I have a small question. I am implementing a small web application. It has 4 links under the main menu: Lookup, Add, Update and Delete. I am trying to implement role-based access here. The Lookup link can be viewed by anyone, but Add, Delete and Update will be viewed only by people with one particular user role. Even this is also working fine. (I am checking this from the login page, taking the user name and checking whether it is configured against the user role; if yes, then displaying the link, if not, hiding them.) But the main problem is that if they type the URL of the main menu, say (http://localhost:8080/App/mainMenu.jsp), into the browser, it displays all the links without checking the user role. How do we eliminate this?
You need to check the role on more than just the login page; it should be information available to all parts of the web application. One way is to include the role information in whatever session variable is used to indicate that the user is logged in. That way, simple <c:if> blocks on the page can determine whether controls or sections need to be displayed based upon roles.
You are also checking roles once an action is submitted to make sure that the user has the authority to execute the operation. Right? Just hiding UI controls is not sufficient security.
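One way to put both points of the answer into practice, as an added example that is not code from the original post: a servlet filter that enforces the session role on every request (the typed-URL case included), with the matching <c:if> shown in a comment. It assumes the login code stores the role under the session attribute "role" with the values "VIEWER" or "EDITOR", that the application is deployed at context path /App, and that the add/update/delete pages and their submit actions share the path prefixes /add, /update and /delete; all of these names are hypothetical.

```java
// Added example, not from the original post. Assumes login stores the user's role
// in the session attribute "role" ("VIEWER" or "EDITOR") and that the protected
// pages and their form actions live under /add*, /update* and /delete* (hypothetical).
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*") // every request in the web app passes through here, not only links clicked in the menu
public class RoleFilter implements Filter {

    // Path prefixes that require the EDITOR role; covers both the page and its submit action.
    private static final List<String> EDITOR_ONLY = List.of("/add", "/update", "/delete");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath(); // e.g. "/mainMenu.jsp" for /App/mainMenu.jsp

        if (path.startsWith("/login")) { // the login page itself must stay reachable
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false); // never create a session for an anonymous request
        String role = session == null ? null : (String) session.getAttribute("role");
        if (role == null) { // not logged in: redirect, whatever URL was typed
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        boolean editorOnly = EDITOR_ONLY.stream().anyMatch(path::startsWith);
        if (editorOnly && !"EDITOR".equals(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed; hiding the link alone is not enough
            return;
        }
        chain.doFilter(req, res); // lookup and the main menu are open to any logged-in role
    }

    // mainMenu.jsp can then hide the controls from the same session attribute:
    //   <c:if test="${sessionScope.role == 'EDITOR'}"><a href="add.jsp">Add</a></c:if>
}
```

The JSP condition only tidies the menu; the filter is what actually stops a VIEWER who types /App/add.jsp or posts directly to /App/delete.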