Page level authorization

 
Greenhorn
Posts: 12
Hi All,

We have an application having a large number of JSP pages and servlets. Is there any easy way to impose page level authorization without having to go to each page to set it up?
i.e. If the user somehow gets to figure out the URL of some page to which he has no access, then an error message should be shown to him.

Thanks!
 
Sheriff
Posts: 67756
Filters.
 
Preeti Prabhakar
Greenhorn
Posts: 12
Thanks for the quick response.

But the problem in implementing this solution is: how do we uniquely identify a JSP page? I guess the servlet filter has to be implemented in such a way that it will read the JSP's unique identifier and then check whether the user is authorized to access it or not. But, for this approach, we will have to go to each of the hundreds of JSPs and assign it a unique identifier.
Is there a better way to handle it so that it can be done with less effort?

Thanks
 
Bear Bibeault
Sheriff
Posts: 67756
You shouldn't be addressing JSPs at all -- You should be addressing the page controller for the JSP. Or are you still following Model 1?

In any case, the filter can identify the target by its unique URL.
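
A deny-by-default authorization filter keyed on the request URL, as the reply above suggests; this is an added example, not code from the thread. The `javax.servlet` API, the path prefixes, the role names and the `roles` session attribute are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not from the thread): authorize every request by URL, deny by default.
public class UrlAuthorizationFilter implements Filter {
    // Hypothetical rules: path prefix -> required role ("*" = open to everyone).
    private final Map<String, String> rules = new HashMap<>();

    @Override
    public void init(FilterConfig cfg) {
        rules.put("/public/", "*");
        rules.put("/reports/", "manager");
        rules.put("/admin/", "admin");
    }

    // Role required by the longest matching prefix, or null when nothing matches.
    String requiredRole(String path) {
        String best = null;
        for (String prefix : rules.keySet()) {
            if (path.startsWith(prefix) && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : rules.get(best);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Decoded path relative to the context root, without the query string.
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        String role = requiredRole(path);
        HttpSession session = req.getSession(false);
        // Assumption: the login code stored a Set<String> of role names under "roles".
        Object attr = session == null ? null : session.getAttribute("roles");
        boolean hasRole = role != null && attr instanceof Set && ((Set<?>) attr).contains(role);
        if (!"*".equals(role) && !hasRole) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN); // unmapped URLs land here too
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml so every JSP and servlet request passes through it; no individual page needs to be touched.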
 
Ranch Hand
Posts: 42

You can protect the URLs using security-constraint tags in the web.xml file.


regards
Ma

 
Bear Bibeault
Sheriff
Posts: 67756
That assumes container-based authentication. And it's hard to apply on a page by page basis.
 
Manjesh Patil
Ranch Hand
Posts: 42
I agree. But what I understand from the mail is that the developer is trying to apply high level authorisation to the URL (allow/deny).

If all my JSPs are in the path /jsp/example/, I can still use the security-constraint tag to protect /jsp/example/*.jsp, and the same way for servlets.

regards
Ma
 
Ranch Hand
Posts: 83
There is a very simple solution: override the HttpServletResponse's sendRedirect method using HttpServletResponseWrapper. You can write your own customized redirect method.
 