views: 406
answers: 3
I have a site that uses forms and validates fields and redirects to other pages etc., but I need to know how to keep any user from accessing a page directly via the URL, so that they get redirected to the login form...

I've seen this, but I don't know how to call it. :S

I think it's with session variables, and that I should check for a session variable in the top of the page that I want to restrict.

I am using JSP in building my website.

Thanks in advance.

+3  A: 

You can do this declaratively with security constraints in the deployment descriptor.

Essentially, you say 'this set of resources is only accessible by users in a given set of roles using a given set of HTTP methods', as follows:

Resources behind URLs /secured/* are only accessible to authenticated users in the 'admin' role.

<web-app...>
  <security-constraint>

    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <description>Secured pages</description>
      <url-pattern>/secured/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>

    <auth-constraint>
      <description>Administrative users</description>
      <role-name>admin</role-name>
    </auth-constraint>

  </security-constraint>

</web-app>

It requires some setup - security realms etc, login form configuration, but it means that your security setup is not done programmatically, instead it is in a tool-supported and abstracted, declarative way. This helps keep your code clean and focussed.

Here's the relevant part of the Sun Educational material for Java EE 5. It's a relatively complex and potentially very important topic so I suggest you have a good read through of the material there.

Brabster
+2  A: 

Java EE tutorial has a section dedicated to securing web applications.

That's what you need to do - you'll be able to declare your security constraints in your webapp descriptor (web.xml). Here is an example of how to secure a particular URL

ChssPly76
this sounds good.. thanks for your quick response..
Nave
+2  A: 

Alternatively, you can use a filter that catches all requests and forwards to the correct path as appropriate. It would take more work than security constraints but you could have more control over processing.

Using security constraints is certainly a good simple solution, though.

Eric Wendelin
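A filter of the kind this answer describes, written here as an added example (it is not Eric Wendelin's code or any project's). It assumes the login handler stores the authenticated user under the session attribute "user", that the login form lives at /login.jsp outside the protected path, and that the filter is mapped to /secured/* in web.xml; all three names are assumptions, not something the thread specifies.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Sends unauthenticated requests for protected pages to the login form.
 *
 * Assumed conventions (not from the original thread): the login servlet puts
 * the authenticated user in the session attribute "user", the form is at
 * /login.jsp, and web.xml maps this filter to /secured/*:
 *
 *   <filter>
 *     <filter-name>loginRequired</filter-name>
 *     <filter-class>LoginRequiredFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loginRequired</filter-name>
 *     <url-pattern>/secured/*</url-pattern>
 *   </filter-mapping>
 *
 * The login page itself must not be under the filtered pattern, otherwise
 * every redirect to it is intercepted again and the browser loops.
 */
public class LoginRequiredFilter implements Filter {

    static final String USER_ATTR = "user";          // set by the login servlet on success
    static final String LOGIN_PAGE = "/login.jsp";   // assumed location of the form
    static final String RETURN_TO_ATTR = "returnTo"; // where to send the user after login

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: anonymous hits on a
        // protected URL should not allocate server-side state.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn) {
            chain.doFilter(req, res);   // authenticated: let the protected page run
            return;
        }

        // Remember the requested path server-side, not in a query parameter,
        // so the post-login redirect target cannot be tampered with or pointed
        // at another host. getRequestURI() already includes the context path.
        String target = request.getRequestURI();
        String query = request.getQueryString();
        if (query != null) {
            target += "?" + query;
        }
        request.getSession(true).setAttribute(RETURN_TO_ATTR, target);

        // Redirect rather than forward: the address bar shows the login page,
        // and a bookmarked protected URL still passes through this filter on
        // the next visit instead of silently rendering the login form under
        // the protected address.
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }

    public void destroy() { }
}
```

After a successful login the servlet should read the `returnTo` attribute, remove it, and redirect there; it should also invalidate the pre-login session and start a fresh one before storing the `user` attribute, so a session id handed out before authentication never becomes an authenticated one. Unlike the declarative `<security-constraint>` approach, nothing here checks roles or HTTP methods; that is the "more work, more control" trade-off the answer mentions.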