Solved

how to check user Authentication from Database

Posted on 2004-08-27
Last Modified: 2010-05-18
Hi,

I need help from experts. I'm using Tomcat 5.0: I have a login page; upon submit it should display inner pages depending upon the authenticating status. While adding users I have this option if he/she can be "Read Only" or "Admin".

Read Only can only view inner pages, whereas Admin can view inner pages and change certain parts of inner pages if wanted.

So please send me the steps to follow on this:
1. Upon submit of the login page, how to identify it's a valid user? (CHECKING FROM DATABASE)
2. Upon verification of a valid user, how to restrict a "Read Only" user to view only but not able to change values on any pages.

NOTE: I don't wanna check User/Password which is stored in the Tomcat XML, but rather I wanna check using a Database query. Bcoz my application will be used by various clients and they can add user/pass with role as "Admin" or "Read Only", which all gets stored in the Database.

Regards,
Hyx
0
Comment
Question by:princehyderabad
12 Comments
 
LVL 13

Expert Comment

by:Murali Murugesan
ID: 11920582
U can do the following steps,

Once u get the username & password have them in the session attributes.

While loading the login page write a query to select all usernm, pwd & their permissions inside a global arrayList.

In each page thereafter check ur session attribute value across the array list to identify the permission.
Have the permission loaded in a global variable like R-for read only and A-for Admin.

Using this value u can show the controls correspondingly, for eg: textbox or label..

if(per=='A')
<input type=text .......>
else
<label ...>

This will solve ur problem i hope.

-Murali*
0
 
LVL 3

Expert Comment

by:Gunt
ID: 11921416
I would use the standard container security.
Tomcat supports use of a JDBC realm, so it doesn't check from the XML, but from a database.

Then, to programmatically check the username/role, you can use the request methods getRemoteUser(), isUserInRole(String), etc.

To see how to set up Tomcat for this kind of authentication, see this link:
http://www.linux-sxs.org/internet_serving/c619.html

Good luck
0
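As an added example (not code from this thread), this servlet filter shows how the request methods named in the answer above can enforce the "Read Only" restriction on the server once a realm has authenticated the user, instead of relying only on which controls a page displays. The role name "Admin", the filter being mapped in web.xml to the inner pages, and the rule that only GET and HEAD count as reads are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReadOnlyGuardFilter implements Filter {
    // Assumed role name; it must match the role value the realm reads from the database.
    private static final String ADMIN_ROLE = "Admin";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRemoteUser() returns null when the container has not authenticated the request.
        if (request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        boolean admin = request.isUserInRole(ADMIN_ROLE);

        // Assumption: pages change data only through non-GET/HEAD requests.
        String method = request.getMethod();
        boolean isWrite = !("GET".equals(method) || "HEAD".equals(method));
        if (isWrite && !admin) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Read Only users cannot change values");
            return;
        }
        // JSPs can read this flag to choose between an input box and a label.
        request.setAttribute("canEdit", Boolean.valueOf(admin));
        chain.doFilter(req, res);
    }
}
```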
 
LVL 6

Expert Comment

by:CodingExperts
ID: 11924311
One can use Tomcat to support container managed security, by connecting to an existing "database" of usernames, passwords, and user roles. You only need to care about this if you are using a web application that includes one or more <security-constraint> elements, and a <login-config> element defining how users are required to authenticate themselves. Tomcat 4 onwards defines a Java interface (org.apache.catalina.Realm) that can be implemented by "plug in" components to establish a JDBC connection.

Read More on this:
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html#JNDIRealm
0
 
LVL 6

Expert Comment

by:CodingExperts
ID: 11924500
0
 

Author Comment

by:princehyderabad
ID: 11933306
Thx guys, but with my application, keeping in mind the software we are using, I think the best idea would be to go with Murali's steps.

Murali, can you please write in detail along with a simple sample example for session setting attribute and checking from the DB etc. And I can take care of the displaying part....

Regards,
Hyd
0

 
LVL 3

Expert Comment

by:Gunt
ID: 11936875
As a side comment, I would put the logic from Murali's solution in the Tag, and not in the JSP.
If you go with the if in a scriptlet, you will have to make that check in EVERY JSP. Writing a page will be pretty painful.

Instead, you can write a custom JSP tag (or extend the ones you use), to check the security, and write an input box or a label (or whatever), depending upon user permissions.
That way, you program it once, and changes are centralized.

http://www.javaworld.com/javaworld/jw-08-2000/jw-0811-jsptags.html
That's an interesting link on tag library development.
0
 
LVL 13

Expert Comment

by:Murali Murugesan
ID: 11939479
U do like this...I'll give u a raw example..

get the usrnm & pwd.

write a query in the login page like this...
select user_permission from authentication where
usrname = ? and pwd = ?

So for these question marks [?] pass the variable values "usrnm" and "pwd". The result user_permission u load it to a session variable, say "permission".

Say the query might return either R-read only and A-Admin.
So load it into permission variable.

From the next page from login, ur first check shld be for the permission variable not equal to null,

if null throw message not a valid user..
Then chk whether permission has R or A and code like following

<%-- permission is read from the session, where the login step stored it --%>
<%if("A".equals(session.getAttribute("permission"))){%>
<input type=text.....>
<%}else{%>
<something for display only>
<%}%>

Similar way of coding in all pages would solve ur problem..This would be the easiest method i hope...

Hope i have done the maximum home work for u...

-Murali*
0
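The login step described in the post above, written out as an added example that is not part of the original post: it runs the query with bound parameters and `=` (so `%` and `_` typed into the form are not treated as wildcards) and keeps the result in the session rather than in anything the browser sends back. The table and column names come from the post; the JNDI name `jdbc/AppDB`, the form field names and the page names `login.jsp` and `home.jsp` are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class LoginServlet extends HttpServlet {
    // Returns "A" or "R" for a matching row, or null when the credentials match nothing.
    static String lookupPermission(Connection con, String user, String pwd) throws SQLException {
        String sql = "select user_permission from authentication where usrname = ? and pwd = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);   // bound as data, never concatenated into the SQL
            ps.setString(2, pwd);    // compared in whatever form the pwd column holds
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("usrnm");   // assumed form field names
        String pwd = request.getParameter("pwd");
        String permission = null;
        if (user != null && pwd != null) {
            try {
                DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
                try (Connection con = ds.getConnection()) {
                    permission = lookupPermission(con, user, pwd);
                }
            } catch (Exception e) {
                throw new ServletException("login lookup failed", e);
            }
        }
        if (!"A".equals(permission) && !"R".equals(permission)) {
            response.sendRedirect("login.jsp?error=1");  // unknown user or unexpected value
            return;
        }
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();               // new session id after login
        request.getSession(true).setAttribute("permission", permission);
        response.sendRedirect("home.jsp");
    }
}
```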
 

Author Comment

by:princehyderabad
ID: 11948171
Thx Murali,

I got your point and idea, but today I was told by manager to use "realms" as it's easy to use and it just needs a configuration, that's it. What do you think?
I'm in the process of setting up realms in server.xml and then will try ..... if there are any easy steps rather than the links above sent by others plz let me know.

Once I go thru this U'll receive your point, a waada !!

Regards,
Hyd
0
 
LVL 13

Expert Comment

by:Murali Murugesan
ID: 11950966
Yes,
U can go thro realms too.. the same thing which i explained to u is given in a sophisticated way, that's it..
There are different kinds of realms with tomcat.

-Murali*
0
 
LVL 13

Accepted Solution

by:
Murali Murugesan earned 200 total points
ID: 11951236
0

Question has a verified solution.
