Tuesday, 17 January 2012

jdbcRealm

1. Background of the problem.

I found securing a web application using NetBeans inconvenient and a little tricky. That is because of the lack of documentation: there is no simple, accessible "official" document or tutorial that describes and explains the matter, so it sometimes takes time and brings some frustration to anyone trying to do it. There are a lot of parameters and little diagnostic output or feedback to find out what is going on, so if you make a mistake it is hard to find out what you did wrong. What is more, NetBeans 7.0.1 sometimes behaves in a misleading way in this area, so it can be a tough experience. These are a few words on what I found out.


2. How it works.

2.1. GlassFish checks for restricted areas.
When GlassFish gets a request for a resource (a web page/address), it checks whether that resource/URL belongs to any of the restricted areas that apply to the request. These areas are defined in the web.xml configuration file, as part of the description of Security Constraints.


2.2. GlassFish demands user and password data.
If the requested resource has been defined in Security Constraints, GlassFish demands a user name and password from you. If you set web.xml > Security > Login Configuration to "Basic", the web browser displays its own form requesting the user name and password. If you choose "Form" instead of "Basic", you have to provide the form yourself. The dialog shown in the web browser carries the name of the "security realm" that you set in the "Realm name" field.

But if you do not have such a security realm on the server side, you will not be told that the realm name is wrong. You provide a user name and password and it leads you to an error. So GlassFish does not check, and does not tell you, whether the Realm name you give in web.xml corresponds to any realm name you created in the GlassFish administration console.


2.3. GlassFish checks whether the user name and password are correct.
The server looks for a realm whose name corresponds to the Realm name you gave in web.xml, then starts checking whether the user name and password are correct. The authentication process depends on the type of realm, and the type of realm is determined by its Class Name.


2.3.a. GlassFish checks for the user name and password in your database tables.
If you have a realm with Class Name com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm, the server issues two statements to the database you provide in the JNDI parameter (as the name of a JDBC resource):

The password query, with the user ID being the parameter that is passed from the DigestLoginModule:
SELECT <passwordColumn> FROM <userTable> WHERE <userNameColumn> = ?
The group query, with the user ID being passed as the parameter:
SELECT <groupNameColumn> FROM <groupTable> WHERE <groupTableUserNameColumn> = ?;
(quoted from the Oracle documentation listed under Resources)
You provide the names for <userTable>, <passwordColumn>, <userNameColumn>, <groupTable> and <groupNameColumn> as attributes of the JDBC realm you create. <groupTableUserNameColumn> is equal to <userNameColumn>, so the group table must carry the user name itself, not some other user key.
If the issued statements bring no errors, the server checks whether the user name and password obtained from the database match the values you entered into the form fields. If they match, the process goes further.
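As an added example (not from the post or from GlassFish itself), here is a constructed schema that fits the two statements above, with the realm attribute values assumed to be user-table=app_user, user-name-column=username, password-column=password, group-table=app_group and group-name-column=groupname; the last query is a check for users who will authenticate but get no groups, and therefore no roles.

```sql
-- Constructed example schema for a JDBCRealm (added here; not the post's own code).
-- Assumed realm attributes: user-table=app_user, user-name-column=username,
-- password-column=password, group-table=app_group, group-name-column=groupname.
CREATE TABLE app_user (
    username VARCHAR(64)  NOT NULL PRIMARY KEY,
    password VARCHAR(128) NOT NULL  -- the value in the form the realm compares against
);

CREATE TABLE app_group (
    -- Must hold the user NAME: the realm's group query uses the same
    -- <userNameColumn> value as the password query, not a numeric user id.
    username  VARCHAR(64) NOT NULL REFERENCES app_user(username),
    groupname VARCHAR(64) NOT NULL,
    PRIMARY KEY (username, groupname)
);

-- Constructed sample data ('<stored-credential>' stands for whatever the realm expects).
INSERT INTO app_user (username, password) VALUES ('alice', '<stored-credential>');
INSERT INTO app_user (username, password) VALUES ('bob',   '<stored-credential>');
INSERT INTO app_group (username, groupname) VALUES ('alice', 'admins');
INSERT INTO app_group (username, groupname) VALUES ('alice', 'users');

-- The password query the realm issues (parameter = user name from the login form):
SELECT password FROM app_user WHERE username = ?;

-- The group query the realm issues (same parameter):
SELECT groupname FROM app_group WHERE username = ?;

-- Check for the silent failure the post describes: users with no group rows
-- authenticate but receive no group, so glassfish-web.xml cannot map them to a role.
SELECT u.username
FROM app_user u
LEFT JOIN app_group g ON g.username = u.username
WHERE g.username IS NULL;   -- returns 'bob' with the sample data above
```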


2.4. GlassFish checks whether the required resource is allowed to the authenticated user.
The server checks whether any roles are assigned to the given user or group. This information is stored in glassfish-web.xml. If any roles are assigned to the authenticated user or group, the server then checks whether the required resource is contained in the constraints assigned to that role in web.xml; if so, the user gets the resource.


Resources:
Docs from Oracle.
Oracle: http://docs.oracle.com/cd/E19798-01/821-1841/bncbx/index.html
http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html
http://stackoverflow.com/questions/6809081/glassfish-jdbc-realm-group-membership
http://vizzdoom.net/2011/10/glassfish-uwierzytelnianie-zarzadzane-przez-kontener-aplikacji/
http://jugojava.blogspot.com/2011/02/jdbc-security-realm-with-glassfish-and.html
http://www.hildeberto.com/2010/05/yasmim-security-part-1-user.html
http://stackoverflow.com/questions/2206911/best-way-for-user-authentication-on-javaee-6-using-jsf-2-0