Web application security...

Chris Stewart
Ranch Hand

Joined: Sep 14, 2002
Posts: 184
I'm planning out an admin section for a web site I'm working on, and security is something I have a question about. Typically, I'd set a String to session when a user logs in and check for that variable on every "admin page". This works ok, but the session doesn't always die out until they close the browser window (even after I invalidate their session in a logout script).
Can anybody recommend a better way to handle security of a section of my site?
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I'm not sure I understand.
What are your requirements?
Chris Stewart
Ranch Hand

Joined: Sep 14, 2002
Posts: 184
The only req as far as security goes is to make sure nobody can access the pages in the admin section (/admin/) unless they have logged in.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Have a look at the authentication and authorization that should be built into your application server. It is possible to set up a single rule stating "No-one can log in to /admin/ unless I know who they are and they are allowed in there."
Letting the server take care of authentication is a lot easier and safer than trying to manage it on a per-page basis.
Dave
Manjunath Subramanian
Ranch Hand

Joined: Jul 18, 2001
Posts: 236
I suggest you use JAAS for setting up the security module in your website.
But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.
Chris Stewart
Ranch Hand

Joined: Sep 14, 2002
Posts: 184
Originally posted by Manjunath Subramanian:
But, coming to your original question, I still don't understand how the session object was alive on the server even after you called invalidate on it.

I don't either. I implemented the session value way last night and it invalidates just fine. I guess I'll stick with this for now.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16140
In the long term, you'll really gain by using JAAS and server security. My webapps have a security rule in web.xml such that URLs with /admin in the path are restricted to users in the administrator role. Thus, the security is enforced by the server and I don't have to maintain code in each and every servlet and JSP.


Customer surveys are for companies who didn't pay proper attention to begin with.
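The web.xml rule Tim describes, written out as an added example (not from the original thread or any poster's own deployment). The role name "administrator" and the /admin path come from the post; the login page paths and realm name are assumptions.

```xml
<!-- Added example: container-managed security for the /admin area.
     Role name "administrator" is from the post; login pages and realm
     name are assumed placeholders. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <!-- Covers every URL under /admin/, so no servlet or JSP there
         needs its own session check. -->
    <url-pattern>/admin/*</url-pattern>
    <!-- No <http-method> elements on purpose: listing some methods
         would leave the unlisted ones unprotected. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users mapped to this role get through. -->
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Force HTTPS so the session cookie and credentials are not
         sent in the clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>AdminRealm</realm-name>            <!-- assumed -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>        <!-- assumed -->
    <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed -->
  </form-login-config>
</login-config>

<!-- Declares the role so the container can map users to it. -->
<security-role>
  <role-name>administrator</role-name>
</security-role>
```

Which users belong to "administrator" is configured in the container's realm (a user database, LDAP, a JAAS login module), not in web.xml, so the same descriptor works across servers.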
 