users@glassfish.java.net

[gf-users] Re: what type of web app security

From: Lane <software.research.development_at_gmail.com>
Date: Thu, 17 Apr 2014 20:29:15 -0500

Well, the idea is to allow any authenticated user to be able to access the
web-app, but each of the roles can only access specific pages. So, I think
we're on the same page. I'll look into that part of the spec.


On Thu, Apr 17, 2014 at 3:04 AM, Nithya Ramakrishnan <
nithya.subramanian_at_oracle.com> wrote:

> If what you intend to accomplish is to allow any authenticated user to be
> able to access the web-app,
> you can do so using the ** role in GF 4.
>
> The auth-constraint in the web.xml should be changed to:
>
> <auth-constraint>
> <description/>
> <role-name>**</role-name>
> </auth-constraint>
>
> There is no need of any further mapping of this role.
> The authorization check (to test if the user is in the ADMIN role) is not
> required in the Bean. It can simply authenticate (verify the user's
> credentials).
>
> Please see Sec 13.8 in the Servlet 3.1 spec for more details:
>
> "The special role name “**” is a shorthand for any authenticated user
> independent of role. When the special role name “**” appears in an
> authorization constraint, it indicates that any authenticated user,
> independent of role, is authorized to perform the constrained requests."
>
> HTH
> Nithya
>
> On 4/17/2014 7:22 AM, Lane wrote:
>
> I have a small web app that I'm trying to secure in glassfish4. What I
> want to accomplish, is to be able to deploy one instance of the web app for
> different remote users. The remote user is the "app admin" and shall create
> other users and groups that will use the web app. These users do not know
> enough about working with the glassfish admin console, so their use is
> strictly within the application.
>
> I plan to host the app and keep its app infrastructure running.
>
> My problem is I'm a bit confused about the container managed way and me
> pulling from my own database, so I'm not sure of the method I should use to
> secure it in the way that I explained above. So I jumped right in trying to
> understand it, and here's what I have so far (doesn't yet work, but I feel
> it's close).
>
> Here is my index.xhtml page which uses primefaces.
> ---
> <h:panelGrid columns="3">
>     <h:outputLabel for="username" value="Username: *"/>
>     <p:inputText id="username" required="true" label="Username"
>                  value="#{loginController.username}">
>         <f:validateLength minimum="3"/>
>     </p:inputText>
>     <p:message for="username"/>
>
>     <h:outputLabel for="password" value="Password: *"/>
>     <p:password id="password" required="true" label="Password"
>                 value="#{loginController.password}">
>     </p:password>
>     <p:message for="password"/>
> </h:panelGrid>
>
> <p:commandButton id="loginButton" value="Login"
>                  action="#{loginController.login}"/>
>
>
> And here is the backing bean.
> ---
> import java.io.IOException;
> import javax.ejb.EJB;
> import javax.faces.bean.ManagedBean;
> import javax.faces.bean.ViewScoped;
> import javax.faces.context.ExternalContext;
> import javax.faces.context.FacesContext;
> import javax.naming.InitialContext;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
>
> @EJB(name="ejb/LoginBean", beanInterface=ILogin.class)
> @ManagedBean(name="loginController")
> @ViewScoped
> public class LoginController {
>     private boolean authenticated = false;
>     private ILogin ilogin;
>     private String username;
>     private String password;
>     private User user;
>
>     public LoginController() {
>         try {
>             // Look up the EJB reference declared by the @EJB annotation above.
>             ilogin = (ILogin) (new InitialContext()).lookup("java:comp/env/ejb/LoginBean");
>         }
>         catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
>
>     public String getUsername() {
>         return username;
>     }
>
>     public void setUsername(String username) {
>         this.username = username;
>     }
>
>     public String getPassword() {
>         return password;
>     }
>
>     public void setPassword(String password) {
>         this.password = password;
>     }
>
>     public boolean isAuthenticated() {
>         return authenticated;
>     }
>
>     public String login() throws IOException {
>         FacesContext context = FacesContext.getCurrentInstance();
>         ExternalContext externalContext = context.getExternalContext();
>         HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
>
>         // Debug output: note that this writes the plaintext password to the server log.
>         System.out.println("user: " + this.username);
>         System.out.println("pass: " + this.password);
>
>         try {
>             // Container-managed login: the credentials are verified against the realm
>             // named in <login-config> (JDBCRealm); a bad login throws ServletException.
>             request.login(this.username, this.password);
>
>             user = ilogin.getUser();
>
>             System.out.println("user.getUserName: " + user.getUserName());
>             System.out.println("user.getPassWord: " + user.getPassWord());
>
>             // Application-level comparison of the same credentials that
>             // request.login() has already verified.
>             if (user.getUserName().equals(username)) {
>                 if (user.getPassWord().equals(password)) {
>                     authenticated = true;
>                     return "success";
>                 }
>             }
>
>             /* Role names are case-sensitive: web.xml declares "admin", not "ADMIN".
>             if (request.isUserInRole("ADMIN")) {
>                 return page;
>             }
>             else {
>
>             }*/
>         }
>         catch (ServletException e) {
>             e.printStackTrace();
>         }
>         catch (Exception e) {
>             e.printStackTrace();
>         }
>         // Reached when the login or the comparison fails. The outcome name is assumed
>         // and needs a matching navigation rule (or return null to stay on the page).
>         return "failure";
>     }
> }
>
> And I added this to my web.xml.
> ---
>
> <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>JDBCRealm</realm-name>
>     <form-login-config>
>         <form-login-page>/faces/login.xhtml</form-login-page>
>         <form-error-page>/faces/loginError.xhtml</form-error-page>
>     </form-login-config>
> </login-config>
>
> <security-constraint>
>     <display-name>Admin Pages</display-name>
>     <web-resource-collection>
>         <web-resource-name>Protected Admin Area</web-resource-name>
>         <url-pattern>/faces/admin/*</url-pattern>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>         <http-method>HEAD</http-method>
>         <http-method>PUT</http-method>
>         <http-method>OPTIONS</http-method>
>         <http-method>TRACE</http-method>
>         <http-method>DELETE</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>         <description/>
>         <role-name>admin</role-name>
>     </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>     <display-name>All Access</display-name>
>     <web-resource-collection>
>         <web-resource-name>None Protected User Area</web-resource-name>
>         <description/>
>         <url-pattern>/faces/users/*</url-pattern>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>         <http-method>HEAD</http-method>
>         <http-method>PUT</http-method>
>         <http-method>OPTIONS</http-method>
>         <http-method>TRACE</http-method>
>         <http-method>DELETE</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>         <description/>
>         <role-name>admin</role-name>
>         <role-name>user</role-name>
>     </auth-constraint>
> </security-constraint>
>
>
> I've also created user and group tables in my database.
>
> Any help much appreciated.
>
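Combining Nithya's `**` suggestion with Lane's follow-up (any authenticated user may enter the app, but each role only reaches its own pages), here is a web.xml that does both. It is an added example for this thread, not code from either poster or from GlassFish; the role names, URL patterns, realm name and login pages are taken from Lane's web.xml, and everything else (the constraint names and the decision to drop the per-method lists) is an assumption.

```xml
<!-- web.xml for Servlet 3.1 / GlassFish 4. Added example, not from the thread.
     Role names, URL patterns and login pages come from Lane's posted web.xml;
     the rest is assumed. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JDBCRealm</realm-name>
    <form-login-config>
      <form-login-page>/faces/login.xhtml</form-login-page>
      <form-error-page>/faces/loginError.xhtml</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Admin area: only the concrete "admin" role. No <http-method> list, so the
       constraint applies to every HTTP method; listing methods would leave the
       unlisted ones unconstrained (Servlet 3.1, sec. 13.8). -->
  <security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Admin Area</web-resource-name>
      <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- General area: any authenticated user, independent of role. "**" needs no
       <security-role> declaration and no group mapping in glassfish-web.xml. -->
  <security-constraint>
    <display-name>All Authenticated Users</display-name>
    <web-resource-collection>
      <web-resource-name>User Area</web-resource-name>
      <url-pattern>/faces/users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Safety net: should a constraint ever list HTTP methods, deny the uncovered
       methods instead of leaving them open (new in Servlet 3.1). -->
  <deny-uncovered-http-methods/>

  <!-- Only the concrete roles are declared. "**" is deliberately absent: declaring
       it as a security-role turns it into an ordinary role name and removes the
       any-authenticated-user meaning. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Two things still have to line up outside web.xml. The concrete roles `admin` and `user` must be mapped to groups in the JDBCRealm, either with `<security-role-mapping>` entries in glassfish-web.xml or by enabling GlassFish's default principal-to-role mapping; `**` needs neither. In the backing bean, `request.login()` already rejects bad credentials with a `ServletException`, so the landing page can be chosen with `request.isUserInRole("admin")` (the name is case-sensitive and must match web.xml) rather than by comparing the stored password a second time.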