
I'm working on an intranet-only web application (J2EE) that requires some basic security features. There will be relatively few authorized users for the site, but I still need to implement some sort of secure session.

The basic flow I'm looking at is visit site => log in => use site => log out when done (or automatically log out when the browser is closed). Nothing fancy at all, not even a "remember me" option when logging in. Most of the work for authentication is already done - the site is accessible only over https, and I have a database which stores usernames and (encrypted) passwords.

So, once the user has logged in, what's the simplest (ideally no cookies beyond whatever JBoss/JSPs would do behind the scenes) way to implement a secure session? I.e. prevent users from just directly requesting pages beyond the login screen, etc.

Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet? What about preventing users from getting JSP files and forcing them to use a servlet for all requests? Any other considerations (and their solutions)?

BalusC
Matt Ball
  • For the first part, you might want to check http://stackoverflow.com/questions/348090/ensuring-users-are-authenticated-in-java-web-app – Pascal Thivent Nov 19 '09 at 18:12
  • That's definitely the type of thing I had in mind. Not that it's elegant (I'm guessing I would just check that value at every page request), but it seems very minimal. – Matt Ball Nov 19 '09 at 18:19
  • I've addressed your questions in a comment - please take a look. While it's obviously your choice on how to implement this, keep in mind that while there is some learning curve involved with doing this "the right way", it's actually easier and simpler at the end (we're literally talking about maybe 15-20 lines of XML; that's it). – ChssPly76 Nov 19 '09 at 18:28
  • BTW, I'm not saying the accepted answer is the right way to do this, I prefer the `security-constraint` way. – Pascal Thivent Nov 19 '09 at 18:41

1 Answer


Sounds like you can use a simple declarative security approach.

Take a look at the Java EE Tutorial section on Securing Web Applications, particularly at the declarative security section.

To address your specific questions:

What's the simplest ... way to implement a secure session? I.E. prevent users from just directly requesting pages beyond the login screen, etc.

Declare your URLs in the webapp descriptor (web.xml) with an appropriate security role. They'll be inaccessible to unauthorized users (and an attempt to access them will bring up a login page).

Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet?

All that will be completely unnecessary; the servlet container will do it for you behind the scenes.

What about preventing users from getting JSP files and forcing them to use a servlet for all requests?

As long as JSPs never need to be accessed publicly (e.g. you're forwarding to them from within your servlet; you're never redirecting to a JSP) you can declare their URLs in a collection with a security role that is never actually assigned to a user.

ChssPly76
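The descriptor the answer describes, written out as an added example (not code from the original question or answer): it replaces the per-request session check the question proposes with container-enforced constraints. Role names `user` and `nobody`, the `/login.html` and `/login-error.html` pages, and the Servlet 2.5 schema are assumptions; how the container validates a username/password (a Tomcat realm or a JBoss login module, as linked in the comments) is configured separately and is not shown here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml; names, paths and role names are assumed, not from the post. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Every URL in the application requires an authenticated principal
       holding the "user" role. Unauthenticated requests are sent to the
       form login page by the container; the servlet never checks this. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Enforces the "https only" assumption: plain-HTTP requests are
         redirected to the HTTPS connector rather than served. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- JSPs are only ever reached by RequestDispatcher.forward() from a
       servlet. Security constraints apply to client requests, not to
       forwards, so binding *.jsp to a role that is never mapped to any
       user makes direct browser requests for a JSP fail with 403 while
       forwards from the servlet still work. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal views</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form login: the page posts j_username / j_password to j_security_check
       and the container validates them against its configured realm or
       login module. Static HTML is used here so the login page is not
       itself caught by the *.jsp constraint above. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>intranet</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Both roles must be declared; "nobody" is declared but never granted. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>nobody</role-name>
  </security-role>
</web-app>
```

With this in place the servlet learns who is logged in from `request.getRemoteUser()` and `request.isUserInRole("user")` instead of a hand-rolled `isUserAuthenticated` attribute, and the only cookie involved is the container's own JSESSIONID. Logging out is `session.invalidate()`, after which the next request hits the first constraint again and is sent back to the login page.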
  • I've looked at using the DD for security before, and it seemed like overkill. I really don't have multiple security roles, or anything like that; just valid (or invalid) username/password combinations. With declarative security, how do I (as a Java programmer) inform the server that a particular username/password is or is not valid for a particular login attempt? The tutorial also says "When creating a form-based login, be sure to maintain sessions using cookies or SSL session information," which is what I'm trying to avoid. – Matt Ball Nov 19 '09 at 18:14
  • You don't have to have multiple roles, one is enough (two if you want to restrict JSPs). How you determine whether user / password is valid is container-specific; for Tomcat you can do that by specifying a realm (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JDBCRealm) or writing your own. I'm not sure what you mean by "avoid cookies" - the session has to be maintained somehow (the container deals with cookies, not you). If cookies are unacceptable you can use URL rewriting (details are in the tutorial link). – ChssPly76 Nov 19 '09 at 18:25
  • As long as the container deals with cookies, that's fine. I think rolling my own user/pw validation is the way to go (since it's done already) - but how do I communicate this to the container? I'm using JBoss, so I guess that means the container is Tomcat. – Matt Ball Nov 19 '09 at 18:56
  • For Tomcat it's very easy - you just need to specify a realm in context configuration (there's a link to documentation in my comment above). For JBoss (if you're using only servlets / JSP why do you need full app server?) it's a bit more involved. You need to configure a datasource (which you may already have done) and an appropriate LoginModule (http://www.jboss.org/community/wiki/DatabaseServerLoginModule). Take a look at this (http://docs.jboss.org/jbossas/getting_started/v4/html/dukesbank.html) for a more comprehensive tutorial. – ChssPly76 Nov 19 '09 at 19:08
  • @ChssPly76 I'm already learning this, and I create a session and set an attribute like this: `session.setAttribute("user", user);` I logged in on two different browsers as different users. But when I took the JSESSIONID from one browser and pasted it in as the other browser user's JSESSIONID (using a browser session editor extension), I was able to access the other user's profile. Why? Any help? – Asif Mushtaq Oct 14 '15 at 15:13