7

I have a web application in which, when users log in, they reach the mainjsp.jsp page.

In this page there are a few text boxes for dates, and based on the dates and a selection from another drop-down, data is submitted. This data is retrieved by a servlet and brought back to the mainjsp page.

My concern is about security. Now when I copy the mainjsp.jsp page's URL and paste it in any browser, this page appears as it is. I don't want this to happen. I want the users to log in first, and hence I want my web application to be secure.

I don't have any idea how to do this. Could you please tell me how I can achieve this?

Also, please tell me how I can achieve this for any of the pages in the web application. Users should not be able to access any page if they haven't logged in.

Prakash K
Reuben Kurian
  • Use some authorization and authentication framework like Spring Security, JAAS etc. – Umesh Awasthi Mar 13 '12 at 06:08
  • Can't I do something here with JSP and servlets? I haven't worked on Spring or JAAS. Or could you provide me some detail to look up on Spring to implement this? – Reuben Kurian Mar 13 '12 at 06:16
  • What has been described in the answer will provide a basic level of security, but if you want a role-based security model, Spring Security and JAAS are the way to go. A good starting point is the official doc: http://static.springsource.org/spring-security/site/ – Umesh Awasthi Mar 13 '12 at 06:27
  • +1 to reverse a -1 without a comment, but I assume the reasons were: no line breaks / formatting, a too wide / subjective question, and SMS writing (abt, whn, tht, teh). Please try to correct these in the future to get more quality answers. – Eran Medan May 08 '12 at 14:15

6 Answers

4

You should have form-based authentication. Here is the snippet which should be added to your web.xml:

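<security-constraint>
    <web-resource-collection>
        <web-resource-name>pagesWitUnrestrictedAccess</web-resource-name>
        <description>No Description</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <!-- Without an auth-constraint the container never asks for a login.
         "appUser" is a placeholder; use a role that exists in your container's realm. -->
    <auth-constraint>
        <role-name>appUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>No Description</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Unauthenticated requests for a protected URL are sent to the login page. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>

<!-- Declares the placeholder role referenced in the auth-constraint above. -->
<security-role>
    <role-name>appUser</role-name>
</security-role>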


Ramesh PVK
2

You may check out Shiro to use an out-of-the-box security framework and prevent advanced security tricks in a web environment.

Mike Lue
0

Use sessions. Set a session variable on login and check it on every page you have to make secure.

Mazhar
0

When the user enters credentials and submits them to a login servlet, add the user name or user ID to the session. In the application's header (so on every page), check whether the user name or user ID exists in the session. If yes, then redirect to the requested page; otherwise redirect the user to login.jsp. For example:

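// JSP scriptlet for the shared header; session, request and response are JSP implicit objects.
String userName = (String) session.getAttribute("user_name_session");
if (userName == null) {
    // Not logged in: redirect relative to the application's context path
    // and stop rendering the rest of the page.
    response.sendRedirect(request.getContextPath() + "/Login.jsp");
    return;
}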

You can modify the snippet as per your requirements. This is the simplest way to prevent a user from reaching any page by copying the link into another browser.

Ravi Chhatrala
0

This is really the best way to convert an HTTP request into an HTTPS request:

http://middlewaremagic.com/weblogic/?p=2019

Karan
0

Spring Security 3 is powerful and easy to configure:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-minimal

AdrianS