security in JSP

Javed Mohammed
Greenhorn
Hi,

I am developing a jsp/servlet based application where once user is logged in, pages are displayed based on the user role.

I want to build security in the JSP to restrict the user from directly calling a jsp page without logging in.

When a user is logged in, I create a User object and store it in session. In every page I check if the User object is available in the session, if not the user is redirected to the login page.

I want to validate this approach with you all. Please let me know if there is a better option.

I tried request.getSession(false) == null in the JSP but it always returns a session.

Thanks in advance.

Javed.
Ben Souther
Sheriff
There are two approaches to security in a Java web app; Declarative and Programmatic.

Containers provide mechanisms for declarative security which allows you to set everything up via configuration scripts (there is a link to the Servlet Spec in my signature if you want to learn more about it).

With programmatic security (the one I prefer), you write your own.

Rather than test for a null session (which is very unreliable with apps that use JSP), try adding an object to the user's session after a successful login.
Then, test that object for null instead of the session itself.
Javed Mohammed
Greenhorn
Thanks Ben,

My design is exactly as you suggested. I am storing a User object and checking in the JSP for the availability of the User object. If it is not available, I redirect the user to the Login page.

Thanks for your help.

Regards,

Javed.
Bear Bibeault
Marshal
You might also consider doing the test in a filter rather than adding code to every single JSP.
Ben Souther
Sheriff
Originally posted by Bear Bibeault:
You might also consider doing the test in a filter rather than adding code to every single JSP.

There's a demo app on my site that has just such a filter.
http://simple.souther.us/not-so-simple.html
It's in the SessionMonitor application.

The nice thing about doing this from a filter is that you can restrict access to static resources (HTML pages, images, PDFs, etc..) as well as servlets and JSPs.
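The approach discussed in this thread (a User object stored in the session after login, tested for null on every request) done once in a servlet filter, as Bear and Ben suggest, is shown below. This is an added example written for this page, not code from Ben's SessionMonitor demo or from the original poster; it assumes the session attribute is named "user", that the login page is /login.jsp with a login servlet at /login, and that the app runs on a Servlet 3.0+ container so the filter can be registered with an annotation instead of web.xml:

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example. Runs before every resource in the web app (JSPs, servlets and
 * static files alike) and lets the request through only if the login servlet
 * stored a user object in the session; otherwise the browser is sent to the login page.
 */
@WebFilter(filterName = "AuthFilter", urlPatterns = "/*")
public class AuthFilter implements Filter {

    /** Session attribute set by the login servlet (assumed name). */
    static final String USER_ATTR = "user";

    /** Paths that must stay reachable without a login (assumed), otherwise the login page redirects to itself. */
    private static final Set<String> PUBLIC_PATHS = Set.of("/login.jsp", "/login");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/admin/report.jsp"; strip a
        // ";jsessionid=..." suffix so it cannot be used to dodge the PUBLIC_PATHS match.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }
        if (PUBLIC_PATHS.contains(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session. A JSP compiled with the default
        // session="true" page directive does, which is why testing the session itself
        // for null is unreliable: test the attribute the login code put there.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Keep protected pages out of the browser cache so Back after logout shows nothing.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    /**
     * What the login servlet should do once credentials check out: drop any session the
     * browser brought to the login page and start a fresh one before storing the user,
     * so a session id handed to the victim beforehand (session fixation) is not upgraded
     * to an authenticated one.
     */
    static void establishSession(HttpServletRequest request, Object user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, user);
    }
}
```

Two points a practitioner should verify after wiring this in: that the filter's URL pattern really covers the static resources Ben mentions (images or PDFs served from a prefix the pattern misses stay public), and that the login servlet calls something like establishSession rather than setAttribute on the existing session, since the filter can only be as trustworthy as the session it inspects.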