Testing Security

Posted on 2003-03-28
Medium Priority
Last Modified: 2010-04-01
Dear Experts,

I have created a JSP which searchs data in the database and shows these data....

This JSP is called from another JSP by sendRedirect command.

But nothing is blocking that this JSP can be called from browser directly....

But I would like to implement some function which must be verify that only authorized users could access this report.

Then I did.....

I've created a helper JSP with the following contents: (HelperSecurity.jsp)
<% HttpSession MM_session = request.getSession(true);

   String MM_conn_TIME_USERNAME = (MM_session.getValue("ssUsername") != null)?MM_session.getValue("ssUsername").toString():"";
   String MM_conn_TIME_PASSWORD = (MM_session.getValue("ssPassword") != null)?MM_session.getValue("ssPassword").toString():"";
     String af = (MM_session.getValue("ssAccountFlag") != null)?MM_session.getValue("ssAccountFlag").toString():"";
     if ((MM_conn_TIME_USERNAME == "") || (MM_conn_TIME_PASSWORD == "")) {
          String loginMessage = "You are not authorized to access this page!&en=003";
          String szLocation = "../errorPage.jsp?em=" + loginMessage;
     if (!af.equals("1"))     {
          String loginMessage = "Your account has expired! Please contact us to reactivate your account.&en=004";
          String szLocation = "../errorPage.jsp?em=" + loginMessage;
        if(!userCanAccessAppl()) /* This routine check in database if the user has permission of execute this JSP */
                String loginMessage = "You can't permission to execute this application!&en=005";
          String szLocation = "../errorPage.jsp?em=" + loginMessage;

I've created another JSP file which refers to the helper JSP: (Report.jsp)
<%@include file="HelperSecurity.jsp"%>

When I've logged in in system, after of valided the user and password I've typed in URL http://<machine_name>:8888/reportWEB/Report.jsp. The system should display the message I can not permission to execute this application, but I'm getting the java.lang.NullPointerException ...

The line which is occurring the exception contains:
Connection ConnRecordsetSecurity = DriverManager.getConnection(MM_conn_TIME_STRING,MM_conn_TIME_USERNAME,MM_conn_TIME_PASSWORD);

How I could to solve this problem?

Question by:cpribeiro
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 14

Expert Comment

ID: 8228507
You need to learn j2ee web security:

Accepted Solution

Binary1 earned 80 total points
ID: 8240966
If that is the line that is actually causing the problem then one of the parameters is not being set.

You didn't provide all the code so I can only guess as to what is occurring. The request.getSessions(true) call will return the session pointer. If it didn't already exist it will create one and return that. In either of these cases the variables you are trying to retrieve may not have been set. The parameters may be null instead of "" like you are testing for. Remember null is not the same as "".

I would recommend that you verify at the top what your session parameters are and what the actual values are. You are likely running into a situation where they are not being set, or at least not set to what you think they may be.

A couple of recommendations:

Keep the failure message the same, regardless of the reason for not allowing them to access it. By providing a different failure message for each "situation" you are allowing users a chance to begin to figure out how your application works, and more of a problem, how to maybe circumvent it.

Instead of using a redirect use a <jsp:forward...>. This also helps prevent the user from gleaming information about your application. It also allows you to more easily change and modify it without necessarily impacting large parts of the system. Some systems can also be configured to ignore redirects. This may cause problems with some of your users.

Perform your database access and retrieval from one or more Java Beans. This helps to remove the database logic from your JSP pages, which will help improve maintainability and component reuse.

If you're using session values don't recalculate everything every time. During the initial login you should be able to determine whether they have access to this application or not. You should consider whether it would be better to set a session variable to denote whether they have access or not instead of redetermining it everytime.

Your use of <%@include...> may cause problems if you are not careful. The include directive includes the specified file when the including JSP file is initially compiled. Any changes to the HelperSecurity.jsp file will not be included in your Report.jsp file unless you also force a recompile on it. If you are going to be making changes to the HelperSecurity.jsp file you may want to consider using the include action <jsp:include...>. The drawback to this is that it is re-translated EVERY time that the page is loaded.

Redirects and forwards can cause problems if the WebServer has already sent data to the client. You show the HelperSecurity.jsp file being included after the <body> tag of the Report.jsp file. If you are going to send a redirect or forward then all of that processing should be done before the HTML <html> tag. Most systems default to an 8K buffer that may save you but it will likely cause problems sooner or later depending on how your HTML data is constructed.
LVL 35

Expert Comment

ID: 10060922
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

- Points to Binary1

Please leave any comments here within the next seven days.


EE Cleanup Volunteer

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out the latest tech news, community articles, and expert highlights in August's newsletter.
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question