Hi All,

We have an application having large number of JSP pages and servlets. Is there any easy way to impose page level authorization without having to go to each page to set it up?
i.e. If the user somehow gets to figure out the URL of some page to which he has no access, then an error message should be shown to him.

Thanks!

Filters.

Thanks for the quick response.

But the problem in implementing this solution is - How do we uniquely identify a JSP page? I guess, the servlet filter has to be implemented in such a way that it will read the jsp's unique identifier and then check whether the user is authorized to access it or not. But, for this approach, we will have to go to each of the hundreds of JSPs and assign it a unique identifier.
Is there a better way to handle it so that it can be done with less effort ?

Thanks

You shouldn't be addressing JSPs at all -- you should be addressing the page controller for the JSP. Or are you still following Model 1?

In any case, the filter can identify the target by its unique URL.

You can protect the URLs using security -constraint tags in web.xml file
<security-constraint> <web-resource-collection> <web-resource-name></web-resource-name> <url-pattern>your JSP URL pattern</url-pattern> <url-pattern>/your servlet URL pattern</url-pattern> </web-resource-collection> <auth-constraint> role-name>admin</role-name> </auth-constraint> </security-constraint>

regards
Ma

That assumes container-based authentication. And it's hard to apply on a page by page basis.

I agree. But what I understand from mail is that , the developer is trying to apply high level authorisation to the URL (allow/deny).

If all my jsps are in the path : /jsp/example/ I can still uses security-constraint tag to protect /jsp/example/*.jsp same way for Servlets.

regards
Ma

There is a very simple solution override the HttpServletResponse's sendredirect method using HttpServletResponseWrapper. You can write your own customized redirect method .