Basic authentication and form authentication in web applications
Translated by caiyi0903 (Willpower), 2004.4.23
In any web application development, regardless of large medium and small, each developer encounters some problems that need to protect program data, involving the user's login ID and Password. So how do you perform a verification method better? In fact, there are many ways to implement. In this article, we will not take all the verification methods, our purpose is to let you learn how to do it in the simplest and most convenient verification methods. The basic (BASIC) and form-based-based-based-based-based-based "are discussed below. We consider using Tomcat as Web Server, which provides basic and form-based authentication via server.xml and web.xml files. The J_Security_Check Form (for form-based) in the JSP page requires two parameters: j_username and j_password. They specify the login role in the SQL database. You can see that its elasticization, availability and necessity.
The first step, we have to download Tomcat and MySQL, the former used to do web server, the latter used to do SQL Server. Also download the JDBCREALM tool, it is used in Tomcat, used to make a MySQL connector, connect the MySQL database.
We assume that you have installed Tomcat and MySQL, then we started from Server's configuration. Of course, you also need to install Java's MySQL connection driver, I strongly recommend using a stable driver version, because in some cases, the ALPHA / BETA version of the drive cannot work properly.
Let's take a SQL database. Honestly, MySQL and Tomcat are quite a good tool, they are cross-platform, whether your operating system is Windows or Unix / Linux, they can run. Therefore, regardless of the operating environment, their configuration processes are absolutely the same.
Mysql
Execute the mysql client command in the command line, then enter:
Create Database Weblogin;
This will create a WebLogin database for you, which will save all usernames and passwords and roles. Any changes you do for the database will be immediately reflected. For example, add users, changing user passwords and roles.
Create Table Users
Login Varchar (15) Not Null,
Pass varchar (15) Not null,
PRIMARY Key (Login)
);
We create a UserS table to save the user's login and password:
Create Tables Groups
Login Varchar (15) Not Null,
Group varchar (15) Not null,
Primary Key (Login, GROUP)
);
As you can see, we want to save the login information on which group is in the group form. Below, we have to plug in some data to test use, and complete the Mysql configuration work:
INSERT INTO USERS ('Green'); Insert Into Groups ('Green', 'TestGroup');
Now, we created a user called Green, his password is TestPWD, he belongs to the user group of TestGroup. Then, the rotation of Tomcat is configured.
Tomcattomcat itself does not have a capacity to operate the database to implement authentication. However, you can rely on JDBCREALM. Let's use it.
Below we start our configuration from Tomcat's /conf/server.xml file. Open this file and find the following:
Delete this line, or use to get off it, we want to use JDBCREALM. So enter the following:
Drivername = "org.gjt.mm.mysql.driver" ConnectionURL = "JDBC: mysql: // localhost / weblogin? user = test & password = TEST" UserTable = "Users" usernamecol = "login" usercredcol = "pass" Userroletable = "groups" ROLENAMECOL = "group" /> Below we make detailed explanation of the Field parameters: Debug - This is the debug parameter we set, the higher the number, the more detail the information. Drivername - this is the name of MySQL driver. To make sure this driver's JAR package can find it in Tomcat's ClassPath. ConnectionURL - This is a database URL used to establish a JDBC connection. In this field, WebLogin is the name of our database. User and Password are user data we have logged in the database. UserTable - a table that defines the usernamecol and usercredcol fields. UserNamecol and the Login and Pass defined in the UsercredCol-Users table. Now, we have completed the configuration process. Below, we have to configure a web application to be protected by such an authentication method. We have to give two examples. The simplest is the basic authentication method, and then the form is based on the form of authentication. In the first case, we try to access protected data, will have a POP-UP pop-up prompt you enter your login and password. In the second case, we will pass the page's way to let you verify. The content of this page can be arbitrary, depending on how the verification method you want to use. Basic Authorization Method We assume that the application is in Tomcat / WebApps / WebDemo, we have to protect all files in the admin subdirectory. We must open its /webapps/webdemo/web-inf/web.xml file, enter the following: Web-Resource-Collection> auth-constraint> security-connectiont> login-config> Let's take a look at the content just entered. We created a web-resource-name for the application and map to Login-Config. We also define URL-Pattern, which indicates the path you are protected. In Login-Conf, we define a Basic Auth-method. Very simple, right? Don't forget, stop and restart Tomcat before making changes to take effect. Form-based Authorization Method For this way, we only need: Modify /Webapps/webdemo/web-inf/web.xml Create a login JSP page, the user will enter his login ID and password in the HTML form here, create a JSP ERROR page, once the verification fails, the user will jump to This page If you try to use a Basic authentication method, you only need to change Login-Config as the following code. Otherwise, you need to enter the Security-Constraint code segment. Use the Login-Config: form-login-config> login-config> We set the AUTH-METHOD of the form and define form-login-config. This will make Tomcat to use the /admin/login.jsp page to let the user login, use the /admin/error.jsp page to process the login failure. You can use any error message you want. The only thing you need is the following HTML form label, you have to insert it in the page: ...
form>
...
Layout, style, or all of all you like. This Error page can make anything you want. Nothing is to notify the user, the verification failed.
OK, all completed. You need to stop and restart Tomcat to make changes to this.
© Olexiy Prokhorenko, http://www.7dots.com/resume/co-author: Alexander Prohorenko