How does real world login process happen in web application in Java?
I am very much confused regarding the login process that happens in a Java web application. I read many tutorials regarding jdbcRealm and JAAS. But one thing that I don't understand is: why should I use them? Can't I simply check directly against my database of users? And once they successfully log in to the site, I store some variable in the session as a flag, and probably check that session variable on all restricted pages (I mean, keep a filter for the restricted resources' URL pattern). If the flag doesn't exist, simply redirect the user to the login page. Is this approach correct? Does this approach sound correct? If yes, then why did all this JAAS and jdbcRealm come into existence?
Secondly, I am trying to completely implement SAS (Software as a Service) in my web application, meaning everything is done through web services. If I use web services, is it possible to use jdbcRealm? If not, then is it possible to use JAAS? If yes, then please show me some example which uses MySQL as a database and then authenticates and authorizes. I even heard about Spring Security. But I am confused about that too, in the sense of how I would use a web service with Spring Security.
Please help me. I am really very confused. I read Sun's tutorials but they only keep talking about theory. For programmers to understand a simple concept, they show 100 pages of theory first before they finally come to one example.
Yes, you can do it yourself.
However, these things exist so you don't need to implement it yourself. They're written by very smart people, they're tested, it works. If you want to do this yourself, are you sure you won't introduce any bugs? Are you sure users won't be able to circumvent the login? (The last time I saw someone implement this himself, the user could simply bypass all URL checking by going to http://site.com/foo/../foo/bar instead of entering the normal URL of http://site.com/foo/bar.)
As for an example of how to use e.g. jdbcrealm with Tomcat for basic HTTP authentication, see here. You create the tables etc. as described there. In your webapp you create the file META-INF/context.xml, which might look like this:
<Context>
    <!-- Tomcat's JDBCRealm: the element name is case-sensitive (Context, not context),
         the MySQL driver class is com.mysql.jdbc.Driver, and the & in the connection
         URL must be escaped as &amp; because this is an XML attribute. -->
    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://localhost/mydb?user=dbuser&amp;password=dbpass"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name"/>
</Context>
In your WEB-INF/web.xml you add something like this:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyWebapp Login</realm-name>
</login-config>
(This password-protects your entire webapp; you could restrict it to e.g. only the URLs of your web service. Authenticated users that have the role USER will be granted access.)
Add a user to the database with SQL something like this:
-- users(user_name, user_pass) and user_roles(user_name, role_name) match the
-- userTable / userRoleTable names configured in the Realm above
insert into users values('bob','secretpassword');
insert into user_roles values('bob','USER');
You then place the JDBC driver .jar file in $CATALINA_HOME/lib/ and you're good to go.
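The do-it-yourself filter the question describes, hardened against the `/foo/../foo/bar` bypass the answer above warns about, as an added example that is not part of the original answer. It assumes the Servlet 3.x `javax.servlet` API on the classpath, and the restricted prefix `/foo/`, login page `/login.jsp` and session attribute `authenticatedUser` are hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Session-flag login check; map it to /* in web.xml so every request passes through it. */
public class LoginCheckFilter implements Filter {
    private static final String RESTRICTED_PREFIX = "/foo/";      // hypothetical protected area
    private static final String LOGIN_PAGE = "/login.jsp";        // hypothetical login page
    private static final String FLAG = "authenticatedUser";       // hypothetical session attribute

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Never compare the raw request URI: "/foo/../foo/bar" does not start with "/foo/"
        // as a string but is served as /foo/bar. Normalise first, reject what cannot be resolved.
        String path = normalizedPath(req.getRequestURI(), req.getContextPath());
        if (path == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (path.startsWith(RESTRICTED_PREFIX) && !isLoggedIn(req.getSession(false))) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Collapses "." and ".." segments; returns null for malformed URIs or traversal past the root
     *  (getPath() decodes %2e%2e to "..", so encoded variants are caught by the contains check). */
    static String normalizedPath(String requestUri, String contextPath) {
        String path;
        try {
            path = URI.create(requestUri).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (path == null || path.contains("..")) return null;
        if (!contextPath.isEmpty() && path.startsWith(contextPath)) {
            path = path.substring(contextPath.length());
        }
        return path;
    }

    static boolean isLoggedIn(HttpSession session) {
        return session != null && session.getAttribute(FLAG) != null;
    }
}
```

With this filter, `/foo/../foo/bar` normalises to `/foo/bar` and is redirected to the login page when no session flag is present, which is exactly the case the naive string comparison misses.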
A lot of real-world web applications are moving towards Single Sign-On functionality. What they do is quite similar to what you have described, i.e. there will be some kind of agent running on your application that will intercept the requests and check the cookies, session, authentication etc. with some external server that is responsible for maintaining a database of users, permissions, groups, roles etc. Depending on how you have configured it, requests will be allowed or disallowed.
The main point here is that you should be able to write your application without bothering too much about cross-cutting functionalities like authentication, authorization etc.
You can take a look at OpenSSO, the OpenSSO wiki, and others.