How to restrict the direct url access in the unauthorized user's session? It's working fine with the new browser without login into the application. But when the low level user logins into the application, he can able to access the unauthorized screens by providing the direct link in the browser. Can anybody help me to solve this issue?
A URL is a URL. All you can do is restrict URLs according to your security system. I often have apps that have a free-access welcome page, user-restricted functionality pages and another groups of URLs that are accessible only by administrators.
I recommend container-managed authorization, because that way you don't have to code URL security into your app - just set up the roles and rules in web.xml.
Customer surveys are for companies who didn't pay proper attention to begin with.
You could create a custom JSP tag that executes authorization before processing the rest of the page. For all pages that require authorization, place this custom tag in the source code for the JSP page.
When a user attemps to view the page, if he/she is not authorized, then they cannot view the page.