I wanted to get some more information on about form based authentication. I understand that the form based authentication mechanism is used when you want to protect certain server resources, like all jsps under a certain directory, and only make those URL's available to users with certain roles.
I am working on an application from scratch, just to get better at web development, and I have the form based authentication setup, and it is working fine. However, I would also like to build in the ability for users to login on the fly, using a 'Login' button, not just when they necessarily try to access a protected resource.
I know that when I tried to have the login button take the user to the login page that uses j_security_check as its action, the server yelled because I was directly accessing the login page, which makes sense because since I wasn't trying to access a protected resource, so I guess the server wouldn't know where to take me after I authenticate.
So, my question is, if I want to keep the form based authentication in place to protect some admin resources, but also have the ability for the user to just login on the fly using a login button, do I have to roll my own security, and have the form take me to a servlet(for example) that manually checks the username and password against the database, and set some attribute that says whether or not the user is logged in? How would that mesh with the server knowing whether or not I'm logged in? I know that there are some server side methods for getting the user, asking if they are in a certain role, etc, but isn't that all server managed, meaning I can't just say 'hey, I've authenticated the user myself, and this is who they are, it has to go through the form based authentication? I'm still learning web development. Thanks for the help.
The only way I can think of providing the behavior that you want is through a cookie that doesn't expire easy, which has its fair share of security concerns. It seems you want to have the ease of use that the "Login with Google", or "Login with Facebook" have. These tend to make heavy use of something called OAuth, and I don't think are applicable for your project.
Are you forced to login for a resource every single time you access it? You shouldn't be , as you seem to be using the servlet's form authenicator.
Related
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?
I have a live spring web app running on amazon and I have recently found login attacks from various IPs. So far nothing has been compromised as the login system is secure enough, with complex passowrds, and encoding with salt etc..
However, I would like to prevent this.
One thing that the logs revealed was that the attackers are somehow able to reach my service classes (only the authenticaltion manager) circumventing my login page. I dont have a special url for login, but how is it possible to call the authentication manager/service etc without going via the login jsp ? I can see logging from loadUserByUsername() method of my authentication service class (which implements UserDetailsService).
Any help will be much appreciated.
Why do you need login.jsp, you can simulate a person posting the login form just by performing HTTP post with all the parameters right?
If all the request coming from the same IP, you can configure your firewall to block it. Other mechanism is to put a delay after a number of failures (eg 30min delay after 5 subsequent failures).
If you want to go further, two form authentication will increase security, eg perform sms confirmation if user is logging in from unknown IP / computer
I want to implement a stay logged in or remember me in my jsp login page. I am using container based form authentication. I think I need to I have to store users' data such as userid and token - a status information to determine whether as user is logged or not, into the cookies.
Also I heard that we should not store users' password even it is encrypted.
If I store their password and userid, I can sigh them in automatically by submitting the data to servlet before I show the login page to users.
If I do not store their password, what method could I use to sign them in automatically?
I would suggest that you not create your own framework for this but rather use something like spring-security or Apache Shiro since the security of your application is pretty important and not something you generally want to build from scratch.
If this is purely for educational purposes, I would suggest looking at the code for the two mentioned applications to see how they handle it.
I have seen this implemented as a secure token in the cookie (with expiration date) whose value is also stored on the server for a set period of time and associated with a specific user account. When the user returns to the site with that cookie, the server will compare it's token value to that of the cookie and let them in if they match (and it is not expired).
Again, it is best to use pre-existing and tested libraries for this kind of work.
Best of luck.
I have developed a web application on Struts2 and used JSP. I want to develop a login system and so cookie management for my web application. Everybody can see every page and there is no authorization for my website.
My question is that what are the steps of my work.
1) Login system
2) Cookie management
3) Authorization
will be done but where I should start and is there any good documents of that steps(for every step of what should I do)?
You can implement this using Sessions, which means you won't have to work with cookies (at least directly). Also keep in mind the difference between authentication (checking identity of a user) and authorization (checking users access rights). I usually implement:
a Login action (which authenticates the user in some way, and saves something to the session which I can latter check to see if the user is logged in...eg. a User object)
an authorization interceptor (which filters each request and checks that user is logged in and has access rights for that particular request....if not forward to login form).
Also keep in mind that this is a do-it-yourself quick way to do it, if you plan anything more you are better off with a security framework/lib of some sorts.
The cookie managment in Struts2 is an orphaned feature. There are ways of reading them using the framework, but no way to write them. Since you have to go directly to the ServletResponse to write cookies, you may as well use the ServletRequest directly to read them.
Check out this: http://www.dzone.com/links/r/working_with_cookies_in_struts_2.html
In my applications I use JavaScript for handling cookies, is more practical, and works well for me.
I'm building an app to let users export data from a university system. Currently, they can log in and see the data in HTML, but I would like to let people download it as CSV.
I have an app where users supply their username and password. I would like to log in to the university system and HTML scrape the resulting page. How can I do this?
I'm building a GWT app. I could either do this in Java-transliterated-JS on the client, or Java on the server.
Update: Selenium might be nice, but it looks like overkill.
You're going to have to do this from the server unless the domains are the same. You'd need to determine what the POST transaction used by the other server for the login step looks like - parameter names etc. Then you'd perform that operation and do whatever you want with what comes back. If you need to see multiple pages, you need to maintain the appropriate session cookie too so that the server knows you're still logged in on the subsequent HTTP requests.
If you have to hit another site to validate the credentials, then I'm not so sure that people should feel comfortable providing those credentials to you. That is, if you don't have rights to check the credentials directly, why are you trustworthy to receive them? I know sometimes people need to integrate with a system they don't own, so this is just a question.
First, this has to be done server-side because of the limitations on client scripting due to the same origin policy.
The typical way of handling the "screen scraping" you mention is to treat the web page as if it was an XML service. First, examine the source code of the page, then using an internet/HTTP stack, craft a POST to the correct URL and read the response using a standard XML library. It will take some ingenuity to come up with a good way to dig into the XML to find the piece you need that will be as insulated as possible from changes to the page. Keep in mind that your system can break any time that the owners of the site change their page.
Sometimes, you can't just send the POST but have to request the blank page initially in order to get hidden form values that need to be returned in the POST. You'll have to experiment to find out what it requires.
Additionally, you probably have to handle cookies as well, since they usually are an integral part of the web site's authentication and session management (though you might get lucky that the session doesn't matter between the initial POST and the first response).
Last, you may be unlucky enough that the site uses javascript to do part of the authentication work, which may require additional digging to understand how the credentials are posted to the site.
There are other potential barriers such as the site checking to see that the referrer is their own site, possible use of SSL (HTTPS) and so on.
I'm pretty sure that the protection against cross-site scripting in web browsers will mean that you can't log in to the university's app using javascript running in the web browser. So the part of your program that fetches data from the university will need to run on your server. Once you have the data, you can process it either on your server or in javascript in the browser, but I think it would be easier to do it on the server.
See http://en.wikipedia.org/wiki/Same_origin_policy
I'm not too sure about GWT, but in general, you would take the form data submitted by the user, check it against a database of username and hashed passwords. If the database checks out, set a session cookie that says the user is logged in.
In your pages, check if the session cookie say the user is logged in. If not, redirect to login page, otherwise allow them to view the pagfe.