block jsp page

 
chamini prashakthi
How to block a JSP page?
(What I want is: when I click the links to redirect to each page, I want to block some specific pages for specific users.)
I created a JavaScript function to retrieve the JSP pages of each user (the pages that user can access), but I have no idea how to block the other pages for the same user.
 
Swastik Dey
Why JavaScript? Why not handle it on the server, based upon some user-specific role/token?
 
Tim Moores
Indeed, JavaScript plays no role in this, not least because whatever you do on the client side can be circumvented. You should look into servlet security (commonly set up in web.xml) as described in https://coderanch.com/wiki/659865/Servlets-Faq#security
 
chamini prashakthi
Found a solution.
First, disable all links.



Then check whether or not the user has permission to access the link (validations).
If the user has it, then enable the link.


 
Dave Tolls
You do realise that someone can simply open their browser's debugging tools and change that 'none' to 'block' and get access to that link with almost no effort?

That is why security sits on the server.
 
Tim Moores
chamini prashakthi wrote: found a solution

No, you didn't. By merely hiding the link you're implementing "security by obscurity", which is not secure at all. Especially as an attacker will see what is hidden, and how it's hidden, in the page source. You also need to implement proper access control on the server, otherwise this scheme can be easily hacked.
 
Tim Holloway
Stuff like this is why I maintain that over 95% of the "Do-it-Yourself" web application security systems out there are no more secure than wet tissue paper.

Being Clever isn't enough. Security is hard and unless you are a trained security professional, you really shouldn't even try to invent your own security system. Nor should the resident genius at the place where you work.

The J2EE/JEE spec defines a security framework that has an excellent security record, and it's simple to use - it mostly enforces security from the outside in, preventing attackers from gaining access to application code even before they can attempt to exploit it and it blocks attacks from all sources and directions.

Use it.
 
Bear Bibeault
Tim Holloway wrote: Being Clever isn't enough.

This isn't even being clever. It is, in fact, quite naive as pointed out.
 