Problem with Web Application

Nagendra Suresh
Greenhorn

Joined: Dec 29, 2012
Posts: 6
Hi everyone, this is my first post. Hoping I will learn a lot of things here.

I have created a sample Java-based web application. My application runs on Tomcat. Also, my application has only JSP files. In the application I have a login page. If login is successful, the user will be redirected to another page. However, the problem is that if I enter the link to the JSP file directly in the browser, it opens up. This should not be the case :-(. I have read several posts on putting all the JSP files under the WEB-INF directory; however, this leads to another problem. In my application I have links to other JSP files using <a href>. When I click on a link, it gives a Page not found error because of placing them in the WEB-INF folder. So basically what I would like to get help on is how to restrict access to the JSP files if a user has not gone through the login page. When the user enters the link to a JSP file directly, he should not be able to see the page if he has not logged in.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
That's what the servlet security mechanism is for; start reading here: https://www.coderanch.com/how-to/java/ServletsFaq#security. That way, the JSPs need not be inside of WEB-INF, but are protected from unauthorized access by the servlet container anyway.


Nagendra Suresh
Greenhorn

Joined: Dec 29, 2012
Posts: 6
[Ulf Dittmer]: Thanks for the reply, I will read it and try to get it working. I have one question. Currently, in my login page I have created my own function to check if the entered credentials are present in a database. If the login is correct, I redirect to another page. However, the link you provided says the post should be to 'j_security_check'. If I have understood things correctly, 'j_security_check' is nothing but the function I have written to check if the entered credentials are correct? Please correct me if I am wrong.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
Security is easy to get wrong (and thus result in an insecure system); it's better to rely on the built-in mechanisms of the servlet container, which are well tested and debugged.
Surendra Pandey
Greenhorn

Joined: Dec 24, 2009
Posts: 2
You can use the filter mechanism for the same.

Please see the implementation of a filter.
Nagendra Suresh
Greenhorn

Joined: Dec 29, 2012
Posts: 6
[Ulf Dittmer]: Thank you for pointing me to the links, they were very useful. I have implemented the servlet security mechanism in Tomcat with JDBC Realms and it worked well. The pages cannot be directly accessed now.
 