limiting who can login by role with j2ee form based authentication

1
votes

I'm using declarative J2EE form based authentication in my webapp, following the instructions given in various places such as here: http://java.dzone.com/articles/understanding-web-security

It appears that the login via j_security_check allows all users within the realm to authenticate (log in), but doesn't check their roles. The authorization check seems only to be performed when the user accesses a page with a security constraint.

So in my app, a user is able to successfully log in because they're in the realm, but then when they access a secure page they're getting an ugly "Error 403: AuthorizationFailed" message.

Is there a way to limit authentication to users having a particular role? Or am I required to ensure that the user realm only contains users with the required role.

In terms of code, I have this declaration in my web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Simple</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>

But it doesn't say anything about required roles, so any user navigating to login.jsp can login successfully if they're in the ream.

Then, when the user accesses any of the pages matched by the url-pattern here:

<security-constraint>
    <display-name>Authorised</display-name>
    <web-resource-collection>
        <web-resource-name>Authenticated and Authorised Resources</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>simpleWebAppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

That's when the roles are checked.

Role "simpleWebAppUser" is application wide, and I want to check that the user has this role before letting the log-in succeed.

I'm using WebSphere 7.0, configured to use the O/S user repository, on Windows XP/2000/2003.

2
javajakarta-eesecuritywebsphere-7

2 Answers

2
votes

Is there a way to limit authentication to users having a particular role?

No. Authentication is the process of establishing identity, and not the process of enforcing access control checks. That's how JAAS (and hence, the Java Servlet Specification) treats this topic; most other systems would also implement authentication in the similar manner.

If you could modify the application to display the "secure page", only if the user is in a particular role (the Servlet API allows for this via the isUserInRole method of the HttpServletRequest), then you would save yourself some heartburn (while implementing the advice listed below).

Or am I required to ensure that the user realm only contains users with the required role.

You could do that, if it is possible. However, you might also get around this problem, by writing your own JAAS LoginModule that successfully authenticates a user only when the user is also mapped to the required role (that your application code recognizes). You'll also have to configure the application server and the web-application to use this login module.

2
votes

For anyone who finds it helpful, I figured out an alternative solution based on a description here: http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files/

If I add the following to web.xml:

<error-page>
    <error-code>403</error-code>
    <location>/authorizationerror.jsp</location>
</error-page>

then every time a secured page is accessed by a user with the wrong role they are shown a page explaining that they don't have sufficient rights to access the page.

If the only non-secured page in an application is the login page, then they'll see that page immediately after logging in.