Rob Ko
Greenhorn
Posts: 8
Tomcat Server
Hey :)

I have a little burning project problem >.>

First the user shall authenticate with a tan
--> if the tan is wrong: error page
--> if correct : show the form

and then a strict order --> show the form solved --> page with send form button --> page with confirmation that the form was sent

but currently you can jump over the authentication directly to the other pages

my bean is session scoped:


A quick and simple solution would be awesome.

Greetings
Rob

edit:
this looks pretty interesting:
http://brendangraetz.wordpress.com/2010/06/17/use-servlet-filters-for-user-authentication/
but I don't really understand what he means by:
"Subclass the `LoginFilter` as a concrete class, `MemberLoginFilter`, by implementing the `isAuth` method"

edit2:
another solution could be:
http://thierrywasyl.wordpress.com/2009/06/22/create-your-own-filter-in-jsf/
worked nearly perfectly, but after login and filling out the form, you return back to the login ._.
 
Tim Holloway
Bartender
Posts: 18531
61
Android Eclipse IDE Linux
Jumping over authorizations is one of the most common forms of security exploits and is the Number 1 reason why I discourage people from creating their own security subsystems.

If you want a "simple" way to avoid this, don't write your own login or security code. Use the system that's part of the J2EE standard. It's based on URL patterns, and if a URL matches a secured pattern the server will immediately force a login and not even allow the URL to reach the web application unless they pass authentication and authorization.
 
Thomas Snyder
Greenhorn
Posts: 9
Java Python Ruby
Rob,

I've done this using Glassfish, a Life Cycle to check for roles, and a login bean. The life cycle looks like this:



The life cycle above is run every time someone visits a page on your site. I used this to check if the user had roles to be on the page by having a database with the username and roles table assigned to them. This process is put in the afterPhase and you'll have to write code to check your database. You don't have to use this, but it's a good check if you like to prevent people from jumping pages that have certain roles or protect certain folders. Don't use this for logging in though. Tim is right when he says use the J2EE for logging in. I think more of what you are looking for is plain old logging in. In Glassfish, all you need to do is create users within the realm, mod the web.xml to throw the user to the login page, login controller, and a login bean.

LoginBean.java


LoginController.java (This is exposed so you can use it on your pages)

web.xml


In GlassFish, if you want the login to be checked against the realm, make sure it matches in the web.xml where it says <realm-name>file</realm-name>.
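The container-managed setup Tim and Thomas describe, written out as an added example (not the web.xml from Thomas's post): a Servlet 3.0 `web.xml` that puts the whole form workflow behind a URL pattern, so the container rejects unauthenticated requests before they reach the session bean. The `/secured/*` path, the `member` role and the two login page names are assumptions; adjust the pattern if your JSF servlet is mapped under `/faces/*`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Assumed layout: the form, the "send" page and the confirmation page
       all live under /secured/. The container refuses any request matching
       this pattern unless the caller is authenticated and holds the role,
       so there is no page left to "jump over". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Form workflow</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Force TLS so the credential is not sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login checked against the GlassFish realm named in Thomas's post.
       Keep the login and error pages outside the protected pattern; they
       must be reachable by anonymous users. The login page posts
       j_username and j_password to j_security_check (Servlet spec names). -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/loginError.xhtml</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare every role referenced in an auth-constraint. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

This only answers "is the caller logged in"; the strict form → send → confirmation order from the original question still has to be enforced by state held server-side in the session-scoped bean, never by trusting which page the browser asked for.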
 