How to restrict access to a servlet or jsp?

chaitanya karthikk
Ranch Hand

Joined: Sep 15, 2009
Posts: 800

Hi everybody, I am Chaitanya. I am using sessions to restrict access to a page if the user has not signed in. Once he signs in, he can call the particular page.

Now I have two users, with different roles for each. One is the administrator, another is ordinary user. The administrator can create a new user by requesting new_user.jsp page.

The page looks somewhat like this

Once the admin or ordinary user logs in, the loginSucess session attribute will be holding the user ID. So whoever calls this page can create a new user.

The ordinary user should not be able to access this page.

So my idea is to create two different session attributes, adminSession for admin and userSession for user.

This time, if the ordinary user sends a request for this page, he can't access it.



Otherwise, I have another idea. In this case there will be a single session which stores the user ID, and the new_user.jsp page is placed in the WEB-INF folder. Then the user requests a servlet first. The servlet will decide whether the user has administrative privileges or not by connecting to the database. If the user has admin privileges the page is served, otherwise not.

But in the second alternative, I don't know how to serve web pages from WEB-INF folder.


Is this the right way? Can I do it like this? Or is there another method to do this?

Thank you all in advance. Have a good day.

Love all, trust a few, do wrong to none.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60741
    
  65

Sounds like you are over-complicating something that's really a simple if-statement.


chaitanya karthikk
Ranch Hand

Joined: Sep 15, 2009
Posts: 800



Hi Bear, I didn't get what you were saying. Should I go with session?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60741
    
  65

Should I go with session?

For what?

If the only variable is whether the user is an admin or not, simply record that info along with whatever you are using in the session to store the info for the logged-in user. There's no need to over-complicate matters.
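
Added example, not part of the original thread and not any poster's code: a servlet that applies the if-statement suggested above and, for the WEB-INF question in the first post, forwards to a JSP the container will not serve directly. The `isAdmin` attribute name, `/login.jsp`, the `/WEB-INF/jsp/new_user.jsp` location and the class name are assumptions; `loginSucess` is the attribute name used in the thread, and the servlet still needs a URL mapping in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Assumed names: ADMIN_FLAG, LOGIN_PAGE, PROTECTED_VIEW.
public class NewUserPageServlet extends HttpServlet {

    private static final String USER_ATTR = "loginSucess";   // name used in the thread
    private static final String ADMIN_FLAG = "isAdmin";      // assumed attribute name
    private static final String LOGIN_PAGE = "/login.jsp";   // assumed login page
    // Files under WEB-INF cannot be requested by a browser; only a
    // server-side forward or include can reach them.
    private static final String PROTECTED_VIEW = "/WEB-INF/jsp/new_user.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) avoids creating a session for an anonymous visitor.
        HttpSession session = req.getSession(false);

        // Not logged in at all: send the visitor to the login page.
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Logged in but not an admin: refuse with 403.
        if (!isAdmin(session)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Admin: keep the page out of shared caches and render it.
        resp.setHeader("Cache-Control", "no-store");
        req.getRequestDispatcher(PROTECTED_VIEW).forward(req, resp);
    }

    // The login code is assumed to store Boolean.TRUE under ADMIN_FLAG only
    // after looking up the user's role server-side (e.g. in the database).
    // Anything else, including a missing attribute, is treated as non-admin.
    static boolean isAdmin(HttpSession session) {
        return Boolean.TRUE.equals(session.getAttribute(ADMIN_FLAG));
    }
}
```

The servlet that processes the submitted new-user form needs the same `isAdmin` check, since hiding the page does not stop a logged-in ordinary user from posting to that URL directly.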
chaitanya karthikk
Ranch Hand

Joined: Sep 15, 2009
Posts: 800

Thank you Bear.
 