Testing Security

Dear Experts,

I have created a JSP which searches for data in the database and displays it.

This JSP is called from another JSP by the sendRedirect command.

But nothing prevents this JSP from being called directly from the browser.

I would like to implement some function which verifies that only authorized users can access this report.

So this is what I did:

I've created a helper JSP with the following contents: (HelperSecurity.jsp)
...
<% HttpSession MM_session = request.getSession(true);

   String MM_conn_TIME_USERNAME = (MM_session.getValue("ssUsername") != null) ? MM_session.getValue("ssUsername").toString() : "";
   String MM_conn_TIME_PASSWORD = (MM_session.getValue("ssPassword") != null) ? MM_session.getValue("ssPassword").toString() : "";

   String af = (MM_session.getValue("ssAccountFlag") != null) ? MM_session.getValue("ssAccountFlag").toString() : "";

   /* Compare String contents with equals(); == only tests object identity, not content. */
   if (MM_conn_TIME_USERNAME.equals("") || MM_conn_TIME_PASSWORD.equals("")) {
        String loginMessage = "You are not authorized to access this page!&en=003";
        String szLocation = "../errorPage.jsp?em=" + loginMessage;
        response.sendRedirect(szLocation);
        return; /* sendRedirect does not stop the page; without return the rest of the JSP still executes */
   }
   if (!af.equals("1")) {
        String loginMessage = "Your account has expired! Please contact us to reactivate your account.&en=004";
        String szLocation = "../errorPage.jsp?em=" + loginMessage;
        response.sendRedirect(szLocation);
        return;
   }
   if (!userCanAccessAppl()) { /* This routine checks in the database whether the user has permission to execute this JSP */
        String loginMessage = "You don't have permission to execute this application!&en=005";
        String szLocation = "../errorPage.jsp?em=" + loginMessage;
        response.sendRedirect(szLocation);
        return;
   }
       
 ....

I've created another JSP file which refers to the helper JSP: (Report.jsp)
....
<body>
<%@include file="HelperSecurity.jsp"%>
.....

After logging in to the system, once the user and password have been validated, I typed the URL http://<machine_name>:8888/reportWEB/Report.jsp. The system should display the message that I don't have permission to execute this application, but instead I'm getting a java.lang.NullPointerException ...

The line on which the exception occurs contains:
......
Connection ConnRecordsetSecurity = DriverManager.getConnection(MM_conn_TIME_STRING,MM_conn_TIME_USERNAME,MM_conn_TIME_PASSWORD);
...

How could I solve this problem?

Regards,
Carla
cpribeiroAsked:

kennethxuCommented:
You need to learn J2EE web security:
http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html
0
Binary1Commented:
If that is the line that is actually causing the problem then one of the parameters is not being set.
(MM_conn_TIME_STRING,MM_conn_TIME_USERNAME,MM_conn_TIME_PASSWORD)

You didn't provide all the code so I can only guess as to what is occurring. The request.getSession(true) call will return the session pointer. If it didn't already exist it will create one and return that. In either of these cases the variables you are trying to retrieve may not have been set. The parameters may be null instead of "" like you are testing for. Remember null is not the same as "".

I would recommend that you verify at the top what your session parameters are and what the actual values are. You are likely running into a situation where they are not being set, or at least not set to what you think they may be.

A couple of recommendations:

Keep the failure message the same, regardless of the reason for not allowing them to access it. By providing a different failure message for each "situation" you are allowing users a chance to begin to figure out how your application works, and more of a problem, how to maybe circumvent it.

Instead of using a redirect use a <jsp:forward...>. This also helps prevent the user from gleaning information about your application. It also allows you to more easily change and modify it without necessarily impacting large parts of the system. Some systems can also be configured to ignore redirects. This may cause problems with some of your users.

Perform your database access and retrieval from one or more Java Beans. This helps to remove the database logic from your JSP pages, which will help improve maintainability and component reuse.

If you're using session values don't recalculate everything every time. During the initial login you should be able to determine whether they have access to this application or not. You should consider whether it would be better to set a session variable to denote whether they have access or not instead of redetermining it every time.

Your use of <%@include...> may cause problems if you are not careful. The include directive includes the specified file when the including JSP file is initially compiled. Any changes to the HelperSecurity.jsp file will not be included in your Report.jsp file unless you also force a recompile on it. If you are going to be making changes to the HelperSecurity.jsp file you may want to consider using the include action <jsp:include...>. The drawback to this is that it is re-translated EVERY time that the page is loaded.

Redirects and forwards can cause problems if the web server has already sent data to the client. You show the HelperSecurity.jsp file being included after the <body> tag of the Report.jsp file. If you are going to send a redirect or forward then all of that processing should be done before the HTML <html> tag. Most systems default to an 8K buffer that may save you but it will likely cause problems sooner or later depending on how your HTML data is constructed.
0
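Putting the points of this answer together, the following is an added example of how the helper page could be written; it is not code from the question or from either answer. It assumes a hypothetical session attribute named canAccessReport that the login page sets to Boolean.TRUE after performing the database permission lookup once, uses getAttribute instead of the deprecated getValue, treats a missing (null) attribute the same as an empty one, reports every failure with the same generic message, and forwards with jsp:forward instead of redirecting. The stored password is not consulted at all, because the credentials were already validated at login.

```jsp
<%-- HelperSecurity.jsp (added example). Include this file BEFORE the <html> tag
     of Report.jsp so that nothing has been written to the response when the
     forward happens. --%>
<%!
    // A missing attribute is null, not "", so test both cases in one place.
    private static boolean isBlank(Object value) {
        return value == null || value.toString().trim().length() == 0;
    }
%>
<%
    // Do not create a session here: a user who never logged in has no session,
    // and getSession(true) would silently hand them an empty one.
    HttpSession mmSession = request.getSession(false);

    boolean authorized = false;
    if (mmSession != null) {
        Object user      = mmSession.getAttribute("ssUsername");
        Object flag      = mmSession.getAttribute("ssAccountFlag");
        // "canAccessReport" is a hypothetical attribute set once at login after
        // the database lookup, so the check is not repeated on every request.
        Object canAccess = mmSession.getAttribute("canAccessReport");

        // "1".equals(flag) is null-safe; flag.equals("1") would throw on a missing attribute.
        authorized = !isBlank(user)
                  && "1".equals(flag)
                  && Boolean.TRUE.equals(canAccess);
    }

    if (!authorized) {
        // One generic message for every failure reason, so the response does not
        // reveal whether the account exists, is expired, or lacks this permission.
%>
        <jsp:forward page="/errorPage.jsp">
            <jsp:param name="em" value="You are not authorized to access this page." />
        </jsp:forward>
<%
    }
    // Execution only reaches this point for an authorized user; Report.jsp
    // continues with the rest of the page after the include directive.
%>
```

The reason for the specific failure can still be written to the server log inside the if block for troubleshooting; it just should not travel back to the browser. Because jsp:forward ends processing of the current page, no explicit return is needed after it.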

girionisCommented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

- Points to Binary1

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

girionis
EE Cleanup Volunteer
0