I have an application in which I have various sets of users.
I have a design where I want particular users to access particular sets of modules (pages).
Say I have links for countries like India, China, USA, South Africa or Nepal on my home page. Then, if a user has privileges for 2 countries, say USA and INDIA, he can access the links for only those countries.
I am storing these country privileges for a user in a userBean, and displaying links only for those countries for which he has the privilege. Say the user has access to USA and INDIA; he will then be shown only 2 links on the home page.
Now all these links appear on the home page after successful login. After successful login, all the privileges (for all the countries) are fetched from the database and put into the userBean object.
But the problem is, after successful login (say with privileges USA and INDIA), if a user types
then the user is still able to open the China page, although he does not have access to the China page.
How to tackle this problem?
Also, what is the standard way to give access to users in an application, so that the issues I mentioned above do not arise?
I am using simple JSP and servlets. No framework is being used in my application.
Check against the granted privileges: never trust any data provided by the user.
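The check the reply above asks for, written out as an added example (this is not code from the original thread): a servlet filter that re-checks the session's userBean on every request for a country page, so a URL typed by hand gets the same answer as a link that was never shown. It assumes the Servlet 2.5 API (javax.servlet, as used on JBoss 5.x), that the login servlet stores the populated bean under the session key "userBean", that the country pages live at /countries/<name>.jsp, and a userBean shape with a getCountryPrivileges() method returning upper-case country names; all of these are assumptions, not details from the thread.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not the poster's code). Map it in web.xml to the URL
 * space that holds the country pages, with both dispatcher types so forwards
 * are covered as well as direct requests:
 *
 *   <filter-mapping>
 *     <filter-name>CountryAccessFilter</filter-name>
 *     <url-pattern>/countries/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 */
public class CountryAccessFilter implements Filter {

    // Assumption: the login servlet stores the populated userBean under this session key.
    private static final String USER_BEAN_KEY = "userBean";
    // Assumption: country pages live under /countries/<name>.jsp inside the web app.
    private static final String COUNTRY_PREFIX = "/countries/";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Not logged in: send to the login page. getSession(false) avoids
        //    creating an empty session for anonymous hits.
        HttpSession session = request.getSession(false);
        UserBean user = (session == null) ? null : (UserBean) session.getAttribute(USER_BEAN_KEY);
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // 2. Derive the requested country from the URL path itself, never from a
        //    parameter or hidden field, which the user can edit at will.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String country = countryFromPath(path);

        // 3. Deny by default: a URL that does not look like a country page, or a
        //    country the bean does not list, gets 403 no matter which links the
        //    home page happened to show.
        if (country == null || !user.getCountryPrivileges().contains(country)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Extracts the country from "/countries/<name>.jsp" (or "/countries/<name>",
     * with or without a ";jsessionid=..." path parameter) and upper-cases it for
     * comparison with the privilege set. Returns null for anything else, which
     * rejects nested paths, empty names and dot/percent tricks such as "..".
     */
    static String countryFromPath(String path) {
        if (path == null || !path.startsWith(COUNTRY_PREFIX)) {
            return null;
        }
        String rest = path.substring(COUNTRY_PREFIX.length());
        if (rest.indexOf('/') >= 0) {
            return null;                       // no nested paths under a country
        }
        int end = rest.length();
        for (int i = 0; i < rest.length(); i++) {
            char c = rest.charAt(i);
            if (c == '.' || c == ';') { end = i; break; }
        }
        String name = rest.substring(0, end);
        if (!name.matches("[A-Za-z]+")) {
            return null;                       // letters only; "" and ".." both fail
        }
        return name.toUpperCase(Locale.ROOT);
    }
}

/** Minimal stand-in for the poster's userBean (shape assumed); filled at login. */
class UserBean {
    private final Set<String> countryPrivileges;

    UserBean(Set<String> countryPrivileges) {
        this.countryPrivileges = countryPrivileges;
    }

    Set<String> getCountryPrivileges() {
        return countryPrivileges;
    }
}
```

Two things to keep in mind when using this. The filter only runs for URLs that match its mapping, so every country page must actually sit under /countries/ and nothing else should be reachable there; a page left outside the mapping is unprotected. And hiding links on the home page stays a convenience for the user, not a control: the only check that counts is the one that runs on the request for the page itself.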
Mark E Hansen
You use role-based authentication. For example, using Java Authentication and Authorization Service (JAAS). You can google that for some information and tutorials, etc.
You then assign specific roles to users. In your case, you would say that "user1" participates in roles "USA" and "INDIA". You then can say that only users who participate in the "USA" role are allowed to access the USA-based resources.
How you configure the security domain depends on the application server you're using. I'm running on JBoss 5.1.0.GA, and was helped a great deal by the book JBoss in Action from Manning Publications. It showed everything I needed to do to get my user to log in, and how to lock down various resources based on the roles assigned to the user.
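The declarative form of what Mark describes, as an added example that is not from his post or from JBoss in Action: a web.xml fragment using the Servlet specification's security-constraint element, which every servlet container understands. It assumes the country pages are split into per-country directories such as /countries/usa/* (an assumption, not the poster's layout) and that the container's realm or JAAS login module already maps "user1" to the roles USA and INDIA; that realm setup is server-specific and is not shown here.

```xml
<!-- web.xml: one constraint per country; the container enforces these on every
     request before any JSP or servlet runs, so typing the URL cannot bypass them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>USA pages</web-resource-name>
    <url-pattern>/countries/usa/*</url-pattern>   <!-- assumed layout -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>USA</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>India pages</web-resource-name>
    <url-pattern>/countries/india/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>INDIA</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>China pages</web-resource-name>
    <url-pattern>/countries/china/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>CHINA</role-name>
  </auth-constraint>
</security-constraint>

<!-- Form login handled by the container; the login page itself must not be
     covered by any of the constraints above. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role referenced above must be declared. Which users hold which
     role is configured in the server's realm or JAAS login module, not here. -->
<security-role><role-name>USA</role-name></security-role>
<security-role><role-name>INDIA</role-name></security-role>
<security-role><role-name>CHINA</role-name></security-role>
```

The caveat with declarative security is that a URL pattern no constraint covers is open to everyone, so each new country directory needs its own security-constraint before its pages are deployed. On the rendering side, request.isUserInRole("USA") in the home-page JSP lets you show only the links the user may follow, using the same roles the container enforces, so there is no second copy of the privileges to keep in sync.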
Thanks for your responses.
I will try both options; let's see which one suits me. Thanks.