
Page level authorization

Preeti Prabhakar
Greenhorn

Joined: Jul 27, 2009
Posts: 12
Hi All,

We have an application with a large number of JSP pages and servlets. Is there any easy way to impose page level authorization without having to go to each page to set it up?
I.e., if the user somehow figures out the URL of some page to which he has no access, then an error message should be shown to him.

Thanks!
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61104
    

Filters.


Preeti Prabhakar
Greenhorn

Joined: Jul 27, 2009
Posts: 12
Thanks for the quick response.

But the problem in implementing this solution is: how do we uniquely identify a JSP page? I guess the servlet filter has to be implemented in such a way that it will read the JSP's unique identifier and then check whether the user is authorized to access it or not. But, for this approach, we will have to go to each of the hundreds of JSPs and assign it a unique identifier.
Is there a better way to handle it so that it can be done with less effort?

Thanks
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61104
    

You shouldn't be addressing JSPs at all -- you should be addressing the page controller for the JSP. Or are you still following Model 1?

In any case, the filter can identify the target by its unique URL.
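
The filter approach from the replies above, as an added example that is not part of the original thread: one filter mapped to `/*` looks up the request's URL in a rule table and answers 403 when the user's roles do not match. The class name, the rule table and the `roles` session attribute are assumptions, and Servlet 3.0 (`javax.servlet`) is assumed for `@WebFilter`.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: one filter mapped to every URL, so no JSP or servlet is edited.
@WebFilter("/*")
public class PageAuthorizationFilter implements Filter {
    // Constructed sample rules, most specific prefix first: URL prefix -> role.
    // A null role marks a public area. Anything not listed is denied.
    private final Map<String, String> rules = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) {
        rules.put("/login", null);
        rules.put("/admin/reports/", "auditor");
        rules.put("/admin/", "admin");
        rules.put("/account/", "user");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Decoded path the container dispatched on (getRequestURI() is the raw form).
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (isAllowed(path, rolesOf(request.getSession(false)))) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    boolean isAllowed(String path, Set<String> userRoles) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue() == null || userRoles.contains(rule.getValue());
            }
        }
        return false; // default deny: a page nobody listed is not reachable
    }

    @SuppressWarnings("unchecked") // "roles" is a hypothetical attribute set at login
    private static Set<String> rolesOf(HttpSession session) {
        Object roles = session == null ? null : session.getAttribute("roles");
        return roles instanceof Set ? (Set<String>) roles : Collections.<String>emptySet();
    }

    @Override public void destroy() { }
}
```

By default a filter runs only on direct client requests, so a JSP reached through a controller's forward is covered by the rule for the controller's URL.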
Manjesh Patil
Ranch Hand

Joined: Sep 24, 2010
Posts: 41


You can protect the URLs using security-constraint tags in the web.xml file.


regards
Ma

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61104
    

That assumes container-based authentication. And it's hard to apply on a page by page basis.
Manjesh Patil
Ranch Hand

Joined: Sep 24, 2010
Posts: 41

I agree. But what I understand from the mail is that the developer is trying to apply high level authorisation to the URL (allow/deny).

If all my JSPs are in the path /jsp/example/, I can still use the security-constraint tag to protect /jsp/example/*.jsp, and the same way for Servlets.

regards
Ma
vinayak jog
Ranch Hand

Joined: Apr 01, 2011
Posts: 81

There is a very simple solution: override the HttpServletResponse's sendRedirect method using HttpServletResponseWrapper. You can write your own customized redirect method.
 