JavaRanch » Java Forums » Java » Servlets

Web application security...

Chris Stewart
Ranch Hand

Joined: Sep 14, 2002
Posts: 184
I'm planning out an admin section for a web site I'm working on, and security is something I have a question about. Typically, I'd set a String to session when a user logs in and check for that variable on every "admin page". This works ok, but the session doesn't always die out until they close the browser window (even after I invalidate their session in a logout script).
Can anybody recommend a better way to handle security of a section of my site?
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I'm not sure I understand.
What are your requirements?
Chris Stewart
Ranch Hand

Joined: Sep 14, 2002
Posts: 184
The only requirement as far as security goes is to make sure nobody can access the pages in the admin section (/admin/) unless they have logged in.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Have a look at the authentication and authorization that should be built into your application server. It is possible to set up a single rule stating "No-one can log in to /admin/ unless I know who they are and they are allowed in there".
Letting the server take care of authentication is a lot easier and safer than trying to manage it on a per-page basis.
Dave
Manjunath Subramanian
Ranch Hand

Joined: Jul 18, 2001
Posts: 236
I suggest you use JAAS for setting up the security module in your website.
But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.
Chris Stewart
Ranch Hand

Joined: Sep 14, 2002
Posts: 184
Originally posted by Manjunath Subramanian:
But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.

I don't either. I implemented the session value way last night and it invalidates just fine. I guess I'll stick with this for now.
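The "session value" approach discussed above, done once in a servlet Filter instead of being copied into every admin page, plus a logout servlet that invalidates the session and expires the session cookie. This is an added example, not code from the thread; the attribute name "adminUser", the URLs /login and /logout, and the cookie name JSESSIONID (the Servlet default, configurable in some containers) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Guards every URL under /admin/ in one place. Map it in web.xml with
// <filter-mapping> and <url-pattern>/admin/*</url-pattern>.
// "adminUser" is an assumed attribute name set by the login code.
public class AdminFilter implements Filter {
    static final String ADMIN_ATTR = "adminUser";

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an anonymous visitor
        // probing /admin/ does not get one, and an invalidated session is simply
        // absent on the next request rather than being silently recreated.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(ADMIN_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + "/login"); // assumed URL
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}

// Logout: drop the server-side session, then expire the cookie so the browser
// stops presenting the old id. Use POST so a logout cannot be triggered by an
// image tag or link on another site.
class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // server-side state is gone from here on
        }
        // invalidate() does not touch the browser; expire the cookie explicitly.
        // Path must match the one the container set, normally the context path.
        String path = request.getContextPath();
        Cookie cookie = new Cookie("JSESSIONID", ""); // assumed default cookie name
        cookie.setMaxAge(0);
        cookie.setPath(path.isEmpty() ? "/" : path);
        response.addCookie(cookie);
        response.sendRedirect(path + "/login"); // assumed URL
    }
}
```

The login code that sets the "adminUser" attribute should first call `invalidate()` on any session that already exists and then `getSession(true)` to obtain a fresh id, so that an id handed to the browser before login is never the id that becomes authenticated.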
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145

In the long term, you'll really gain by using JAAS and server security. My webapps have a security rule in web.xml such that URLs with /admin in the path are restricted to users in the administrator role. Thus, the security is enforced by the server and I don't have to maintain code in each and every servlet and JSP.
