block jsp page

 
Ranch Hand
Posts: 174
How to block a JSP page?
(What I want is: when I click the links to redirect to each page, I want to block some specific pages for specific users.)
I created a JavaScript function to retrieve the JSP pages of each user (pages that the user can access), but I have no idea how to block other pages for the same user.
 
Rancher
Posts: 1878
  • Likes 1
Why JavaScript? Why not handle it from the server based upon some user-specific role/token?
 
Saloon Keeper
Posts: 4697
  • Likes 1
Indeed, JavaScript plays no role in this, not least because whatever you do on the client side can be circumvented. You should look into servlet security (commonly set up in web.xml) as described in https://coderanch.com/wiki/659865/Servlets-Faq#security
 
chamini prashakthi
Ranch Hand
Posts: 174
Found a solution :jumpingjoy:
First, disable all links.

Then check whether the user has permission to access the link (validations).
If the user has it, then enable the link.


 
Rancher
Posts: 3596
  • Likes 2
You do realise that someone can simply open their browser's debugging tools and change that 'none' to 'block' and get access to that link with almost no effort?

That is why security sits on the server.
 
Tim Moores
Saloon Keeper
Posts: 4697
  • Likes 2

found a solution


No, you didn't. By merely hiding the link you're implementing "security by obscurity", which is not secure at all. Especially as an attacker will see what is hidden, and how it's hidden, in the page source. You also need to implement proper access control on the server, otherwise this scheme can be easily hacked.
 
Bartender
Posts: 19668
Stuff like this is why I maintain that over 95% of the "Do-it-Yourself" web application security systems out there are no more secure than wet tissue paper.

Being Clever isn't enough. Security is hard and unless you are a trained security professional, you really shouldn't even try to invent your own security system. Nor should the resident genius at the place where you work.

The J2EE/JEE spec defines a security framework that has an excellent security record, and it's simple to use - it mostly enforces security from the outside in, preventing attackers from gaining access to application code even before they can attempt to exploit it and it blocks attacks from all sources and directions.

Use it.
 
Author and ninkuma
Marshal
Posts: 66787

Tim Holloway wrote: Being Clever isn't enough.


This isn't even being clever. It is, in fact, quite naive as pointed out.
 