security in JSP

Hi,

I am developing a jsp/servlet based application where once user is logged in, pages are displayed based on the user role.

I want to build security in the JSP to restrict the user from directly calling a jsp page without logging in.

When a user is logged in, I create a User object and store it in session. In every page I check if the User object is available in the session, if not the user is redirected to the login page.

I want to validate this approach with you all. Please let me know if there is a better option.

I tried request.getSession(fale) == null in the JSP but it always returns a session

Thanks in advance.

Javed.

There are two approaches to security in a Java web app; Declarative and Programmatic.

Containers provide mechanisms for declarative security which allows you to set everything up via configuration scripts (there is a link to the Servlet Spec in my signature if you want to learn more about it).

With programmatic security (the one I prefer), you write your own.

Rather than test for a null session (which is very unreliable with apps that use JSP), try adding an object to the user's session after a successful login.
Then, test that object for null instead of the session itself.

Thanks Ben,

My design is exactly as what you suggested. I am storing a User obejct and checking in the jsp for the availability of the User obejct. If not available redirecting the user to the Login page.

Thanks for your help.

Regards,

Javed.

You might also consider doing the test in a filter rather than adding code to every single JSP.

Originally posted by Bear Bibeault:
You might also consider doing the test in a filter rather than adding code to every single JSP.

There's a demo app on my site that has just such a filter.
http://simple.souther.us/not-so-simple.html
It's in the SessionMonitor application.

The nice thing about doing this from a filter is that you can restrict access to static resources (HTML pages, images, PDFs, etc..) as well as servlets and JSPs.