Securing an application

 
Ranch Hand
Posts: 48
Hi,
I need to protect a bunch of JSPs which need to be accessed only when somebody logs in to the application, and prevent users from directly typing in the URL with http://hostname/anypage.jsp instead of https://hostname/anypage.jsp. How can I achieve this? I am using IIS as the web server and IBM WebSphere 4.0 as the application server.
Right now, once a user logs in, the user is redirected to an application.jsp page through a servlet (the URL is https://hostname/application.jsp). Once you get to this page, the user is able to type in http://hostname/application.jsp and continue with the process. I want to show the user the error page when the user types in http:// instead of https://.
How can I achieve this? How do I protect those files? How can I 'sslProtect' these JSP files? Can anyone help me to solve this?
I have been looking at the WebSphere documentation and all over the web but haven't been able to find any documentation or help.
Thanks in advance for all the help.
Chuck Meduri
 
Ranch Hand
Posts: 66
Hi,
You can secure the application in many ways.
I am suggesting a simple and easy way.
1. a) Keep a variable in the session in the login servlet.
b) In all the JSPs, check for the variable which you placed in the session. If it exists, continue; otherwise redirect to the error page. This can be achieved by using an authorisation JSP (included with the jsp:include tag) which checks the session variable; if the variable doesn't exist, it will just redirect to the error page.
Check whether this works.
 
Rancher
Posts: 13459
The decision is always a trade-off, but if you are trying to protect enough pages I would recommend using configuration-based authentication rather than programmatic declaration.
If you only have a few pages that a user needs to be logged in for, there isn't a large overhead to pasting the same code into each JSP.
If there are heaps then it becomes more problematic and it's a lot easier to configure the server to say "These pages here are secured".
Have a look at BASIC or FORM-based authentication.
The 'HTTP' versus 'HTTPS' problem can also be managed via explicit code or configuration.
In the web.xml file, you can specify that the security for a set of resources is CONFIDENTIAL in the transport-guarantee tag. If this resource is requested under an unsecure protocol, the server will send them the https version rather than the http version.
Dave