Saturday, September 26, 2015

Securing a Web Application in Tomcat 7 using JDBCRealm and j_security_check


Use case:

A web application contains master and transaction modules. Those modules must be reachable only by users holding the admin role.

Implementation :

  1.  Prepare the database table. The following script is the minimum requirement; a view exposing the same columns works just as well.

     CREATE TABLE "USER_MANAGEMENT"  
       (      "ID" NUMBER(5,0) NOT NULL ENABLE,   
             "USER_ID" VARCHAR2(50 BYTE) NOT NULL ENABLE,   
             "USER_NAME" VARCHAR2(100 BYTE) NOT NULL ENABLE,   
             "PASSWORD" VARCHAR2(1000 BYTE) NOT NULL ENABLE,   
             "ROLE_NAME" VARCHAR2(20 BYTE),   
              PRIMARY KEY ("ID")  
       );  
    
  2.    

  3. Configure $CATALINA_HOME/conf/server.xml, adding the following Realm inside the <Engine>, <Host> or <Context> element whose applications should use it:

     <Realm className="org.apache.catalina.realm.JDBCRealm" connectionName="ORACLE_SCHEMA" connectionPassword="ORACLE_PASSWORD"  
      connectionURL="jdbc:oracle:thin:@localhost:1521:xe" driverName="oracle.jdbc.driver.OracleDriver"   
      dataSourceName="jdbc/authority" userTable="USER_MANAGEMENT" userNameCol="USER_ID" userCredCol="PASSWORD"  
      roleNameCol="ROLE_NAME" userRoleTable="USER_MANAGEMENT"   
     />  
    

    A short explanation of the configuration:
    • className selects the realm implementation, here org.apache.catalina.realm.JDBCRealm. This is Tomcat-specific; GlassFish configures its JDBC realm differently.
    • connectionName is the Oracle schema (database user) Tomcat connects as. Grant it only SELECT on the user table or view.
    • connectionPassword is that schema's password. It sits in clear text in server.xml, so restrict the file's permissions to the account Tomcat runs as.
    • connectionURL is the JDBC thin URL: host name or IP, port and SID of the Oracle server.
    • driverName is the JDBC driver class.
    • dataSourceName is not a JDBCRealm attribute (DataSourceRealm uses it to name a JNDI DataSource), so Tomcat ignores it here and logs a "did not find a matching property" warning at startup. It is kept only because the web.xml below repeats the same name as realm-name, which FORM authentication ignores as well (realm-name is only shown to the browser for BASIC authentication).
    • userTable is the table or view created above (USER_MANAGEMENT). Tomcat queries it to authenticate the user.
    • userNameCol is the column holding the user id the application logs in with.
    • userCredCol is the column holding that user's password. Without a digest attribute the stored value is compared in clear text; add digest="SHA-256" to the Realm and store the lower-case hex digest that $CATALINA_HOME/bin/digest.sh -a SHA-256 <password> prints.
    • userRoleTable is the table or view holding the roles. To keep this simple we use the same table as userTable; in the real world this would be a separate table or view so one user can hold several roles.
    • roleNameCol is the column of USER_MANAGEMENT that tells the container the user's role. Its values must match the <role-name> in web.xml exactly; the comparison is case-sensitive, so store admin, not Admin.
    Note that JDBCRealm funnels every lookup through a single JDBC connection, so DataSourceRealm backed by a pooled JNDI DataSource is the better choice outside development.
  4. Configure web.xml
    • Define the security constraint:
       <security-constraint>  
            <web-resource-collection>  
                 <web-resource-name>Master and transaction</web-resource-name>  
                 <url-pattern>/faces/master/*</url-pattern>  
                 <url-pattern>/faces/transaction/*</url-pattern>  
                 <url-pattern>/faces/login.xhtml</url-pattern>  
                 <url-pattern>/faces/index.xhtml</url-pattern>  
            </web-resource-collection>  
            <auth-constraint>  
                 <role-name>admin</role-name>  
            </auth-constraint>  
       </security-constraint>  
      
    • Define the security role (the name must match both the auth-constraint above and the ROLE_NAME values in the table):
       <security-role>  
            <description>Administrators of the master and transaction modules</description>  
            <role-name>admin</role-name>  
       </security-role>  
      
    • Define the login-config (FORM authentication, handled by Tomcat's j_security_check):
       <login-config>  
            <auth-method>FORM</auth-method>  
            <realm-name>jdbc/authority</realm-name>  
            <form-login-config>  
                 <form-login-page>/faces/login.xhtml</form-login-page>  
                 <form-error-page>/faces/error/LoginError.xhtml</form-error-page>  
            </form-login-config>  
       </login-config>  
      

  5. Put the Oracle JDBC driver jar into Tomcat's lib directory, $CATALINA_HOME/lib/. The Realm is loaded by Tomcat itself, so the driver has to be on Tomcat's class path; a copy in the application's WEB-INF/lib is not enough.
  6. Restart Tomcat and deploy the application.
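The steps above never show the login page itself, how to load a user row, or how to tell that the whole chain works. The POSIX shell script below is an added example, not code from the original post or from Tomcat, and supplies all three: it computes the password digest that a Realm configured with digest="SHA-256" expects (the same value digest.sh prints), builds the INSERT for USER_MANAGEMENT, emits a Facelets login page that posts to j_security_check, and probes the deployed form login with curl. The function names, the sample user and the URLs are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tomcat itself.
# Assumes the Realm from step 3 carries digest="SHA-256"; function names,
# the sample user and the URLs below are this example's own.

# Hex SHA-256 of the raw password bytes: the same value that
# $CATALINA_HOME/bin/digest.sh -a SHA-256 <password> prints, and what Tomcat 7
# compares (case-insensitively) with userCredCol when digest="SHA-256" is set.
tomcat_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
  fi
}

# Double single quotes so a display name like O'Brien cannot break the statement.
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# INSERT for the USER_MANAGEMENT table from step 1. Only the digest is stored;
# the clear-text password never reaches the database.
#   usage: user_insert_sql <id> <user_id> <user_name> <password> <role>
user_insert_sql() {
  case $1 in ''|*[!0-9]*) echo "id must be a positive integer" >&2; return 1;; esac
  printf "INSERT INTO USER_MANAGEMENT (ID, USER_ID, USER_NAME, PASSWORD, ROLE_NAME) VALUES (%s, '%s', '%s', '%s', '%s');\n" \
    "$1" "$(sql_quote "$2")" "$(sql_quote "$3")" "$(tomcat_digest "$4")" "$(sql_quote "$5")"
}

# Facelets login page for form-login-page (/faces/login.xhtml). The form must be
# plain HTML, not <h:form>: the j_username/j_password fields are read by Tomcat's
# FormAuthenticator, which handles any URI in the context ending in /j_security_check.
login_form() {
  cat <<'EOF'
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html">
<h:head><title>Login</title></h:head>
<h:body>
  <form method="post" action="#{request.contextPath}/j_security_check">
    <label>User <input type="text" name="j_username"/></label>
    <label>Password <input type="password" name="j_password"/></label>
    <input type="submit" value="Login"/>
  </form>
</h:body>
</html>
EOF
}

# Walk the FORM login exchange against a deployed app. The first GET of a
# protected page makes Tomcat save that request in the session and serve the
# login form (HTTP 200); the POST to j_security_check must carry the same
# JSESSIONID, hence the cookie jar. Prints the status of the POST: 302 back to
# the saved page means authenticated, 200 means the form-error-page was served.
#   usage: probe_login http://localhost:8080/myapp /faces/master/index.xhtml admin 's3cret'
probe_login() {
  base=$1 page=$2 user=$3 pass=$4
  jar=$(mktemp)
  curl -s -o /dev/null -c "$jar" -b "$jar" "$base$page"
  code=$(curl -s -o /dev/null -w '%{http_code}' -c "$jar" -b "$jar" \
          --data-urlencode "j_username=$user" --data-urlencode "j_password=$pass" \
          "$base/j_security_check")
  rm -f "$jar"
  echo "$code"
}

# Sample row for the admin user (constructed); review it, then feed it to sqlplus.
user_insert_sql 1 admin "Administrator" 'change-me' admin
```

Run the script once to get the INSERT for the first admin, save the output of login_form as /faces/login.xhtml in the application, and after deployment call probe_login with a wrong and then with the right password: the first must answer 200 (error page), the second 302. A 302 for a wrong password means the realm is not being consulted at all, and a 200 for the right one usually means a mismatch between the stored digest and the Realm's digest attribute.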

