
Security in MVC Pattern

 
Sam Furtado
Ranch Hand
Posts: 45
Hi Guys!!!
Currently implementing the MVC Pattern using Servlets, JSP & Beans in developing a web site.
Wherein, all links on the site invoke the Servlet Controller and further pass parameters as to the action that has to be carried out. For instance, something like this:
<a href="ControllerServlet?event=print">Print</a>. This determines that some data needs to be processed in one of the beans and then further redirected to the view JSP file (display.jsp). However, I wouldn't want anyone to directly access this page by typing "display.jsp" in the browser address bar.
In short, a view JSP page should not be displayed when accessing it directly (this could happen if someone knows the names of the internal pages used). At the same time it should be possible to redirect to it from within the data processing servlets.
How should I go about doing this???
Please suggest.
Thank You
 
Ken Pelletier
Ranch Hand
Posts: 54
Hi,
There are two very typical ways of going about this, and probably others that work equally well.
For the resources you don't want to be accessed externally (from a browser), you can:
1) Put them inside WEB-INF (best located in a subdirectory there). This makes them accessible internally (e.g. from forward()), but not externally from a browser.
2) Use a security-constraint and assign no users to the role-name. You can put all the resources you want to 'hide' inside a subdirectory or adjust your url-pattern accordingly; e.g. you could use *.jsp to hide all JSPs.
Example using a subdir for "internal-only" resources:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>internal</web-resource-name>
    <url-pattern>/internal/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>internal</role-name>
  </auth-constraint>
</security-constraint>
With no users assigned to the role 'internal', only internal access will get through. Access via the forward() family of methods does not go through the security constraint mechanism.
Good luck.
- Ken
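The first of the two options above, worked through as an added example that is not code from the original thread: a front controller that maps the event parameter to an allow-listed action and then forwards to a view kept under WEB-INF, so the JSP is reachable only through the servlet. The class name ControllerServlet, the package, the "print" action body and the path /WEB-INF/views/display.jsp are assumptions for illustration; the API used is the standard javax.servlet one.

```java
// Added example, not from the original post. Assumed names: package "example",
// ControllerServlet, the "print" action and /WEB-INF/views/display.jsp.
package example;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Front controller: <a href="ControllerServlet?event=print">Print</a> lands here. */
public class ControllerServlet extends HttpServlet {

    /** An action does the processing and returns the context-relative view path. */
    interface Action {
        String execute(HttpServletRequest req) throws ServletException;
    }

    // Allow-list of events. Only names registered here are dispatched, so the
    // "event" parameter can never be used to select an arbitrary page.
    private static final Map<String, Action> ACTIONS;
    static {
        Map<String, Action> m = new HashMap<>();
        m.put("print", req -> {
            // Hypothetical processing; a real action would call a bean here and
            // expose the result to the view as a request attribute.
            req.setAttribute("report", "Report generated for event=print");
            return "/WEB-INF/views/display.jsp";
        });
        ACTIONS = Collections.unmodifiableMap(m);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String event = req.getParameter("event");
        Action action = (event == null) ? null : ACTIONS.get(event);
        if (action == null) {
            // Unknown or missing event: refuse rather than guess a view.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String view = action.execute(req);

        // forward() is a server-side dispatch: the browser never sees the JSP
        // path, and the container only serves anything under /WEB-INF/ this way.
        RequestDispatcher rd = req.getRequestDispatcher(view);
        rd.forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

With the view stored at /WEB-INF/views/display.jsp, a browser request for /display.jsp or /WEB-INF/views/display.jsp gets a 404 from the container, because the Servlet specification forbids serving anything under WEB-INF directly; the forward() above still reaches it because request dispatching is not subject to that rule or to security constraints. If you take the security-constraint route instead, two details matter: listing http-method elements restricts the constraint to exactly those methods (HEAD, PUT and the rest stay uncovered), so omit them to cover every method; and an auth-constraint that names a role nobody holds makes the container challenge for credentials first and deny afterwards, whereas an empty <auth-constraint/> denies every caller outright.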
 
Sam Furtado
Ranch Hand
Posts: 45
Thanks Ken !!!
It came through.
Thank You
 
Ken Pelletier
Ranch Hand
Posts: 54
Odd, but I swear I didn't re-post that one.
Honest, guv.
 