
block jsp page

 
Ranch Hand
How to block a JSP page?
(What I want is: when I click the links to redirect to each page, I want to block some specific pages for specific users.)
I created a JavaScript function to retrieve the JSP pages of each user (the pages that user can access), but I have no idea how to block the other pages for the same user.
 
Rancher
Why JavaScript? Why not handle it on the server, based upon some user-specific role/token?
 
Saloon Keeper
Indeed, JavaScript plays no role in this, not least because whatever you do on the client side can be circumvented. You should look into servlet security (commonly set up in web.xml) as described in https://coderanch.com/wiki/659865/Servlets-Faq#security
 
chamini prashakthi
Ranch Hand
Found a solution :jumpingjoy:
First, disable all links.



Then check whether the user has permission to access the link (validations).
If the user has it, then enable the link.


 
Rancher
You do realise that someone can simply open their browser's debugging tools and change that 'none' to 'block' and get access to that link with almost no effort?

That is why security sits on the server.
 
Tim Moores
Saloon Keeper

found a solution


No, you didn't. By merely hiding the link you're implementing "security by obscurity", which is not secure at all. Especially as an attacker will see what is hidden, and how it's hidden, in the page source. You also need to implement proper access control on the server, otherwise this scheme can be easily hacked.
 
Bartender
Stuff like this is why I maintain that over 95% of the "Do-it-Yourself" web application security systems out there are no more secure than wet tissue paper.

Being Clever isn't enough. Security is hard and unless you are a trained security professional, you really shouldn't even try to invent your own security system. Nor should the resident genius at the place where you work.

The J2EE/JEE spec defines a security framework that has an excellent security record, and it's simple to use - it mostly enforces security from the outside in, preventing attackers from gaining access to application code even before they can attempt to exploit it and it blocks attacks from all sources and directions.

Use it.
 
Author and ninkuma
Marshal

Tim Holloway wrote: Being Clever isn't enough.


This isn't even being clever. It is, in fact, quite naive as pointed out.
 