views: 355
answers: 1

I'm working on an intranet-only web application (J2EE) that requires some basic security features. There will be relatively few authorized users for the site, but I still need to implement some sort of secure session.

The basic flow I'm looking at is visit site => log in => use site => log out when done (or automatically log out when the browser is closed). Nothing fancy at all, not even a "remember me" option when logging in. Most of the work for authentication is already done - the site is accessible only over https, and I have a database which stores usernames and (encrypted) passwords.

So, once the user has logged in, what's the simplest (ideally no cookies beyond whatever JBoss/JSPs would do behind the scenes) way to implement a secure session? I.e., prevent users from just directly requesting pages beyond the login screen, etc.

Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet? What about preventing users from getting JSP files and forcing them to use a servlet for all requests? Any other considerations (and their solutions)?

+4  A: 

Sounds like you can use a simple declarative security approach.

Take a look at the Java EE Tutorial section for Securing Web Applications, particularly at the declarative security section.

To address your specific questions:

What's the simplest ... way to implement a secure session? I.e., prevent users from just directly requesting pages beyond the login screen, etc.

Declare your URLs in the webapp descriptor (web.xml) with an appropriate security role. They'll be inaccessible to unauthorized users (and an attempt to access them will bring forth a login page).

Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet?

All that will be completely unnecessary; the servlet container will do it for you behind the scenes.

What about preventing users from getting JSP files and forcing them to use a servlet for all requests?

As long as JSPs never need to be accessed publicly (e.g. you're forwarding to them from within your servlet; you're never redirecting to a JSP), you can declare their URLs in a collection with a security role that is never actually assigned to a user.

ChssPly76
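As an added example (not part of the answer above and not taken from the Java EE Tutorial), here is a web.xml that wires up exactly what the answer describes: one `user` role for every URL, a second role that is never granted to anyone to fence off the forward-only JSPs, FORM login, and a server-side session timeout. The realm name `intranet`, the `/views/*` directory for the JSPs, and the `/login.jsp` / `/login-error.jsp` pages are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml (Servlet 2.5). All names below are assumed for the example. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- 1. Everything in the app requires an authenticated user holding the "user" role.
          The container handles the "is this session authenticated?" check itself;
          the login/error pages are forwarded to internally, so they are still reachable. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Refuse plain HTTP even if someone types http://; the container redirects to HTTPS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. JSPs that are only ever forward() targets live under /views/ (assumed path).
          The "nobody" role is declared but never handed out by the realm, so no client
          can request these URLs directly; RequestDispatcher.forward() bypasses constraints. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Forward-only JSPs</web-resource-name>
      <url-pattern>/views/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 3. Form login: the container shows login.jsp for any unauthenticated request
          to a protected URL and returns to the originally requested page on success. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>intranet</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- 4. Both roles must be declared; only "user" is ever assigned by the realm. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>nobody</role-name>
  </security-role>

  <!-- 5. Server-side idle timeout in minutes. Closing the browser only drops the
          JSESSIONID cookie; the session object itself lives until this expires
          or until your logout servlet calls session.invalidate(). -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
```

Two practical notes. The login form has to post to `j_security_check` with fields named `j_username` and `j_password`; those names are fixed by the spec, everything else on the page is yours. And Tomcat resolves constraints by the best-matching url-pattern, so the `/views/*` constraint overrides `/*` for those paths rather than being unioned with it; if you would rather not rely on that, placing the forward-only JSPs under `/WEB-INF/` achieves the same thing with no constraint at all, because the container never serves anything under `WEB-INF` directly. Regarding the "no cookies" wish from the question: the container's URL-rewriting fallback puts the session ID into every link, where it ends up in proxy logs, browser history and Referer headers, so letting the container use its session cookie is the safer of the two.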
+1 for the good answer and being faster :)
Pascal Thivent
I've looked at using the DD for security before, and it seemed like overkill. I really don't have multiple security roles, or anything like that; just valid (or invalid) username/password combinations. With declarative security, how do I (as a Java programmer) inform the server that a particular username/password is or is not valid for a particular login attempt? The tutorial also says, "When creating a form-based login, be sure to maintain sessions using cookies or SSL session information," which is what I'm trying to avoid.
Matt Ball
You don't have to have multiple roles, one is enough (two if you want to restrict JSPs). How you determine whether a user/password is valid is container-specific; for Tomcat you can do that by specifying a realm (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JDBCRealm) or by writing your own. I'm not sure what you mean by "avoid cookies" - the session has to be maintained somehow (the container deals with cookies, not you). If cookies are unacceptable you can use URL rewriting (details are in the tutorial link).
ChssPly76
@Pascal - thank you :-)
ChssPly76
As long as the container deals with cookies, that's fine. I think rolling my own user/pw validation is the way to go (since it's done already) - but how do I communicate this to the container? I'm using JBoss, so I guess that means the container is Tomcat.
Matt Ball
For Tomcat it's very easy - you just need to specify a realm in the context configuration (there's a link to the documentation in my comment above). For JBoss (if you're using only servlets/JSP, why do you need a full app server?) it's a bit more involved. You need to configure a datasource (which you may already have done) and an appropriate LoginModule (http://www.jboss.org/community/wiki/DatabaseServerLoginModule). Take a look at this (http://docs.jboss.org/jbossas/getting_started/v4/html/dukesbank.html) for a more comprehensive tutorial.
ChssPly76
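As an added example following on from the last comment (written for this page; it is not ChssPly76's configuration and not copied from the JBoss documentation), this is the JBoss AS 4.x-style wiring that lets the container validate the form login against an existing users table instead of code you write yourself: a security-domain reference in WEB-INF/jboss-web.xml and a matching application-policy in the server's conf/login-config.xml using the DatabaseServerLoginModule the comment links to. The domain name `intranet`, the datasource JNDI name, the table and column names and the hash settings are all assumptions; they have to match your *-ds.xml and the way the password column was actually written.

```xml
<!-- WEB-INF/jboss-web.xml: bind this webapp to a JAAS security domain.
     The domain name "intranet" is an assumption for the example. -->
<jboss-web>
  <security-domain>java:/jaas/intranet</security-domain>
</jboss-web>

<!-- server/<config>/conf/login-config.xml: add this application-policy inside the
     existing <policy> root. Datasource, table and column names are assumptions. -->
<application-policy name="intranet">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- JNDI name of the datasource holding the users table (from your *-ds.xml). -->
      <module-option name="dsJndiName">java:/IntranetDS</module-option>

      <!-- Must return exactly one column: the stored password for the username
           the form submitted. No row means the login fails. -->
      <module-option name="principalsQuery">SELECT password FROM users WHERE username = ?</module-option>

      <!-- Must return two columns: role name and role group. The group has to be
           'Roles' for the role to count towards web.xml authorization. Here every
           valid account simply gets the single "user" role; a role that is meant to
           stay unassigned (the JSP fence from the answer) just never appears here. -->
      <module-option name="rolesQuery">SELECT 'user', 'Roles' FROM users WHERE username = ?</module-option>

      <!-- The question says the stored passwords are "encrypted". This module does a
           string compare after hashing the submitted password with the algorithm and
           encoding below, so these must be exactly how the column was produced.
           Values shown are assumptions. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The check a practitioner would want before trusting this: log in with a known-good account and a known-bad password and confirm the container sends you to the form-error-page in the second case, then request a URL that carries the never-assigned role and confirm it is refused even while logged in. If the existing password column was written with a salt, a per-user iteration count, or any scheme other than "encode(hash(password))", the stock module will never produce a match; that is the case where writing your own LoginModule (the other option the comment mentions) is the right call rather than weakening the storage to fit the module.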