NetBeans Forums
agolia (Joined: 17 Apr 2012, Posts: 2)
Posted: Tue Apr 17, 2012 9:29 pm
Post subject: Secure Web Service and Tomcat JDBC Realm
Can anyone recommend a tutorial on configuring a secure web service running on Tomcat 7 which is configured to authenticate users against a MySQL database?
I deployed my web service on Tomcat, which is configured as I mentioned above; however, when I attempt to access the service with a .NET client I receive the following error...
Authentication of Username Password Token Failed
Not sure what I am missing; do I need to hash the password before passing it to the service (SHA1)?
duncant (Joined: 25 Jan 2012, Posts: 9)
Posted: Wed Apr 18, 2012 3:00 pm
Depends very much on exactly what you are doing.
When you say "a secure web service" that could mean different things. The most likely scenario is that you are passing HTML forms-based username/password credentials to your server over an SSL/TLS connection with HTTPS. And when you say you are authenticating users against a MySQL database I'm guessing that means you have usernames and passwords stored in the database. Is that it?
As a general principle, passwords should not be stored in a database in cleartext form. So the MySQL database may well be designed to store a hash of the password, not the actual password. If that's the case, then yes, you should hash the password before sending it. That can be done in the client or in the server. But it's possible to implement this in many different ways. You need to check how your application is designed and implemented on the server side, and then make sure your client is consistent.
If you google "dot net forms authentication" you'll find a Microsoft tutorial here:
http://support.microsoft.com/kb/301240
Looking at that code, you'll see they give an example which stores the passwords in the database in the clear. Then way down at the end they show how that can be changed to store a hash of the password. So, it can be done either way. Take a quick look at the contents of your databases - you should be able to quickly tell if you are looking at hashes or at actual passwords.
By the way, the Microsoft example code looks to me to be vulnerable to SQL injection attacks - I'd be careful about using that code in a production environment.
Hope that helps!
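Added illustration (not code from either poster, and not Tomcat's own code): the Python sketch below models the server-side check duncant describes, so that the "which side hashes?" question can be tried out. It assumes a user table with `user_name`/`user_pass` columns (constructed here in in-memory SQLite; Tomcat's JDBCRealm lets you name the real table and columns), two constructed sample accounts, and an unsalted lowercase-hex digest as the stored form, which is how I understand a realm configured with a `digest` attribute compares credentials. The scenarios show the two combinations that succeed (plaintext sent to a digesting realm, or a pre-hashed value sent to a non-digesting realm over a hashed table) and the two mismatches that produce exactly the kind of "authentication failed" result the question reports. The lookup uses a parameterised query, which is the fix for the SQL-injection weakness duncant points out in the Microsoft sample.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional

# Constructed sample accounts for the demo; not real credentials.
SAMPLE_USERS = [("alice", "correct horse battery"), ("bob", "hunter2")]


def digest_hex(password: str, algorithm: str) -> str:
    """Unsalted lowercase-hex digest, the stored form assumed for a
    realm configured with a digest attribute (e.g. SHA-1 hex)."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def build_user_table(store_digest: Optional[str]) -> sqlite3.Connection:
    """In-memory stand-in for the realm's user table.  store_digest=None
    stores cleartext (the practice duncant warns against); otherwise the
    named hashlib algorithm is applied before storing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT NOT NULL)")
    for name, pw in SAMPLE_USERS:
        stored = digest_hex(pw, store_digest) if store_digest else pw
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, stored))
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, username: str, submitted: str,
                 realm_digest: Optional[str]) -> bool:
    """Server-side check: fetch the stored credential with a parameterised
    query (never string-concatenated SQL), transform the submitted value the
    same way the stored one was produced, and compare in constant time."""
    row = conn.execute(
        "SELECT user_pass FROM users WHERE user_name = ?", (username,)
    ).fetchone()
    if row is None:
        return False  # unknown user; same answer as a wrong password
    stored = row[0]
    candidate = digest_hex(submitted, realm_digest) if realm_digest else submitted
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def scenarios() -> dict:
    """Each combination of 'what the table holds', 'what the realm does' and
    'what the client sends'.  Only a consistent client/server pair succeeds."""
    pw = "correct horse battery"
    hashed_db = build_user_table("sha1")      # table holds SHA-1 hex digests
    clear_db = build_user_table(None)         # table holds cleartext
    return {
        # client sends plaintext (over TLS), realm digests it: consistent
        "plaintext_to_digest_realm": authenticate(hashed_db, "alice", pw, "sha1"),
        # client pre-hashes AND realm digests again: double hash, mismatch
        "prehashed_to_digest_realm": authenticate(hashed_db, "alice", digest_hex(pw, "sha1"), "sha1"),
        # hashed table, realm compares raw, client sends plaintext: mismatch
        "plaintext_to_plain_realm_hashed_db": authenticate(hashed_db, "alice", pw, None),
        # hashed table, realm compares raw, client sends the hash: consistent
        "prehashed_to_plain_realm_hashed_db": authenticate(hashed_db, "alice", digest_hex(pw, "sha1"), None),
        # cleartext table, plaintext sent: works, but storage is the weak point
        "plaintext_cleartext_db": authenticate(clear_db, "alice", pw, None),
        "wrong_password": authenticate(clear_db, "alice", "not the password", None),
        "unknown_user": authenticate(clear_db, "mallory", pw, None),
        # a quote in the username is just data to a parameterised query
        "quote_in_username": authenticate(hashed_db, "alice' --", pw, "sha1"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} {'OK' if ok else 'FAIL'}")
```

The two failing rows are the ones to compare against your own setup: if the table clearly holds hex strings but the realm has no digest configured, the client has to send the hash; if the realm is configured to digest, the client must send the plaintext and rely on TLS to protect it in transit.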