Saturday, July 30, 2011

Declarative Authentication in Java Server Pages

Some programmer prefers authentication through programming to declarative authentication, that all depends upon choice. I also used programed authentication before when I did my Bachelor's projects. I still remember the authentication part was tedious job since we need to write a bunch of code for authentication and the checking of session variable for authenticated user is also not interesting.

So, I was thinking whether there exists some sort of mechanism so that we do not need to do all these redundant things, I mean there should be some server management which will do all those authentication part of user.

I later realized I was not wrong. We can implement the declarative authentication without any much effort; just setting some declaration in server and the application part. This article will focus on how we can achieve these things.

1) Java should be installed. New ubuntu versions have built in java with OS; so we do not need to install it. If it is not installed anyway, just install it by selecting from Synaptic package manager.

2) There should be tomcat server installed.(The preferred tomcat version is tomcat 6 which is also supported by netbeans 6.9)
Installation of Tomcat
i)Download the apache tomcat compressed installer file in .tar.gz form and extracted it.
ii) Copy it to /usr/local location.
iii) Run the command to start the server(you must be inside the tomcat directory)
sudo sh bin/
Now server is running.

3) The mysql server should be installed.
MySql Startup
i)type sudo apt-get install mysql-server in the terminal.
ii) installation may take longer time. while installing, you must create the user for mysql.
iii) after installation is complete, type sudo mysql -u username -p from terminal to run mysql server locally. Provide password for mysql.
iv) Now you are ready to execute the mysql commands.
3) Apart from creating the other several tables for you application, the authentication part need two compulsory tables to be created. You can give any names while creating and this information is placed in the server settings.
Structure of authentication tables:
tableUser: columnUserName, columnUserCred
tableUserRole: columnRoleName

I have used the following sql query to create those tables:
CREATE TABLE customers(name VARCHAR(100), password VARCHAR(100))
CREATE TABLE customer_roles(name VARCHAR(100),role_name VARCHAR(100))

4) Now we manage some settings in the server.xml file which is located in the conf folder of tomcat installation directory.

&lt!-- It is commented out--&gt
&lt!-- &ltRealm className = "org.apache.catalina.realm.UserDatabaseRealm"
&lt!-- Add these lines --&gt
&ltRealm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="com.mysql.jdbc.Driver" connectionURL=
password=00977" userTable= "customers" userNameCol="name"
userCredCol="password" userRoleTable="customer_roles"

5) Now, restart the tomcat server and most of the work is done. The remaining part is to create and define the users with roles. Store those information in the above mentioned tables created for authentication.

6) Now we define the login page and the error page in case authentication fails. We set this information in the web.xml file in the application.


7) Now we select the pages which need right to access the pages. This information is also set inside the web.xml file as follows:


Here the page customer.jsp is arbitrary page which is accessed by users with roles user and manager. Other users do not have right to access this page.

Some Description:
This process is not so easy; I could not do it successfully in one time. I tried it many times until I get success. There are some minor problems may occur which can be fixed by seeing the error. Like there should be one compulsory user with manager role which is responsible for tomcat related settings. If you have not set that user, you even can not start the tomcat server.

Now, when user tries to access the page customer.jsp, then since it access right for specific users only, the you get a form for login the you go into the page. If authentication is okay and the role matches, only the page can be accessed by the user. Otherwise server redirects the user to the error page.

request.getRemoteUser() gets the previously logged in user. So, it can be saved in any servlet for later user such as to get other user related information of that user from the database or to check whether user has logged in or not, if logged in, which user has logged in etc.

No comments:

Post a Comment