JavaRanch » Java Forums » Java » JSP
Security in MVC Pattern

Sam Furtado
Ranch Hand

Joined: Jul 16, 2002
Posts: 45
Hi Guys !!!
Currently implementing the MVC Pattern using Servlets, JSP & Beans in developing a web site.
Wherein, all links on the site invoke the Servlet Controller and further pass parameters as to the action that has to be carried out. For instance, something like this:
<a href="ControllerServlet?event=print">Print</a>. This determines that some data needs to be processed in one of the beans and then further redirected to the view jsp file (display.jsp). However, I wouldn't want anyone to directly access this page by typing in "display.jsp" in the browser address bar.
In short, a view jsp page should not be displayed when accessing it directly (this could happen if someone knows the names of the internal pages used). At the same time it should be able to be redirected to from within data processing servlets.
How should I go about doing this???
Please suggest.
Thank You


Sun Certified Java Programmer
Sun Certified Web Component Developer
Ken Pelletier
Ranch Hand

Joined: Aug 01, 2002
Posts: 54
Hi,
There are two very typical ways of going about this, and probably others that work equally well.
For the resources you don't want to be accessed externally (from a browser), you can:
1) Put them inside of WEB-INF (best located in a subdirectory there). This makes them accessible internally (e.g. from forward()), but not externally from a browser.
2) Use a security-constraint and assign no users to the role-name. You can put all the resources you want to 'hide' inside a subdirectory or adjust your url-pattern accordingly, e.g. you could use *.jsp to hide all JSPs.
Example using a subdir for "internal-only" resources:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>internal</web-resource-name>
        <url-pattern>/internal/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>internal</role-name>
    </auth-constraint>
</security-constraint>
With no users assigned to the role 'internal', only internal access will get through. Access via the forward() family of methods does not go through the security constraint mechanism.
Good luck.
- Ken
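Ken's first option, carried through as an added example that is not from the original thread: a hypothetical ControllerServlet that does its processing and then forward()s to a view kept under /WEB-INF/views/. It goes one step beyond the post by resolving the event parameter through a fixed map, so the client never supplies a view path. The class, the view file names and the "data" attribute are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller for the pattern in the thread: every link hits
// ControllerServlet?event=..., the servlet does the work, then forwards to a
// view JSP under WEB-INF, which the container refuses to serve directly.
public class ControllerServlet extends HttpServlet {

    // Fixed mapping from event name to view path. The path never comes from
    // the request, so a crafted event value cannot steer the forward to an
    // arbitrary file; unknown events are simply rejected.
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("print", "/WEB-INF/views/display.jsp");
        VIEWS.put("list",  "/WEB-INF/views/list.jsp");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String event = req.getParameter("event");
        String view = (event == null) ? null : VIEWS.get(event);
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown event");
            return;
        }

        // Processing step: in the real application a bean does the work here.
        // A constructed placeholder value stands in for the bean's result.
        req.setAttribute("data", "result of " + event);

        // forward() dispatches server-side within the same request, so it may
        // reach /WEB-INF/...; a browser asking for /WEB-INF/views/display.jsp
        // gets a 404 from the container, which is exactly what Sam wanted.
        RequestDispatcher rd = req.getRequestDispatcher(view);
        rd.forward(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

Note that this only works with forward()/include(): a sendRedirect() to the view would make the browser issue a fresh request for the WEB-INF path, and that request is rejected like any other external one.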
Sam Furtado
Ranch Hand

Joined: Jul 16, 2002
Posts: 45
Thanks Ken !!!
It came through.
Thank You
Ken Pelletier
Ranch Hand

Joined: Aug 01, 2002
Posts: 54
Odd, but I swear I didn't re-post that one.
Honest, guv.