Block access to few web pages when user has not logged in

 
Gayathri Gayu
Ranch Hand
Posts: 384
If I do have a site name as http://webaddress/Admin/LoginServlet and the page contains the list of a few event names the user can access once they log in. But the direct page is getting displayed when the user just types the URL or selects the URL from history even when they didn't log in. How will I restrict this access?
 
Swastik Dey
Bartender
Posts: 2270
Does session tracking help in this?
 
Tim Moores
Saloon Keeper
Posts: 7411
A page called loginservlet should not display content. That should be done by whatever page serves content according to the user's permissions. Are you maybe not doing a post-redirect-get after login?

And yes, why does the content page display something to a user who is not properly authorized?
 
Gayathri Gayu
Ranch Hand
Posts: 384

Swastik Dey wrote:Does session tracking help in this?

How will I do that?
 
Gayathri Gayu
Ranch Hand
Posts: 384

Tim Moores wrote:A page called loginservlet should not display content. That should be done by whatever page serves content according to the user's permissions. Are you maybe not doing a post-redirect-get after login?

And yes, why does the content page display something to a user who is not properly authorized?



How will I do the authorization?
 
Tim Moores
Saloon Keeper
Posts: 7411
By accessing the session so you know who the user is, and what she is allowed to see.
 
Gayathri Gayu
Ranch Hand
Posts: 384
Please tell me how will I access the session?
 
Swastik Dey
Bartender
Posts: 2270
When the user logs in, put the user info in a session attribute. When any request comes, validate against that.
 
Gayathri Gayu
Ranch Hand
Posts: 384
The above is the servlet code where the user logs in.

This is where we check whether the entered username and the DB user name are the same. Where should I put the user info in the session attribute?
 
Swastik Dey
Bartender
Posts: 2270
 
Gayathri Gayu
Ranch Hand
Posts: 384
Is that one line of code enough for tracking the session? As I have an admin page in which the login page loads the following code, which calls FileUploadServlet.java. And when I open the same page after logout or in a different browser, the page displays the content.

 
Swastik Dey
Bartender
Posts: 2270
The above line is setting the value in session. Wherever you want to validate, you have to retrieve it from session.

 
Gayathri Gayu
Ranch Hand
Posts: 384
Sorry to ask. But I am not able to understand.
 
Swastik Dey
Bartender
Posts: 2270


Try to access this page without logging in or from a different browser after logging in.  

In the above line we are retrieving the user info from session. If the value is not null we show the page. It will be non-null only when the user comes to this page after logging in, because only there are you setting the user info in session; if the URL is opened from any different browser instance it will be null.
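The same session check, moved into a servlet Filter so it covers every request under /Admin/* instead of being repeated in each JSP or servlet (added example, not code from the thread). It assumes the login servlet stores the user name in the session attribute userName1, as in the thread, and that the login form lives at /Admin/login.jsp (hypothetical path).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread: one Filter applies the session check to every request under /Admin/*.
@WebFilter(urlPatterns = "/Admin/*")
public class AdminLoginFilter implements Filter {

    // Attribute the thread's LoginServlet sets after a successful login.
    private static final String USER_ATTR = "userName1";
    // Assumed paths: the login servlet named in the thread, and a hypothetical login form.
    private static final String LOGIN_SERVLET = "/Admin/LoginServlet";
    private static final String LOGIN_PAGE = "/Admin/login.jsp";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Container-normalised path inside the webapp, e.g. "/Admin/FileUploadServlet".
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        if (path.equals(LOGIN_SERVLET) || path.equals(LOGIN_PAGE)) {
            chain.doFilter(req, res); // the login endpoints themselves must stay reachable
            return;
        }

        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            // Typed URL, history entry, another browser, or after logout: go to the login page.
            // This runs before the servlet, so a GET never reaches a POST-only servlet either.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res); // logged in: let the request through
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

On successful login, call request.changeSessionId() (Servlet 3.1+) or invalidate the old session before setting the attribute, and on logout call session.invalidate(), so the filter's check is what actually decides access.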
 
Tim Holloway
Saloon Keeper
Posts: 26020

Gayathri Gayu wrote:If i do have a site name as http://webaddress/Admin/LoginServlet and the page contains the list of few event names the user can access once they login. But the direct page is getting displayed when the user just type the url or by selecting the url from history even when they didn't logged in. How will restrict this access?



Stuff like this is exactly why you shouldn't be writing your own login.

If you'd used the security system defined by the JEE standards specification the web application server itself would prohibit access to the sensitive URLs. Unauthorized access would never even get near the actual webapp.

Attempts to access protected URLs would bounce the user directly to the server's login process. Only after - and IF the user had logged in successfully would the targeted URL resource (web page) be returned. No evasions, no artefacts in the browser history, nothing is going to bypass that. It's a system that has been proven over something like 20 years of use.
 
Rob Spoor
Sheriff
Posts: 22683
I was waiting for Tim H's post ever since I read the initial post. See https://javaee.github.io/tutorial/security-webtier002.html for a bit more information. The only drawback is that part of the mechanism is container specific - Tomcat, JBoss, GlassFish and other containers could all do the actual user authentication + role mapping differently. You'd need to check the container documentation on how to do this exactly.
 
Tim Holloway
Saloon Keeper
Posts: 26020

Rob Spoor wrote:I was waiting for Tim H's post ever since I read the initial post.



What? Just because I'm obsessed with it? I'd feel guilty except that it's admitted by almost anyone who's worked for any length of time with webapps that when users (or the shop's resident, um, genius) designs a "security system", the results almost invariably have all the durability of wet tissue paper.

Rob Spoor wrote:The only drawback is that part of the mechanism is container specific - Tomcat, JBoss, GlassFish and other containers could all do the actual user authentication + role mapping differently. You'd need to check the container documentation on how to do this exactly.



The only part of the mechanism that's container specific is the configuration of the Realm for the container. The webapp requires absolutely no changes for security regardless of what webapp server you deploy it to. Furthermore, changing the Realm itself doesn't require webapp modification. The same app that runs with JDBC authentication and authorization will work equally well under LDAP or XML file Realms or even a site-wide single-signon.

Configuring a JEE security Realm is generally pretty simple, regardless of what server you use. It's often possible to do so via a vendor-supplied administrative webapp. True, one has to know how to configure the webapp server, but then again, that's true for all the other server-specific features too.
 
Rob Spoor
Sheriff
Posts: 22683

Tim Holloway wrote:

Rob Spoor wrote:I was waiting for Tim H's post ever since I read the initial post.



What? Just because I'm obsessed with it? I'd feel guilty except that it's admitted by almost anyone who's worked for any length of time with webapps that when users (or the shop's resident, um, genius) designs a "security system", the results almost invariably have all the durability of wet tissue paper.


I didn't mean you specifically posting it, I meant someone mentioning web security. That should have been one of the first answers. It's no surprise it comes from you though

Rob Spoor wrote:The only drawback is that part of the mechanism is container specific - Tomcat, JBoss, GlassFish and other containers could all do the actual user authentication + role mapping differently. You'd need to check the container documentation on how to do this exactly.



The only part of the mechanism that's container specific is the configuration of the Realm for the container. The webapp requires absolutely no changes for security regardless of what webapp server you deploy it to. Furthermore, changing the Realm itself doesn't require webapp modification. The same app that runs with JDBC authentication and authorization will work equally well under LDAP or XML file Realms or even a site-wide single-signon.


I actually meant that. There may be some internal mapping from container specific role to web.xml role (I've had to do this with WebLogic), and the way the user credentials are stored may be different (users.properties file vs web interface), but that should not be a concern of the application. It has its own roles to worry about (defined in web.xml), and authenticating should simply be delegated to the container (either through the web.xml defined authentication method or by using HttpServletRequest.login).
 
Tim Holloway
Saloon Keeper
Posts: 26020
JEE standards specify that to deploy a webapp you need two sets of information: The container-dependent deployment descriptor and the container-independent deployment descriptor. The container-independent deployment descriptor is the WEB-INF/web.xml file that's bundled with the WAR and, of course, has to conform to the official XML schema for web.xml. The container-dependent deployment descriptor has a format(s) that's entirely dependent on the design and implementation of the webapp server itself. For Tomcat, that's the Context XML file. For Wildfly, I believe it's called application.xml, and actually I've never coded one for WebSphere, since it built its own from the management console webapp.

The logical and physical role names, if I may refer to them as such, are in a gray area. While their format is certainly server-independent, their usage would appear to entirely be based on making it easier to deploy on a server-specific basis.

Or perhaps not. Actually, what I've used the logical role names for wasn't really server-specific so much as it was to better adapt local role settings to a global role environment. For example, using an LDAP/Active Directory server, you could have a set of user roles that span multiple systems (and not necessarily only web applications!). So this allowed me to take generic roles in webapps and not have issues with the corporate roles in the central security server. For example, I'd map the "admin" role in an accounting app to "accounting_admin" at the corporate level, but I might map "admin" in the inventory app to "inventory_admin". It's not quite "write once/run anywhere", but at least it can resolve conflicts without major recoding.
 
Gayathri Gayu
Ranch Hand
Posts: 384

Swastik Dey wrote:

Try to access this page without logging in or from a different browser after logging in.  

In the above line we are retrieving the userinfo from session.  If the value is not null we show the page.  It will be not null only when the user comes to this page after logging in because there only you are setting the user info in session, if the url is opened from any different browser instance it will be null.



Thanks for the code. That works. But when trying to access from a different browser, instead of the invalid access error message I got the "HTTP method GET is not supported by this URL" error message.
 
Gayathri Gayu
Ranch Hand
Posts: 384
And the login button click will access the LoginServlet class. But then when I click add it is accessing the FileUploadServlet class, in which the user who is not logged in can access the page easily.

JSP code for uploading a file.

Java code for file upload. When I try adding the same line in the JSP file it returns null. So how will I access the userName in all pages?
 
Tim Holloway
Saloon Keeper
Posts: 26020

Swastik Dey wrote:
<%
 // Local variable in a scriptlet; a JSP declaration would make uname a servlet field shared by all requests.
 String uname = (String) session.getAttribute("userName1");
%>
<%
 if (uname != null) {
%>
...



Come on, guys, this isn't PHP. You're using scriptlets, not using a Connection Pool for database connections, depending on maintenance programmers to always include explicit security code instead of offloading it to the container (which, as mentioned, does a more secure job of it), and probably other things I've missed because it's painful for me to read it.

Java is an expensive programming platform. It's not something where you can just take a hatchet and hack out a crude solution. If that's all you want to do, there are more "productive" platforms for that. Including PHP.

And I'm not knocking PHP or the other scripting platforms, just saying that if I want something done quick and dirty I use them, but if I want something that's secure, scalable and performant, I use Java.  And because Java is a lot more work, I don't just try and slash my way through the forest with a machete, I use well-proven industry best practices. So that the security, performance and scalability actually work.

In short, maybe it's time to step away from blindly pecking out code and read some good books on professional Java and JEE.
 
Gayathri Gayu
Ranch Hand
Posts: 384

Swastik Dey wrote:

Try to access this page without logging in or from a different browser after logging in.  

In the above line we are retrieving the userinfo from session.  If the value is not null we show the page.  It will be not null only when the user comes to this page after logging in because there only you are setting the user info in session, if the url is opened from any different browser instance it will be null.



I want the same to happen in FileUploadServlet page where my jsp code is

How will I restrict the access of this page?
 