  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 376

creating sessions using Java (urgent...)

I have a servlet which checks the login and directs a user to the specified JSP page. The users are given links to other pages according to their login specification.

E.g admin users can view almost all JSP pages
Senior users can view most of the JSP pages
Juniors are restricted to view a min. no of pages

How can I create sessions to restrict users only to view their valid JSP pages, Servlets. Can somebody pls. send me a sample code ???

Part of the code for the Login servlet is displayed below.


                        if(rs.next())
                        {

                          // Authenticated Administrator is directed to Admin.jsp

                          if (user.toLowerCase().startsWith("admin"))
                          {
                           res.sendRedirect("/Admin.jsp");
                          }
                          else
                          {
                            String data = rs.getString("Allowupdate").trim().toLowerCase();

                            // Authenticated Senior user is directed to Snruser.jsp

                            if (data.equals("yes"))
                            {
                              res.sendRedirect("/Snruser.jsp");
                            }

                            // Authenticated Junior user is directed to Jnruser.jsp

                            else if (data.equals("no"))
                            {
                              res.sendRedirect("/Jnruser.jsp");
                            }

                            // Error page !!!

                            else
                            {
                              res.sendRedirect("/Logerr.jsp");
                            }
                          }
                       }

                       // Invalid login

                       else
                        {
                          res.sendRedirect("/Logerr.jsp");
                        }


Rgds,
gkt_80.

0
1 Solution
 
cheekycj Commented:
The ideal way would be to use realms and roles.

But I think for simplicity's sake you can just create a list of pages or URLs that a certain role can access. When a user logs in, create a session var that indicates their role. Your code that checks if the user is logged in should be modified to also check the role of the user.

CJ
0
 
kennethxu Commented:
how to setup web application security:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

your code will look like:

// Role names come from the container's security configuration
if (request.isUserInRole("admin")) {
  res.sendRedirect("/Admin.jsp");
} else if (request.isUserInRole("senior")) {
  res.sendRedirect("/Snruser.jsp");
} else if (request.isUserInRole("junior")) {
  res.sendRedirect("/Jnruser.jsp");
} else {
  // error
}
0
 
Commodus2 Commented:
You can add a session var of the user's status just before you redirect the user.

request.getSession().setAttribute("level", "senior");
(senior can be one of the other levels)

You must check the session's "level" var on top of each page to see if the user has the rights to see the page.

Maybe this is not at all what you mean...
ah well.... it's a shot.

Commodus2
0

 
gkt_80 Author Commented:
// This code continues from my previous comments.


I use the following code in the login servlet.

if (user.toLowerCase().startsWith("admin"))
{
     user = "ADMIN";
     ses.setAttribute("group",user);
     res.sendRedirect("/Admin.jsp");
}

Similarly I have created user groups Senior & Junior for the other 2 levels and direct them to the relevant pages.
I check the authentication on each page as follows. The following is displayed on a page accessed by the Admin.
E.g.

<%

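// A missing "group" attribute must not throw, so keep it as an Object
Object level = request.getSession().getAttribute("group");

// equals() compares the value; == only compares object references
if (!"ADMIN".equals(level))
{
     response.sendRedirect("Error.jsp");
     return; // stop rendering the rest of the page after the redirect
}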

%>


When the user / admin log-off the following is in the logoff page.

<%

request.getSession().removeAttribute("group");
request.getSession().invalidate();

%>


But after logging off, when the 'Back' button is clicked the previous page is displayed. How can I prevent this and send the user to an error page?

Can somebody help.........(urgent !!!)

Rgds,
Gkt_80.
0
 
kennethxu Commented:
When you click the back button on the browser, the browser simply displays whatever it got before, unless you expire every page:

<%
response.setHeader("Pragma", "No-cache");
response.setDateHeader("Expires", 0);
response.setHeader("Cache-Control", "no-cache");
%>
0
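The per-page group check and the cache headers discussed in this thread can be enforced in one place with a servlet filter. The following is an added example, not code from any poster: the group values "SENIOR" and "JUNIOR", the "/Login" path and the page-to-group mapping are assumptions, and it adds `no-store` to the headers above, which tells the browser not to keep a copy of the page at all.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: map this filter to /* in web.xml so every page passes through it.
public class AccessFilter implements Filter {
    // Pages reachable without logging in ("/Login" is an assumed servlet path).
    private static final Set<String> PUBLIC = groups("/Login", "/Logerr.jsp", "/Error.jsp");
    // Which session "group" values may open which page (assumed mapping).
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("/Admin.jsp",   groups("ADMIN"));
        ALLOWED.put("/Snruser.jsp", groups("ADMIN", "SENIOR"));
        ALLOWED.put("/Jnruser.jsp", groups("ADMIN", "SENIOR", "JUNIOR"));
    }
    private static Set<String> groups(String... g) { return new HashSet<>(Arrays.asList(g)); }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String page = req.getServletPath();
        if (PUBLIC.contains(page)) { chain.doFilter(rq, rs); return; }

        // getSession(false): never create a session for a visitor who has not logged in
        HttpSession ses = req.getSession(false);
        Object group = (ses == null) ? null : ses.getAttribute("group");
        Set<String> allowed = ALLOWED.get(page);
        // Deny by default: unknown page, no session, or group not listed for this page
        if (group == null || allowed == null || !allowed.contains(group)) {
            res.sendRedirect(req.getContextPath() + "/Error.jsp");
            return;
        }
        // Protected pages must not be kept by the browser, so Back after logoff re-requests them
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
        chain.doFilter(rq, rs);
    }
}
```

Once the logoff page has invalidated the session, a re-request triggered by the Back button reaches this filter with no "group" attribute and is redirected to Error.jsp.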
 
girionis Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

- Points to kennethxu

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

girionis
EE Cleanup Volunteer
0
