jsp login page and other pages

Greenhorn
I have a login page and some other JSP pages.

When I log in, from the browser arrow button I can go to the next page and back to the login page, and from the login page to the next page, which is a security hole.
How do I restrict the user from jumping to pages without logging in?
 
Saloon Keeper
If you are using JEE standard container-based security, that's not a problem. The JEE security system puts guards on the URLs using patterns and role relationships that you define in the web.xml, and any attempt to access those URLs will cause the security system to intercept the request and to force a login (authentication) if the user is not already logged in. The security role[s] assigned to the user - if any - will be matched, and thus access will be limited to only users assigned the proper role for that URL.

With container security, you define the login and loginfail form pages in web.xml but you do not code login logic. The login logic is part of the container (security Realm). Users do not issue requests to the login page directly. In fact, if they try, it will fail. Instead, the login page is displayed automatically when a non-authenticated user makes a URL request to a protected URL.

This is a very robust and secure system designed and tested over many years by security professionals. It's part of every JEE server, even the lightweight ones like Tomcat and Jetty, and it's supported by the JEE APIs.

Unfortunately, too many people try to write their own login/security system and then they do encounter problems like the one you worry about. Because security is a chain where the weakest link breaks everything, unless you're professionally trained and not distracted by security as an add-on to the application you're supposed to be writing, I can virtually assure you that your grow-your-own security will be cracked open in very short order.

In short, you really shouldn't write your own login code, no matter how clever you are. And I'm afraid that a lot of JEE textbooks like to use user-written login code for examples, which just makes things worse.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
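As an added illustration of the container-managed setup described in the answer above (example configuration, not code from the thread or from any particular server), here is a web.xml that protects everything under an assumed `/app/*` path with an assumed role name `user` and declares assumed login and failure pages `/login.jsp` and `/loginfail.jsp`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml: container-managed FORM authentication (added example, not from the thread).
     Assumed values: URL pattern /app/*, role "user", pages /login.jsp and /loginfail.jsp. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Every URL under /app/ is guarded; the container intercepts the request
       before any JSP under that path runs, so skipping the login page is not possible. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <!-- No <http-method> listed: the constraint covers all HTTP methods. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users holding this role may pass. -->
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so the submitted credentials are not sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The login and login-failure pages are declared, not coded. The container
       shows /login.jsp only when an unauthenticated user requests a protected URL;
       both pages sit outside /app/* so they are reachable without a session. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginfail.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced in a constraint must be declared; the container's Realm
       (for example Tomcat's UserDatabaseRealm) maps real accounts onto them. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The form in `/login.jsp` must POST to the container's `j_security_check` action with fields named `j_username` and `j_password`; the container checks them against its Realm and, on success, replays the originally requested protected URL. The Realm itself (which users exist and which roles they hold) is configured in the server, not in the application.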