Java Web Application Security – Part One, Basic Authentication

One topic that we didn’t cover in the Java Web Development course was how to secure your application.  In this post, I’ll show that every Java webserver comes with a basic security model that will address many project’s requirements.

I’ll assume that you’re already familiar with Java Web development, and are able to build and deploy to a server such as Apache Tomcat.

Let’s start with a regular webapp. Any Java web application will do. I’m using the application we build on the Java Web Development course.

At the moment, all users can access every page in the application. The aim is for the page “add-new-book.jsp” to be accessible to logged-in administrators only.

Step 1: Switch security “on”

The first step is to declare in the web.xml file that we want to use security in our application. We’re going to start with the simplest form of web security, BASIC authentication. You’ll be familiar with this even if you don’t realise it – this is where the browser pops up a simple username and password box.

<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>Please log in</realm-name>
</login-config>

“realm-name” is just a string that will appear in the login dialog box.

This config tells Tomcat to instruct your browser to pop up a username/password challenge if a secured resource is accessed.

Step 2: Declare Your Secure Resources

A secured resource is just a URL, and we declare a URL to be secure with the following addition to web.xml:

<security-constraint>
 <web-resource-collection>
  <web-resource-name>Admin Pages</web-resource-name>
  <url-pattern>/add-new-book.jsp</url-pattern>
 </web-resource-collection>

 <auth-constraint>
  <role-name>admin</role-name>
 </auth-constraint>
</security-constraint> 
It’s rather verbose XML (as usual with web.xml), but it is fairly straightforward. The URL ending with “add-new-book.jsp” will require the user is logged into the role of “admin”.

Now we’ve added this protection, let’s deploy the app and try to add a new book.

As we haven’t set up a valid administrator, whatever we enter here will result in failure. This is reported as a HTTP error status 401, and by default we see the following page:

Step 3: Authentication

So we’ve locked down part of our app – but how can we open it up to the administrators?

Authentication is the mechanism a web site uses to determine who the user is and to which role they belong. unfortunately, authentication is not part of the Java web specification, so different servers implement authentication in different ways. I’ll describe how authentication is done in Tomcat – for other servers such as Resin or Jetty, you’ll need to check their reference manuals.

The easiest way to set up users and roles in tomcat is to edit the file in {tomcat_home}/conf/tomcat-users.xml. I’ve edited the contents of the file to look like this:

&lt;tomcat-users&gt;
   &lt;role rolename="admin"/&gt;

   &lt;user username="rich"
         password="TooCoolForSchool" 
         roles="admin"/&gt;
&lt;/tomcat-users&gt;

So the server will recognise a user called “rich” as being a member of the “admin” role.

After making the edit, we then need to restart Tomcat. We can now visit the page add-new-book.jsp – as long as we enter the username and password above. Notice that it isn’t necessary to implement a separate login page or to have to go to a login page first – when we try to visit the protected resource, the process is handled automatically by Tomcat.

You may be horrified that we have hardcoded a user into a file on the server. Of course, in a real application we would want a more sophisticated authentication strategy such as a database lookup. In part three of the series I’ll show you how to do that on Tomcat. But changing the strategy is just a configuration change, so using this hardcoded file of usernames and passwords is perfect for your development environment. You can always switch to something more robust once you go live.

The next problem is that the login dialog box is not very professional looking. Basic authentication is just that – basic. In part two of this series, I’ll be showing you how to add Form Based Authentication to your web app.