
webapp authorization

 
Larry Jones
Greenhorn
Posts: 7
I am making a webapp using Struts. I want to prevent direct access to JSP and servlet (.do) files if users have not successfully logged in. If I store the JSESSIONID in the database after a successful login and then check whether the JSESSIONID in the session matches the one in the database, is this secure?
 
Ben Souther
Sheriff
Posts: 13411
A lighter solution would be to put an object in the user's session after a successful login. Then use a filter that checks for the existence of that object and forwards the user to the login page if that object is null.

Also SRV 12 in the Servlet Spec provides for container managed, declarative security. Before rolling your own, you might want to familiarize yourself with it.

Here's the documentation for Tomcat:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
[ January 29, 2005: Message edited by: Ben Souther ]
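The filter Ben describes, as an added example that is not code from the thread: it lets a request through only when the session holds a server-side marker that the login code set. The attribute name `authenticatedUser`, the paths `/login.jsp` and `/login.do`, and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Blocks access to protected JSPs and .do actions unless the session carries
 * the login marker. The marker lives only in server memory; the browser sees
 * nothing but its session cookie, so it cannot fabricate the attribute.
 * Map this filter to *.jsp and *.do in web.xml.
 */
public class AuthenticationFilter implements Filter {

    // Hypothetical names: the login action must set this attribute to a
    // non-null value (e.g. the user's principal) after verifying credentials.
    static final String USER_ATTRIBUTE = "authenticatedUser";
    static final String LOGIN_PAGE = "/login.jsp";
    static final String LOGIN_ACTION = "/login.do";

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session for an anonymous caller
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && session.getAttribute(USER_ATTRIBUTE) != null;

        // The login page and its submit target must stay reachable,
        // otherwise nobody could ever log in.
        String path = request.getServletPath();
        boolean isLoginResource = LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path);

        if (loggedIn || isLoginResource) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }

    public void destroy() {}
}
```

On successful login, the login action should invalidate any pre-existing session and obtain a fresh one before setting the attribute, so that a session id handed to the victim before login (session fixation) does not become authenticated.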
 
Larry Jones
Greenhorn
Posts: 7
Yes, Ben, I thought about your lighter solution. But what I am worried about is that people may discover what that object is (if it is static, such as user name), and insert it manually into their browser, thus passing the security constraint of being "not null." Is this a problem? Or am I being paranoid?
 
Ben Souther
Sheriff
Posts: 13411
Any object you bind to your session will exist only on the server. All the browser will ever know is what the JSPSessionID is.
 
Dan Novik
Ranch Hand
Posts: 39
See for example File Access filter in JSOS: http://www.servletsuite.com/servlets.htm

You can prevent the access in the servlet filter.
 