Hello everyone, here is how our Tomcat webserver is currently set up. We are using JSP for the webpages.

  • /webserverpath/main (all public pages and the login page)
  • /webserverpath/secure1 (private pages)
  • /webserverpath/secure2 (private pages)
  • /webserverpath/secure3 (private pages)

I recently discovered that the authentication is very minimal. For instance, once a user is logged in, they can bookmark any private page, close the browser, open the browser back up, go to the bookmark and are never asked to sign in again (which turns out to be bad since we recently started disabling users). All of this was set up before I arrived. I'm wondering what I can do to add the proper security. Should I have all the folders under one main folder (i.e. /webserverpath/main/secure1, etc.) or just leave it alone?

Let me add that I'm newish to the whole website authentication stuff, to having multiple websites in different folders like this, and to JSP itself.

Thank you

A: 

You might start here: Declarative Web Application Security with Servlets and JSP
Generally, you probably want some session-based authentication that kicks people out of the private parts of the site if they aren't authenticated.

Joel Meador