Webapp user login/security

Kevin P Smith
I have been looking at creating a simple app and have been looking at the best way to try to secure the user's personal pages. This is a brief description of what
I have; I was just wondering if anyone could see any glaringly obvious issues with this, or in fact if there is a preferred/recommended better way of doing this?

Summary:-
---------------
Pages (regular):
/pages/unsecure/signin/enterdetails.jsp
/pages/unsecure/register/enterdetails.jsp
/pages/unsecure/register/confirmdetails.jsp

Pages (secure):
/pages/secure/mypage.jsp
/pages/secure/profile/view.jsp
/pages/secure/profile/edit.jsp

Pages (common to both):
/pages/common/footer.jsp

URLs (mapped in web.xml)
/signin: initParam = /pages/unsecure/signin/enterdetails.jsp
/register: initParam = /pages/unsecure/register/enterdetails.jsp

/secure/mypage: initParam = /pages/secure/mypage.jsp

I then have a Filter class with urlPattern "/pages/secure/*"

So if a user clicks URL pattern '/register' nothing happens, but if they click for example '/secure/mypage' the Filter checks to see if
there is a session attribute called 'AUTHENTICATED' and that it's set to 'true'. If it is, it redirects to '/secure/mypage'; otherwise to '/signin'.

I have also done it this way so that if a user tries to type in something like /pages/secure/mypage.jsp
manually, then again (providing there is no AUTHENTICATED attribute) they will be redirected to '/signin'.

Is there any glaringly obvious flaw with this? It seems to work to me, but login security is something I am new
to, and I was just wondering if anyone could see an obvious issue like "Oh, if a user does XYZ they can bypass this easily".

I know it's probably a long shot without source code, but you get the idea (theory) of what I am doing.

Thanks for any responses KS
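The filter described in this post, written out as an added example (not code from the original post): it checks the server-side session for the AUTHENTICATED attribute and redirects to /signin otherwise. The class name, the assumption that sign-in stores Boolean.TRUE, and the web.xml mapping in the comment are mine.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed web.xml mapping. Filters only run for direct requests by default;
// add the FORWARD dispatcher so a servlet forwarding to the JSP is checked too.
//   <filter-mapping>
//     <filter-name>AuthenticatedFilter</filter-name>
//     <url-pattern>/secure/*</url-pattern>
//     <url-pattern>/pages/secure/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//   </filter-mapping>
public class AuthenticatedFilter implements Filter {
    // Attribute the sign-in code sets (to Boolean.TRUE) after verifying credentials.
    static final String SESSION_KEY = "AUTHENTICATED";

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAuthenticated(request)) {
            // Not signed in: redirect and stop the chain so the JSP never renders.
            response.sendRedirect(request.getContextPath() + "/signin");
            return;
        }
        // Keep browsers and proxies from caching the protected page.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    // getSession(false) avoids creating a session for anonymous requests.
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null
            && Boolean.TRUE.equals(session.getAttribute(SESSION_KEY));
    }

    public void destroy() {}
}
```

The attribute lives only in the server-side session; the browser holds just the session id cookie, so the decision is made from data the client cannot edit.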
Rob Spoor
Moving to our JSP forum.
Bear Bibeault
Firstly, URLs that directly address JSPs indicate that you are not following accepted best practices for web app design.

Aside from that, I think that using client-initiated information to determine whether a page should be treated securely or not is an opening for trouble. I'm not a security expert, so I can't say just what, but I always use information that's only available on the server, and never viewable by the client, to make such decisions.
Kevin P Smith
Thanks for the response. I understand what you're saying about the client side of things, but I can't really see how else to tell the web app that these are secure pages (like: /pages/secure/mypage.jsp).