My web app has a secure area which users log in to via a JSP. The JSP posts the user name and password to a servlet, which then checks to see if the users credentials are valid. If they are valid then the user is directed to the secure resource. How can I ensure that users can't just navigate to the secure resource without validating first?

+5  A: 

A common approach is to set a token in the user's session i.e.,

session.setAttribute("loggedIn", "true");

or even

session.setAttribute("loggedInUser", "someUserName");

and check that on any page that should be secured. A good strategy is to perform the check using a servlet filter that you attach to any page to be secured. If they don't pass the check, the filter can redirect to the login page. Also see here: http://java.sun.com/products/servlet/Filters.html

This is a good article on using filters for authentication also: http://www.developer.com/java/ent/article.php/3467801

mtruesdell
Why would this approach be better than container managed authentication?
erickson
It depends on your needs. For a simple application, this is easier, but cma is a good robust solution for more advanced needs. As always, your mileage may vary.
mtruesdell
I would prefer something like session.setAttribute("user", userBean); of course with no sensitive information.
Adeel Ansari
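The session-token check described in this answer, written out as a servlet filter. This is an added example, not code from the answer or from any project; the attribute name "loggedInUser", the login page path "/login.jsp" and the helper markLoggedIn are assumptions for illustration.

```java
// Added example (not from the original answer): a servlet filter that enforces
// the session-token approach. Assumes the login servlet stores the user name
// under the session attribute "loggedInUser" and that the login page lives at
// /login.jsp; both names are assumptions, not part of the page.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {

    /** Session attribute the login servlet sets once credentials are verified. */
    public static final String USER_ATTRIBUTE = "loggedInUser";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure for this example
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: an anonymous visitor
        // should not be handed one just because the filter looked.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTRIBUTE);

        if (user == null) {
            // Not logged in: redirect and stop the chain, so the secured JSP
            // is never executed and none of its output reaches the browser.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Keep browsers and shared caches from storing the protected page,
        // so the Back button after logout does not show stale secure content.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        chain.doFilter(req, res);
    }

    /**
     * Helper for the login servlet to call after the credentials check succeeds.
     * The pre-login session is discarded and a fresh one created before the
     * token is stored, so a session id that existed before authentication
     * cannot be reused afterwards (session fixation).
     */
    public static void markLoggedIn(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTRIBUTE, userName);
    }
}
```

Register the filter in web.xml with a filter element and a filter-mapping whose url-pattern covers the secured area (for example /secure/*); the login page itself must sit outside that pattern, otherwise the redirect loops. Because the filter runs before the request reaches any JSP or servlet under the pattern, a page that a developer forgot to check is still protected, which is the advantage over per-page checks.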
A: 

Make sure people always access your app through a single servlet, where the servlet dispatches the request to a JSP, and returns the resulting response to the browser. This way you will always be in control of what happens because there is a single entry point.

A different approach is to have a session variable (server side, or even in a cookie) which gets checked by each and every JSP which requires authentication.

Rolf
+4  A: 

What about using the security-constraint in your web.xml:

<security-constraint>
      <web-resource-collection>
         <web-resource-name>Secure</web-resource-name>
         <url-pattern>/secure/*</url-pattern>
      </web-resource-collection>
      <!-- without an auth-constraint the collection is not protected at all -->
      <auth-constraint>
         <role-name>user</role-name> <!-- placeholder role name; declare it in a matching security-role -->
      </auth-constraint>
</security-constraint>
<!-- a login-config element is also needed so the container knows how to authenticate -->
LenW
See, for example, this question: http://stackoverflow.com/questions/344474/form-authentication-on-website
Warren Blanchet
A: 

Security is really hard to get right. Much more than you would usually think. The use of a framework (Acegi comes to mind), or the standard <security-constraint> section of web.xml as LenW pointed out, is a must! At least use a filter to handle the authorization part of your security.

I don't really like the solution of using a single point of entry (as suggested by Rolf). It seems to me like an artificial constraint put on your architecture. And there are a lot of good reasons to have multiple servlets in a webapp.

Whatever you do, don't use a technique where you rely on manual code on every page (like: every JSP beginning with "if user_authentified ..."). You will forget to put it somewhere ...

Guillaume
A: 

According to best practices, you should put protected resources such as JSPs in /WEB-INF. Nothing in this folder can be accessed unless it is forwarded by a servlet. Therefore all of your JSPs, except for login and welcome pages (which can be declared in web.xml) should belong in this folder.

Zombies
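The /WEB-INF placement from this answer, shown as the servlet that is the only route to the protected JSP. This is an added example, not code from the answer or from any project; the view path /WEB-INF/jsp/secureArea.jsp, the login page /login.jsp and the "loggedInUser" session attribute are assumptions for illustration.

```java
// Added example (not from the original answer): a servlet that forwards to a
// JSP kept under /WEB-INF. The view path, the login page path and the session
// attribute name are assumptions, not part of the page.
import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureAreaServlet extends HttpServlet {

    // The container refuses direct browser requests for anything under
    // /WEB-INF (it answers 404), so this view can only be reached through a
    // server-side forward from code such as this servlet.
    private static final String VIEW = "/WEB-INF/jsp/secureArea.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Second line of defence: even if the URL of this servlet is already
        // guarded by a filter or a security-constraint, the servlet itself
        // refuses to render the view for a visitor without a login token.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("loggedInUser");
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Hand data to the view, then forward: the JSP renders inside this
        // same request and the browser's address bar keeps the servlet URL,
        // so the JSP's real location is never exposed as a navigable path.
        request.setAttribute("userName", user);
        RequestDispatcher view = request.getRequestDispatcher(VIEW);
        view.forward(request, response);
    }
}
```

Map the servlet in web.xml to the URL users actually visit (for example /secure/area). A request typed directly as /WEB-INF/jsp/secureArea.jsp is rejected by the container before any application code runs, which is what makes this placement a structural guarantee rather than a per-page check.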