env/ejb/LoginBean");
>         }
>         catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
>
>     public String getUsername() {
>         return username;
>     }
>
>     public void setUsername(String username) {
>         this.username = username;
>     }
>
>     public String getPassword() {
>         return password;
>     }
>
>     public void setPassword(String password) {
>         this.password = password;
>     }
>
>     public boolean isAuthenticated() {
>         return authenticated;
>     }
>
>     public String login() throws IOException {
>         FacesContext context = FacesContext.getCurrentInstance();
>         ExternalContext externalContext = context.getExternalContext();
>         HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
>
>         // debug output: note that this writes the plaintext password to the server log
>         System.out.println("user: " + this.username);
>         System.out.println("pass: " + this.password);
>
>         try {
>             // container-managed authentication against the realm named in web.xml
>             request.login(this.username, this.password);
>
>             user = ilogin.getUser();
>
>             System.out.println("user.getUserName: " + user.getUserName());
>             System.out.println("user.getPassWord: " + user.getPassWord());
>
>             if (user.getUserName().equals(username)) {
>                 if (user.getPassWord().equals(password)) {
>                     authenticated = true;
>                     return "success";
>                 }
>             }
>
>             /*if (request.isUserInRole("ADMIN")) {
>                 return page;
>             }
>             else {
>
>             }*/
>         }
>         catch (ServletException e) {
>             e.printStackTrace();
>         }
>         catch (Exception e) {
>             e.printStackTrace();
>         }
>
>         // added so the method compiles: a null outcome keeps the user on the login view
>         return null;
>     }
> }
>
> And I added this to my web.xml.
> ---
>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>JDBCRealm</realm-name>
> <form-login-config>
> <form-login-page>/faces/login.xhtml</form-login-page>
> <form-error-page>/faces/loginError.xhtml</form-error-page>
> </form-login-config>
> </login-config>
>
> <security-constraint>
> <display-name>Admin Pages</display-name>
> <web-resource-collection>
> <web-resource-name>Protected Admin Area</web-resource-name>
> <url-pattern>/faces/admin/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>HEAD</http-method>
> <http-method>PUT</http-method>
> <http-method>OPTIONS</http-method>
> <http-method>TRACE</http-method>
> <http-method>DELETE</http-method>
> </web-resource-collection>
> <auth-constraint>
> <description/>
> <role-name>admin</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <display-name>All Access</display-name>
> <web-resource-collection>
> <web-resource-name>None Protected User Area</web-resource-name>
> <description/>
> <url-pattern>/faces/users/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>HEAD</http-method>
> <http-method>PUT</http-method>
> <http-method>OPTIONS</http-method>
> <http-method>TRACE</http-method>
> <http-method>DELETE</http-method>
> </web-resource-collection>
> <auth-constraint>
> <description/>
> <role-name>admin</role-name>
> <role-name>user</role-name>
> </auth-constraint>
> </security-constraint>
>
>
> I've also created user and group tables in my database.
>
> Any help much appreciated.
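As an added example (not from Nithya's reply or Lane's deployment), here is how Lane's two constraints look once the user area uses the `**` role Nithya describes: only the application-defined `admin` role needs a `<security-role>` declaration and a group mapping in glassfish-web.xml, and dropping the explicit `<http-method>` list makes each constraint cover every HTTP verb rather than only the ones enumerated. The group name `appadmins` is an assumption.

```xml
<!-- web.xml fragment (added example, not from the thread) -->
<security-constraint>
  <display-name>Admin Pages</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Admin Area</web-resource-name>
    <url-pattern>/faces/admin/*</url-pattern>
    <!-- no <http-method> elements: the constraint applies to all methods,
         so verbs missing from an explicit list (e.g. PATCH) are not left open -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>Authenticated Users</display-name>
  <web-resource-collection>
    <web-resource-name>User Area</web-resource-name>
    <url-pattern>/faces/users/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Servlet 3.1 sec. 13.8: any authenticated user, independent of role -->
    <role-name>**</role-name>
  </auth-constraint>
</security-constraint>

<!-- only application-defined roles are declared; ** needs no declaration or mapping -->
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- glassfish-web.xml: map a realm group to the admin role (group name assumed) -->
<glassfish-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>appadmins</group-name>
  </security-role-mapping>
</glassfish-web-app>
```

With this layout the bean only needs `request.login(...)` to succeed; whether the caller may reach `/faces/admin/*` is decided by the container from the group-to-role mapping, not by code in the bean.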