I have a small application with 3-4 servlets and a basic module that provide me authentication like:
public class Authentication {
public boolean isUserAuthenticated(){
....
}
}
Is there a way to check the authentication using my class BEFORE every other servlet calls, without have to add code in each of them? I'd like to avoid the check of the user for every servlet I have and for every servlet I will have to add.
Any suggestion is well accepted :)
Thanks, Roberto
Absolutely, use a servlet filter. It's the standard way of implementing security in Java Web applications.
The Java Servlet specification version
2.3 introduces a new component type, called a filter. A filter dynamically
intercepts requests and responses to
transform or use the information
contained in the requests or
responses. Filters typically do not
themselves create responses, but
instead provide universal functions
that can be "attached" to any type of
servlet or JSP page.
You can put your authentication logic in a Servlet Filter. If the filter finds a request not authenticated, it can redirect the user to a login page (or whatever).
Anything that gets to a servlet is implicitly authenticated by then.
Use Acegi Security (now Spring Security). Using Spring will also make your life easier in other ways. (Spring security works using a servlet filter as mentioned in above posts).
User Authentication can be done though servlet filters.
Check the detailed example User Authentication Filter Example
Related
I was following this tutorial to create form-based authentication in for my jboss java EE 6 application.
However it has no code for the login servlet. After searching other resources I found that the login servlet code is not mentioned anywhere.
Where can I find the code for the login servlet? Maybe its very basic, but I am new to Java and I can't write it myself.
The tutorial doesn't have servlet code because the security is provided by the container itself and container security is configured using the deployment descriptor.
You may read this article for further information and decide whether you use the container security or a custom implementation.
At Stormpath, we have a ready-to-use login Servlet that you could use. The only caveat is that it requires Servlet 3.0 or later and it is coupled to our own User Management service.
Our Login Servlet will automate all user registration, login, authentication and authorization workloads.
Take a look at this one page long quickstart: https://docs.stormpath.com/java/servlet-plugin/quickstart.html. It will describe the few steps that you need to carry out to integrate it into your app.
BTW, the Servlet Plugin is completely open source; the code is here in case you want to take a look at it.
I am learning Spring and trying to implement Springs Security. I am not able to understand how it works. I read tutorials from which I understood the following:
we have to configure web.xml for delegating proxy and pattern
we need to add intercepts to dispatcher-servlet.xml
When request is made it triggers intercepts but after that I am unable to understand how it works. It would be helpful if somebody could provide a list of steps to be followed. I am using Hibernate and Spring (both with annotations), I want to authenticate users using Hibernate.
A detailed article can be found here: Code Project Or a tutorial with MVC and Spring Security here.
I tried to illustrate the process a little bit:
The user sends a HTTP-Request to the server
The server processes the request according to the web.xml
The web.xml contains a filter (AKA interceptor) and passes the request through this filter.
Because the user is unknown/not authenticated, Spring Security does its best to get more details.Depending on the config, it
sends an HTTP header, so that a login popup pops up in the browser (client side).
redirects to a form where you can enter username and password.
does a lot of hidden interaction between server and browser to guarantee a "Single-Sign-On" (SSO)
Except for SSO the user enters her/his/its credentials and create an additional request.
Spring Security realizes the login attempt and authenticates the user against a
file with user and passwords
a built-in XML structure in a spring config file
a database
an LDAP
When the access is granted, it assignes the necessary roles...
...and redirects to hard-coded "home page". (Spring Security let's you adjust this behaviour.)
In your application you can check the authorization for certain actions
.....
The user clicks on "logout" or the session expires. With the next request the process starts again.
Annotations
I found a tutorial here (Link).
I understood/assume the following facts:
The filters still must be defined in the web.xml.
You can annotate your classes/methods with
#Controller (API)
#Secured (API)
#RequestMapping (API)
I admit that I only gave you a rough overview, because your question is not that specific.
Please let me know what you want to learn in detail (re-recognize users, authenticate against different resources, do a SSO, create a secured area on your webpage,...)
Spring uses a dispatcher servlet for delegating the request. Spring security filters the request and checks if a valid security context is established. If so the request is passed to the dispatcher and it passes the request forward to the corresponding controller. If no security context is established, Spring security intercepts the request which means he could manipulate the request before the diespatcher servlet could process it. During this interception the request dispatcher (Servlet Specification) will be assigned to forward the request to a login page.
I think you don't have to bother with xml anymore. Now you can use Spring Boot + annotation based configuration. One of the best tutorial I found is this one: A good spring security tutorial
There are some good step-by-step tutorials on how to integrate spring security. For example:
For Java config: http://jtuts.com/2016/03/03/spring-security-login-form-integration-example-with-java-configuration/
For XML config: http://jtuts.com/2016/03/02/spring-security-login-form-integration-example-with-xml-configuration/
some of you advise me to handle sessions using filters. I studied a little about the filter following some guides found on the internet, and wrote a filter referring this guide.
I saw that the filter is called for every component of my page (css, images etc); is there a way to call it just when a jsp or a servlet is load? I need a method that can understand if jsp or a servlet is load, in order to make some stuff inside my filter.
Yes, you can do that. Just change the url-pattern for your session filter.
If you are using some web framework (spring mvc,...) with one dispatching servlet, you can map your filter only to this servlet using servlet-name and requests to other resources (js, css) will not be intercepted by this filter.
First off, please don't be misled by the purpose of the tutorial in the link you have specified. Session handling is always done through cookies, URL-rewriting (or for the more advanced, SSL). He's merely using filters to enhance application security, by ensuring the user is redirected to the login page, whenever he goes directly to an "avoid-url".
Think about a filter, a physical filter. Whether it be an excel filter or a physical gravel filter. It stands between one thing and another thing:
Java web filters can do the same thing:
Just like you can choose which water bottle to filter, you can decide which requests you want to filter. You do that using the filter-mapping element in web.xml. You can specify individual servlet names, or a url pattern.
I am coding a Tomcat application and am authenticating against Google's oauth2 services. I was originally going to write a simple Filter to do the authentication but there is no way to set the user principal in a Filter. From my understanding you have to have the Filter call an implemented HttpServletRequestWrapper and set it inside of that class as seen in this post
I'm pretty sure Tomcat only instantiates one Filter of each type you may have defined and all requests go through this single object down the Filter chain (correct me if I'm wrong).
In the linked to code, is it correct for the code to call
next.doFilter(new UserRoleRequestWrapper(user, roles, request), response);
where every request is instantiating a new UserRoleRequestWrapper? Should this Filter instead have one request wrapper instatiated that gets shared amonsgst all requests? I'm having a hard time finding documentation on the specs of classes such as these.
I don't think that a Filter is what you're looking for. Doesn't seem right for this purpose... Filters weren't created for such use cases; they were created for pre/post processing requests and responses, with emphasis on manipulating the actual request/response data, rather than other aspects of the client-server communication (such as security). Remember, authenticating a user may have further repercussions than just handling HTTP request cycles. Security ties into the JavaEE framework in a lower level than HTTP cycles.
If you want to authenticate against oauth2, you should be far better off implementing some sort of a JAAS implementation for it, and plug it into Tomcat.
I'd like a custom authentication and authorization solution which is different to BASIC or FORM methods. Actually it is like a enhanced version of j_security_check.
In the mean time, I like my solution to use the standard settings such as URL patterns, names, and roles.
Is that possible by using Servlet filters? Or can I "extend" j_security_check?
Thanks.
I used AuthenticRoast once for a project. It implements a JSR-196 authentication provider using an custom authentication/authorization provider.
Otherwise you have to completely implement a JSR-196 a JAAS module