security in JSP

Hi,

I am developing a jsp/servlet based application where once user is logged in, pages are displayed based on the user role.

I want to build security in the JSP to restrict the user from directly calling a jsp page without logging in.

When a user is logged in, I create a User object and store it in session. In every page I check if the User object is available in the session, if not the user is redirected to the login page.

I want to validate this approach with you all. Please let me know if there is a better option.

I tried request.getSession(false) == null in the JSP but it always returns a session.

Thanks in advance.

Javed.
There are two approaches to security in a Java web app; Declarative and Programmatic.

Containers provide mechanisms for declarative security which allows you to set everything up via configuration scripts (there is a link to the Servlet Spec in my signature if you want to learn more about it).

With programmatic security (the one I prefer), you write your own.

Rather than test for a null session (which is very unreliable with apps that use JSP), try adding an object to the user's session after a successful login.
Then, test that object for null instead of the session itself.
 
Javed Mohammed
Thanks Ben,

My design is exactly as what you suggested. I am storing a User object and checking in the jsp for the availability of the User object. If not available, redirecting the user to the Login page.

Thanks for your help.

Regards,

Javed.
You might also consider doing the test in a filter rather than adding code to every single JSP.
 
Ben Souther

Originally posted by Bear Bibeault:
You might also consider doing the test in a filter rather than adding code to every single JSP.

There's a demo app on my site that has just such a filter.
http://simple.souther.us/not-so-simple.html
It's in the SessionMonitor application.

The nice thing about doing this from a filter is that you can restrict access to static resources (HTML pages, images, PDFs, etc..) as well as servlets and JSPs.
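For readers who want to see what such a login-check filter looks like, here is an added example (not Ben's SessionMonitor code and not from the original thread). It assumes the login servlet stores the User object under a session attribute named "user" and that the login page lives at /login.jsp; both names are hypothetical and configurable. Mapped to /* in web.xml, it guards static files as well as servlets and JSPs, and it never creates a session itself, so the getSession(false) check from the first post behaves as intended here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter. web.xml mapping (assumed):
//   <filter><filter-name>loginCheck</filter-name>
//     <filter-class>LoginCheckFilter</filter-class>
//     <init-param><param-name>loginPath</param-name><param-value>/login.jsp</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>loginCheck</filter-name><url-pattern>/*</url-pattern></filter-mapping>
public class LoginCheckFilter implements Filter {
    // Assumed attribute name under which the login servlet stores the User object.
    static final String USER_ATTR = "user";
    // Assumed login page path; requests to it must pass through or we loop forever.
    private String loginPath = "/login.jsp";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("loginPath");
        if (p != null) loginPath = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, so the check is independent of the deployment name.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals(loginPath)) { chain.doFilter(req, res); return; }

        // getSession(false) does NOT create a session (a JSP with session="true" would);
        // no session, or a session without the User object, means the user never logged in.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            response.sendRedirect(request.getContextPath() + loginPath);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```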