
block jsp page

 
chamini prashakthi
How to block a JSP page?
(What I want is: when I click the links to redirect to each page, I want to block some specific pages for specific users.)
I created a JavaScript function to retrieve the JSP pages of each user (the pages that user can access), but I have no idea how to block the other pages for the same user.
 
Swastik Dey
Why JavaScript? Why not handle it from the server, based upon some user-specific role/token?
 
Tim Moores
Indeed, JavaScript plays no role in this, not least because whatever you do on the client side can be circumvented. You should look into servlet security (commonly set up in web.xml) as described in https://coderanch.com/wiki/659865/Servlets-Faq#security
 
chamini prashakthi
Found a solution.
First disable all links.



Then check whether the user has permission to access the link (validations).
If the user has it, then enable the link.


 
Dave Tolls
You do realise that someone can simply open their browser's debugging tools and change that 'none' to 'block' and get access to that link with almost no effort?

That is why security sits on the server.
 
Tim Moores
chamini prashakthi wrote: found a solution

No, you didn't. By merely hiding the link you're implementing "security by obscurity", which is not secure at all. Especially as an attacker will see what is hidden, and how it's hidden, in the page source. You also need to implement proper access control on the server, otherwise this scheme can be easily hacked.
 
Tim Holloway
Stuff like this is why I maintain that over 95% of the "Do-it-Yourself" web application security systems out there are no more secure than wet tissue paper.

Being Clever isn't enough. Security is hard and unless you are a trained security professional, you really shouldn't even try to invent your own security system. Nor should the resident genius at the place where you work.

The J2EE/JEE spec defines a security framework that has an excellent security record, and it's simple to use - it mostly enforces security from the outside in, preventing attackers from gaining access to application code even before they can attempt to exploit it and it blocks attacks from all sources and directions.

Use it.
 
Bear Bibeault
Tim Holloway wrote: Being Clever isn't enough.

This isn't even being clever. It is, in fact, quite naive as pointed out.
 