0

How in Java Web application to restrict direct access to secure pages for not admins roles? For example I have in my application 350-500 URLs and I want to hide 20-30 of them and permit access to them only for admin role. What is best way to solve this problem? What is best practice for this case?

May be I need group necessary URLs by single beginning URI? Or somehow using web.xml properties? Or it is enough using saving role of logged user in session and using servlet filter? Problem in that case is I need sort out each secure URL. But there may be many in future...

I think all are facing this problem. Give me the standard and simple solutions of this situation please! Thanks in advance!

I will be grateful for any advices and tips!

Michael
  • 1,152
  • 6
  • 19
  • 36
  • 1
    Start [here](http://docs.oracle.com/javaee/6/tutorial/doc/bncas.html). This is all part of the JavaEE spec, don't reinvent the wheel. – Boris the Spider Jun 01 '14 at 20:07

3 Answers3

1

You can try below options

Yes you can group necessary URLs by single beginning URI that can be filtered by a filter as suggested above.

It's worth reading The Java EE 6 Tutorial - Security that explores security concepts and examples

Community
  • 1
  • 1
Braj
  • 46,415
  • 5
  • 60
  • 76
0

You can take a look here..http://viralpatel.net/blogs/tutorial-java-servlet-filter-example-using-eclipse-apache-tomcat/

You need to group them somehow in a specific folder. Than You should create a filter like in the link.. The filter will get anything that in the pattern /admin/(Suppose your pages will be there)

Inside the filter you just need to add the condition.. 

If(!admin) {
    /Redirect to anywhere you want
}

You can use something more sufisticated like spring security, This thing will have the logic inside and you just need to set you roles.. Which i think will be better solution, But will take more time if you are not familiar with Spring

Hope that helps

Aviad
  • 1,539
  • 1
  • 9
  • 24
0

For a very simple application it will certainly be overkill, but if allready using SpringFramework, you could have a look at Spring Security. It deals with authentication, with many possibilies, and can have very simple or very sophisticated authorization rules.

Apache Shiro is also a simpler (but less powerful) alternative.

Serge Ballesta
  • 143,923
  • 11
  • 122
  • 252