Basic Authentication in JSP with Example
In this article, I am going to discuss the Basic Authentication in JSP Application with an Example. Please read our previous article where we discussed MVC in JSP Application.
Overview of Security
JSP technology needs security as every webpage created by web developers without security will not be worth it. Security is important so that we can prevent unauthorized users from accessing the data and also, we can prevent web attackers from stealing the data. We can secure the resources by identifying them in the deployment descriptor file (web.xml) and assigning a specific role to them.
Authentication vs Authorization
Authentication is the process of confirming the truth of an attribute of a single piece of data claimed true by an entity, whereas Authorization is the process of specifying access rights/ privileges to resources related to information security.
In Authentication, we used to check a person’s details to identify and verify user’s credentials, whereas in Authorization we used to check user’s privileges to access resources and validates user’s permissions.
Authentication Mechanisms in JSP
Following are the different types of authentication mechanisms:
- HTTP Basic Authentication: In HTTP Basic Authentication, the server always asks for the credentials (username/password) whenever the browser requests any protected resources. And the server sends the resources only if the credentials entered by the users are valid.
- HTTP Digest Authentication: In HTTP Digest Authentication, also the server asks for credentials like HTTP Basic Authentication. But the only difference is that the sent password is in an encrypted format.
- HTTPS Client Authentication: In HTTPS Client Authentication, the authentication is only performed whenever the SSL connection is established between the browser and the server.
- FORM-Based Authentication: In FORM-based Authentication, to get the credentials we are using HTML forms instead of pop-ups to get a better look and feel.
Basic Authentication in JSP
In Basic Authentication the server request a user name and password from the web client and verify that the user name and password by comparing them against a database of authorized users.
First, the client requests access to a protected resource. Then the webserver returns a dialog box that requests the username and password. Then the client submits the username and password to the server. At last, the server authenticates the user, and if successful, it returns the requested resource.
We are using <log-config> tag under <web-app> tag to specify the authentication mechanism. The syntax is as follows:
For the Basic Authentication, we need to add auth-method as “BASIC” as follows:
Advantage of Basic Authentication in JSP
Basic Authentication also works through proxy servers and is more compatible with nearly every Internet Browser.
Disadvantage of Basic Authentication in JSP
It is not a secure authentication mechanism because it sends user names and passwords over the Internet as text that is Base64 encoded, and the target server is not authenticated. The user name and password information can easily be decoded if someone can intercept the transmission.
Role-Based Basic Authentication in JSP
In Role-Based Authentication, we need to create the roles and restrict the users by role. Here the resource can execute only if there is a specific role assigned to it. A single resource can be assigned to multiple roles and one role can be assigned to multiple resources.
In Role-Based Authentication, we need to define different roles and privileges and every user is assigned a role and every role has a collection of permissions and restrictions. A user can access particular objects and execute operations only if their roles in the system have the relevant permission, otherwise not. To implement Role Based Authentication, we can define roles in tomcat-users.xml located in following directory:
C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\tomcat-users.xml
The tomcat-users.xml file looks like this:
<user username=”tomcat” password=”tomcat” roles=”tomcat”/>
<user username=”both” password=”both” roles=”tomcat,role1″/>
<user username=”role1″ password=”role1″ roles=”role1″/>
<user username=”admin” password=”admin” roles=”admin”/>
In the tomcat-users.xml file, we are simply defining the mapping between username, password, and role. Here, we can even have multiple roles for the given users. After defining different roles, the role-based authentication can now be placed on different web application resources by using the <security-constraint> element in the web.xml file.
Example: Role-Based Basic Authentication in JSP
In this example, we are creating a JSP file (roleBasedSecurity.jsp) and we are trying to access that secured JSP file by configuring the roles in the web.xml file.
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" id="WebApp_ID" version="4.0"> <display-name>JSPDemo</display-name> <welcome-file-list> <welcome-file>roleBasedSecurity.jsp</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name> Private Resource </web-resource-name> <url-pattern>/roleBasedSecurity.jsp</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <description> </description> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>admin</role-name> </security-role> <login-config> <auth-method>BASIC</auth-method> </login-config> </web-app>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html> <html> <head> <title> Role Based Security JSP </title> </head> <body> <h4> Role Based Security JSP </h4> </body> </html>
Now run your JSP file, you will get the below pop-up to enter credentials.
Enter your credentials for the “admin” role because we configured it for the admin role. If you will enter invalid credentials, you will not get access to the following web page.
Now you will get access to the secured JSP file and you will get the following output:
Advantages of Role-Based Basic Authentication in JSP
It is one of the most popular approaches to restrict access because the system is bringing users together based on their roles and is no longer needed to authorize and revoke access on an individual basis.
Disadvantages of Role-Based Basic Authentication in JSP
Here, the permissions can be assigned only to user roles but not to objects and operations. So we can’t set up a rule using parameters that are unknown to the system before a user starts working. Also, we can restrict access to certain actions in our system but not to certain data.
In the next article, I am going to discuss Form-Based Authentication in JSP Applications with an Example. Here, in this article, I try to explain Basic Authentication in JSP Applications with an Example and I hope you enjoy this Basic Authentication in JSP article.