BASIC and FORM-based Authorization in Your Web Application
In the development of any, more-or-less big Web application, every developer collides at times with the problem of how to bear certain parts of the application in the protected area and to divide access to them by login and password. How do you carry out authentication? Actually, there are a lot of variants. In this article, we do not present a problem to consider all possibilities; our purpose is to learn how to work with the simplest yet rather convenient method of authorization. We will talk about BASIC and FORM-based authorizations. As a Web server, we will consider Tomcat, which provides BASIC and FORM-based authentication through server.xml and web.xml files; the use of a j_security_check form (for FORM-based) in a JSP page that requires two parameters j_username and j_password; and specifying roles (groups) within the SQL database. As you can see, it's a flexible, useful, and necessary set of capabilities.
To begin with, you need to download Tomcat, which we will use as a Web server and MySQL, which we will use as a SQL server. Also, you need to download the JDBCRealm tool which will be used with Tomcat, and the MySQL Connector/J to use with MySQL.
We assume you have installed Tomcat and MySQL properly, so we can start right from the server's configuration. Of course, you also need to install the MySQL Connector/J driver, and I strongly recommend using only stable releases of the driver because, in some cases, alpha/beta versions of the driver do not work in the given sheaf.
First of all, we will work with the SQL database. Honestly speaking, MySQL, as well as Tomcat, is pretty universal, and doesn't depend on the OS in which you are using it (Windows or Unix-like system), so the process of configuration will be absolutely the same; it doesn't matter where you run it.
Execute the mysql client from the installation binary directory and type:
create database weblogin;
This will create the weblogin database in which we will keep user names, passwords, roles—everything. Thus, any changes you have made to the database directly (new users, changed passwords or roles, and so forth) will be reflected immediately.
create table users ( login varchar (15) not null, pass varchar (15) not null, primary key (login) );
We will keep the user's login and password in this users table.
create tables groups ( login varchar (15) not null, group varchar (15) not null, primary key (login, group) );
As you can see, we will keep information about which login belongs to which group in this groups table. Let's fill our tables with some test data and finish the process of MySQL configuration:
insert into users ('green', 'testpwd'); insert into groups ('green', 'testgroup');
So, we created the user green with the password testpwd in the group testgroup. And now, it's Tomcat's turn to be configured.
Tomcat itself has no ability to work with the database to carry out authentication. However, there is JDBCRealm for these purposes; we are going to use that.
We will start our configuration from Tomcat's \conf\server.xml file. Open this file and find the following string:
<Realm className="org.apache.catalina.realm.MemoryRealm" />
Remove this line or just comment it by using <!-- ... --> Instead of it, we will use JDBCRealm. Type the following:
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/weblogin?user=test&password=test" userTable="users" userNameCol="login" userCredCol="pass" userRoleTable="groups" roleNameCol="group" />
We will consider all mentioned fields in a bit more detail:
- debug—Here, we set the debug level. A higher number generates more detailed output.
- driverName—The name of our MySQL driver. You need to be sure that the driver's JAR file is located in Tomcat's CLASSPATH.
- connectionURL—The database URL that is used to establish a JDBC connection. In this field, weblogin is the name of our database; user and password are login data with which you are connecting to the database. In MySQL, such a user is created by default, so you can use it. In case you don't have such a user, you need to create your own user and make it capable of working with your weblogin database.
- userTable—A table with at least two fields, defined in userNameCol and userCredCol.
- userNameCol and userCredCol—The fields with the name of login field from the users table and pass.
Now, we are at the stage of finishing the configuration process. We need to configure your Web application to be protected with such an authentication. Below, we show examples of two configurations. The simplest is a BASIC authentification method, and a little more original method is a FORM-based one. In the first case at attempting to access the protected area, a pop-up window will appear with the requirement to enter your login and password. In the second case, we will get a page on which we will pass authentification on our defined JSP. The contents of a page can be anything; it should meet only few simple requirements on the contents of a HTML <form> tag. It is up to you what authorization methods you will use.
Basic authorization method
Let's assume that our Web application is located in Tomcat's \webapps\webdemo, and we need to protect all files placed in the admin subdirectory. We need to open its \webapps\webdemo\WEB-INF\web.xml file and type the following text:
<security-constraint> <web-resource-collection> <web-resource-name>Web Demo</web-resource-name> <url-pattern>/admin/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>testgroup</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>Web Demo</realm-name> </login-config>
Let me say a few words about what we just did. We created web-resource-name for our application and mapped login-config to this resource. We defined url-pattern, which has information about which sub-directory of our entire application will be protected, and which role-name is allowed to access the protected area. In login-conf, we defined a BASIC auth-method.
Pretty easy, isn't it? Do not forget to stop and re-start Tomcat to make these our changes work.