I am making a webapp using Struts. I want to prevent direct access to JSP and servlet (.do) files if users have not successfully logged in. If I store the JSESSIONID in the database after a successful login and then check whether the JSESSIONID in the session matches the one in the database, is this secure?
A lighter solution would be to put an object in the user's session after a successful login. Then use a filter that checks for the existence of that object and forwards the user to the login page if that object is null.
Also SRV 12 in the Servlet Spec provides for container managed, declarative security. Before rolling your own, you might want to familiarize yourself with it.
Yes, Ben, I thought about your lighter solution. But what I am worried about is that people may discover what that object is (if it is static, such as user name) and insert it manually into their browser, thus passing the security constraint of being "not null." Is this a problem? Or am I being paranoid?
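Ben's filter suggestion, written out as an added example (this is not code from the thread or from any project): the login action stores a marker in the HttpSession, and a Filter redirects any request that lacks it. The attribute name `authenticatedUser`, the `/login.jsp` path and the url patterns in the web.xml comment are assumptions. Two points bear on the follow-up question: session attributes live on the server, keyed by the session id carried in the JSESSIONID cookie, so a browser can present a cookie but cannot add attributes to the server-side session; and the helper invalidates any session that existed before authentication, so a session id handed out before login is not carried over into the logged-in session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login-check filter (example code, not a project's own).
 *
 * Assumed web.xml mapping, covering both the Struts actions and the JSPs:
 *
 *   <filter>
 *     <filter-name>loginCheck</filter-name>
 *     <filter-class>LoginCheckFilter</filter-class>
 *     <init-param><param-name>loginPage</param-name><param-value>/login.jsp</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>loginCheck</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
 *   <filter-mapping><filter-name>loginCheck</filter-name><url-pattern>/secure/*</url-pattern></filter-mapping>
 *
 * The login page itself and the login action must NOT be covered by the mapping,
 * or nobody could ever reach them.
 */
public class LoginCheckFilter implements Filter {

    /** Session attribute set by the login action after a successful credential check (assumed name). */
    public static final String USER_ATTR = "authenticatedUser";

    private String loginPage = "/login.jsp";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("loginPage");
        if (configured != null) {
            loginPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null for visitors without a session instead of creating one.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Not logged in: send the browser to the login page instead of the requested resource.
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        // Logged in: let the request continue to the action or JSP.
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /**
     * Called by the login action once the credentials have been verified.
     * Any session that existed before login is discarded and a fresh one created,
     * so the logged-in state is bound to a session id issued only after authentication.
     */
    public static void markLoggedIn(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ATTR, username);
    }

    /** Called by the logout action. */
    public static void markLoggedOut(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

JSPs that should never be requested directly can additionally be moved under `/WEB-INF/`, which the container will not serve by URL; Struts actions can still forward to them. With that layout the filter mapping only needs to cover the `.do` URLs.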