Implementing the User access in an application

rammie singh
Ranch Hand

Joined: Mar 26, 2009
Posts: 116
Hi everybody...

I have an application in which I have various sets of users.
I have a design where I want a particular user to access a particular set of modules (pages).

Say I have links to countries like India, China, USA, South Africa or Nepal on my home page... then if a user has privileges for 2 countries, say USA and INDIA, he can access the links of only those countries.

I am storing these country privileges for a user in a userBean, and displaying links for only those countries for which he has the privilege. Say a user has access to USA and INDIA; he will be shown only 2 links on the home page.

Now all these links appear on the home page after successful login. After successful login, all the privileges (for all the countries) are fetched from the database and put into the userBean object.

But the problem is that after successful login (say with privileges USA and INDIA), if a user types

http://localhost:8080/Product/RequestHandler?PARAM=CHINA&actionSource=2

then the user is still able to open the China page, although he does not have access to the China page.

How do I tackle this problem?
Also, what is the standard way to give access to users in an application, so that the issues I mentioned above do not arise?
I am using simple JSP and servlets. No framework is being used in my application.
Thanks
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Check against the granted privileges: never trust any data provided by the user.
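
As an added example (not part of the original posts): one way to enforce that check on the server for every request to `RequestHandler`, so that a hand-typed `PARAM=CHINA` is refused even though the link is hidden on the home page. The `UserBean` interface, its `getCountryPrivileges()` method, the `"userBean"` session attribute name, and the assumption that every request to `RequestHandler` names a country in `PARAM` are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical shape of the thread's userBean: the countries granted at login. */
interface UserBean {
    Set<String> getCountryPrivileges(); // assumed to hold upper-case names, e.g. "USA", "INDIA"
}

/**
 * Map this filter to /RequestHandler in web.xml so every request is checked,
 * whether it came from a link on the home page or from a hand-typed URL.
 */
public class CountryAccessFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** The decision itself: deny unless the requested country was granted. */
    static boolean isAllowed(Set<String> granted, String requested) {
        if (granted == null || requested == null) return false;
        return granted.contains(requested.trim().toUpperCase(Locale.ROOT));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Privileges come from the server-side session, never from the request.
        HttpSession session = request.getSession(false);
        UserBean user = (session == null) ? null : (UserBean) session.getAttribute("userBean");
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // PARAM is user-controlled input; it only selects what to check.
        if (!isAllowed(user.getCountryPrivileges(), request.getParameter("PARAM"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Hiding the link on the home page stays useful for usability, but the decision that counts is the one made here, on each request.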
Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 642
You use Role-based authentication. For example, using Java Authentication and Authorization Service (JAAS). You can google that for some information and tutorials, etc.

You then assign specific roles to users. In your case, you would say that "user1" participates in roles "USA" and "INDIA". You then can say that only users who participate in the "USA" role are allowed to access the USA-based resources.

How you configure the security domain depends on the application server you're using. I'm running on JBoss 5.1.0.GA, and was helped a great deal by the book JBoss in Action from Manning Publications. It showed everything I needed to do to get my user to log in, and how to lock down various resources based on the roles assigned to the user.

Best Regards,
rammie singh
Ranch Hand

Joined: Mar 26, 2009
Posts: 116
Thanks for your responses.
I will try both options... let's see which one suits me. Thanks.
 