*
The moose likes Servlets and the fly likes Pop up URL authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Pop up URL authentication" Watch "Pop up URL authentication" New topic
Author

Pop up URL authentication

Vishwas Shashidhar
Greenhorn

Joined: Oct 20, 2010
Posts: 4
Hi,

I need to know how a URL can be authenticated using Javascript/html with a pop up appearing.

For example, if there is a page called "abc.jsp" and i click on the link that takes to "abc.jsp", i should get a pop up asking the username/password which then is sent to the server to authenticate the user. If the user is authenticated, "abc.jsp" is displayed. Else, he is redirected to the Error page with a message stating he is not authorized.

How can i achieve this?? Please help me.


Thanks in advance.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Why JavaScript?

Its pretty simple (though also simplistic) to have a condition in a JSP whereby if not authenticated render some JavaScript that does just what you ask.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Vishwas Shashidhar
Greenhorn

Joined: Oct 20, 2010
Posts: 4
Thanks for the suggestion Paul.

But the kind of design we have done is pretty sophisticated.

We don't do any logical operations in a JSP, everything is taken care by Servlets and traditional Java classes.

Let me explain the exact logic I'm looking to implement.

There is a JSP called "home.jsp". And there are links to navigate to different pages from this page. Certain operations can be performed only by an administrator. For example, if i want to delete the data of a student, I click on the "DeleteStudent.jsp" link. Our initial approach was to pass the Student name to the servlet, keep it in a session, redirect the user to the authentication page, authenticate him and then delete the data. But i thought this involved too many operations and pages.

Since I've seen so many sites in which if i hit a URL, a pop-up appears and once i'm authenticated, i can access the page.

I didn't get to know how to implement this using a Javascript as in a JS Popup, the password is not masked which is a huge concern.

So, please let me know how i can take this further.

Hope you have understood the scenario.

Thanks in advance again.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336


There is a JSP called "home.jsp". And there are links to navigate to different pages from this page. Certain operations can be performed only by an administrator. For example, if i want to delete the data of a student, I click on the "DeleteStudent.jsp" link. Our initial approach was to pass the Student name to the servlet, keep it in a session, redirect the user to the authentication page, authenticate him and then delete the data. But i thought this involved too many operations and pages.


Any reason you don't authenticate the user and only display operations they can perform? Seems like a far easier option.


Since I've seen so many sites in which if i hit a URL, a pop-up appears and once i'm authenticated, i can access the page.

That popup is unlikely to be JavaScript. What you are more likely seeing is the standard callback handler supplied by the browser.


I didn't get to know how to implement this using a Javascript as in a JS Popup, the password is not masked which is a huge concern.[

Masking what data is entered in a field is fairly trivial to do in JavaScript. I'm just not seeing why JavaScript is needed here at all. Standard form based authentication will behave (almost) as you require, the only difference being its not a popup you'll hit when you access a resource within a security constraint as an unauthenticated user.
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Paul,

I'm just curious if you are suggesting to implement the web security features provided by specifications using realms and security constraints in deployment descriptor. This seems to be the pretty straight forward approach. Did I misunderstood the question ?


Regards
KumarRaja

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

That's exactly what I'm suggesting, for the reason you mention Kumar: it seems to be the straight forward way of resolving this. I'm curious if Vishwas has a compelling reason to use JavaScript.
Vishwas Shashidhar
Greenhorn

Joined: Oct 20, 2010
Posts: 4
Thanks a lot for the input Paul.

Yes, i am pretty much clear now. I will mostly use the form based authentication.

The part where you say only authorized people(admin) should access the page, i've implemented that as well.

Its just that i want to give double security for a "DELETE" operation as the consequences would be severe if the admin does it mistakenly and all the data is lost. Which is why i am including a second password for the same purpose to make sure the admin is aware of the thing.

Your input was really helpful. Cheers
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Pop up URL authentication
 
Similar Threads
opening popup window conditionally
Configuration of filter problem
Maintain request object across multiple servers/web apps
opening popup window conditionally
opening popup window conditionally