JavaRanch » Java Forums » Java » JSP
webapp authorization

Larry Jones
Greenhorn

Joined: Jan 23, 2005
Posts: 7
I am making a webapp using struts. I want to prevent direct access to jsp and servlet (.do) files if users have not successfully logged in. If I store the jsession id in the database after a successful login and then check if the jsession id in the session matches the one in the database, is this secure?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

A lighter solution would be to put an object in the user's session after a successful login. Then use a filter that checks for the existence of that object and forwards the user to the login page if that object is null.

Also SRV 12 in the Servlet Spec provides for container managed, declarative security. Before rolling your own, you might want to familiarize yourself with it.

Here's the documentation for Tomcat:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
[ January 29, 2005: Message edited by: Ben Souther ]

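The "object in the session plus a filter" approach Ben describes above, written out as an added example (this is not code from the thread or from Tomcat/Struts). The class name LoginFilter, the attribute name authenticatedUser and the path /login.jsp are assumptions; the login action itself is reduced to the one helper that marks a session as authenticated. The filter only ever reads the server-side session, so, as Ben notes later in the thread, the only thing the browser holds is the session id cookie, not the object being checked.

```java
// Added example, not part of the original thread. Names such as LoginFilter,
// "authenticatedUser" and /login.jsp are assumptions.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {

    // Session attribute that the login action sets after a successful login.
    // It exists only in the server-side session object; the browser never
    // sees it, it only carries the JSESSIONID cookie that names the session.
    static final String USER_ATTR = "authenticatedUser";
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to discover that
        // the visitor is not logged in.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        // The login page itself must pass, otherwise every visitor loops forever.
        String path = request.getServletPath();
        if (loggedIn || LOGIN_PAGE.equals(path)) {
            chain.doFilter(req, res);
            return;
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }

    public void destroy() { }

    // Called by the login action once the credentials have been verified.
    // The old session is discarded first so that a session id handed out
    // before login (for example one chosen by someone else) is never upgraded
    // to an authenticated one.
    static void markLoggedIn(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, userName);
    }

    // Called by the logout action.
    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

The filter is registered in web.xml with a filter-mapping whose url-pattern covers the resources to protect, here `*.jsp` and the Struts `*.do` actions; a JSP kept under WEB-INF cannot be requested directly at all and only needs protecting at the action that forwards to it. For a larger application the container-managed security Ben points to (a security-constraint in web.xml backed by a Tomcat realm) covers the same ground without any code of your own.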
Larry Jones
Greenhorn

Joined: Jan 23, 2005
Posts: 7
Yes, Ben, I thought about your lighter solution. But what I am worried about is that people may discover what that object is (if it is static, such as user name), and insert it manually into their browser, thus passing the security constraint of being "not null." Is this a problem? Or am I being paranoid?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Any object you bind to your session will exist only on the server. All the browser will ever know is what the JSPSessionID is.
Dan Novik
Ranch Hand

Joined: Jan 26, 2005
Posts: 39
See, for example, the File Access filter in JSOS: http://www.servletsuite.com/servlets.htm

You can prevent the access in the servlet filter.