Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to handle authentication/authorization with users in a database?

Tags:

authentication

database

jsf

jakarta-ee

authorization

Currently, I am working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question of how to handle the session management and authentication/authorization with users in a database.

The structure I want is as follows: only logged in users can create events and everyone can see the created events.

  • create.xhtml --> only for logged in users.
  • events.xhtml --> public for everyone.

The basic structure I'm planning is:

  • Check if the page requires logged in user (e.g. create.xhtml)
  • If yes, check if user is logged in
  • If user is not logged in, go to login.xhtml
  • If successfully logged in, come back to requested page
  • Keep the "User is logged in" information unless user clicks log out button. (there I guess @SessionScoped gets into play)

The question is:

  1. What is the less complicated way of doing this?
  2. Where should I use the @SessionScoped annotation? In Create.java or LoginManager.java?
  3. Spring security looks kind of complicated for my issue, do I really need it? if yes, can you explain a little bit of how the implementation works together with JSF 2.0 and Mongo DB?
like image 293
whizzkid Avatar asked Apr 01 '12 15:04

whizzkid

People also ask

How can we authenticate a user in database?

Passwords are one of the basic forms of authentication. A user must provide the correct password when establishing a connection to prevent unauthorized use of the database. In this way, users attempting to connect to a database can be authenticated by using information stored in that database.

What is authorization and authentication in DBMS?

Authorization. Authentication verifies who the user is. Authorization determines what resources a user can access. Authentication works through passwords, one-time pins, biometric information, and other information provided or entered by the user.

How does authentication apply to database security?

Database authentication is the process or act of confirming that a user who is attempting to log in to a database is authorized to do so, and is only accorded the rights to perform activities that he or she has been authorized to do.

What is the need of database authentication and authorization?

A fundamental step in securing a database system is validating the identity of the user who is accessing the database (authentication) and controlling what operations they can perform (authorization). A strong authentication and authorization strategy helps protect the users and their data from attackers.

1 Answers

There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages conform your own situation.

1. Use Java EE provided container managed authentication

Just declare a <security-constraint> in web.xml which refers a security realm which is configured in servletcontainer. You can for your webapp specify URL pattern(s) which should be checked for login and/or role(s), e.g. /secured/*, /app/*, /private/*, etc.

Before Java EE 8, you unfortunately still need to configure a security realm in a servletcontainer-specific way. It's usually described in servletconainer-specific documentation. In case of Tomcat 8, that's the Realm HOW-TO. For example, a database based realm based on users/roles tables is described in section "JDBCRealm".

Since Java EE 8, there will finally be a standard API based on JSR-375.

Advantages:

  • Relatively quick and easy to setup and use.
  • Since Java EE 8 there's finally a robust and flexible standard API.

Disadvantages:

  • Before Java EE 8, realm configuration is container-specific. In Java EE 8, the new JSR-375 Security Spec should solve that with help of JASPIC.
  • Before Java EE 8, , there is no fine grained control.
  • Before Java EE 8, it's very spartan; no "remember me", poor error handling, no permission based restriction.

See also:

  • Performing user authentication in Java EE / JSF using j_security_check - contains complete code examples
  • Java EE kickoff application - example web application (developed by me) which also demonstrates Java EE 8 authentication with Soteria (the JSR-375 RI).

2. Homegrow a servlet filter

This allows for much more fine grained control, but you're going to need to write all the code yourself and you should really know/understand how you should implement such a filter to avoid potential security holes. In JSF side, you could for example just put the logged-in user as a session attribute by sessionMap.put("user", user) and check in the filter if session.getAttribute("user") is not null.

Advantages:

  • Fine grained control.
  • Completely container independent.

Disadvantages:

  • Reinvention of the wheel; new features require a lot of code.
  • As starter, you're never sure if your code is 100% robust.

See also:

  • Is there any easy way to preprocess and redirect GET requests? - contains introducory explanation and kickoff example for authentication
  • Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same - contains more extended kickoff example for authentication which also covers ajax requests
  • How control access and rights in JSF? - contains kickoff example for authorization

3. Adapt a 3rd party framework

For example, Apache Shiro, Spring Security, etc. This offers usually much more fine grained configuration options than standard container managed authentication and you don't need to write any code for this yourself, expect of the login page and some (XML) configuration of course.

Advantages:

  • Fine grained control.
  • Completely container independent.
  • No reinvention of the wheel; minimum of own code.
  • Thoroughly developed and tested by lot of users, so most likely 100% robust.

Disadvantages:

  • Some learning curve.

See also:

  • JSF2 - Shiro tutorial - an extensive tutorial on integrating Shiro in JSF2 webapp
like image 132
BalusC Avatar answered Sep 24 '22 14:09

BalusC
Sign in to Comment

Related questions

How to copy a sqlite table from a disk database to a memory database in python? [duplicate]
Table vs View vs Materialized View
What length can a network interface name have?
How to insert DECIMAL into MySQL database
What is the correct way of QSqlDatabase & QSqlQuery?
Can PHP work with a MS SQL database
SQL full text search vs "LIKE"
Can a table field contain a hyphen?
A database schema vs a database tablespace?
Does Django Atomic Transaction lock the database?
multiple databases and multiple models in django
Unique (multiple columns) and null in one column
Which database out of CouchDB, MongoDB and Redis is good for starting out with Node.js?
Best practices for working with multiple tables
How to map two JPA or Hibernate entities on the same database table
Selecting distinct 2 columns combination in mysql
How to use String property as primary key in Entity Framework
Database query time complexity
Do conditional INSERT with SQL?
How to save a particular, mutable "order" into a database

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!