Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Testing Security

Posted on 2003-03-28
Medium Priority
Last Modified: 2010-04-01
Dear Experts,

I have created a JSP which searchs data in the database and shows these data....

This JSP is called from another JSP by sendRedirect command.

But nothing is blocking that this JSP can be called from browser directly....

But I would like to implement some function which must be verify that only authorized users could access this report.

Then I did.....

I've created a helper JSP with the following contents: (HelperSecurity.jsp)
<% HttpSession MM_session = request.getSession(true);

   String MM_conn_TIME_USERNAME = (MM_session.getValue("ssUsername") != null)?MM_session.getValue("ssUsername").toString():"";
   String MM_conn_TIME_PASSWORD = (MM_session.getValue("ssPassword") != null)?MM_session.getValue("ssPassword").toString():"";
     String af = (MM_session.getValue("ssAccountFlag") != null)?MM_session.getValue("ssAccountFlag").toString():"";
     if ((MM_conn_TIME_USERNAME == "") || (MM_conn_TIME_PASSWORD == "")) {
          String loginMessage = "You are not authorized to access this page!&en=003";
          String szLocation = "../errorPage.jsp?em=" + loginMessage;
     if (!af.equals("1"))     {
          String loginMessage = "Your account has expired! Please contact us to reactivate your account.&en=004";
          String szLocation = "../errorPage.jsp?em=" + loginMessage;
        if(!userCanAccessAppl()) /* This routine check in database if the user has permission of execute this JSP */
                String loginMessage = "You can't permission to execute this application!&en=005";
          String szLocation = "../errorPage.jsp?em=" + loginMessage;

I've created another JSP file which refers to the helper JSP: (Report.jsp)
<%@include file="HelperSecurity.jsp"%>

When I've logged in in system, after of valided the user and password I've typed in URL http://<machine_name>:8888/reportWEB/Report.jsp. The system should display the message I can not permission to execute this application, but I'm getting the java.lang.NullPointerException ...

The line which is occurring the exception contains:
Connection ConnRecordsetSecurity = DriverManager.getConnection(MM_conn_TIME_STRING,MM_conn_TIME_USERNAME,MM_conn_TIME_PASSWORD);

How I could to solve this problem?

Question by:cpribeiro
LVL 14

Expert Comment

ID: 8228507
You need to learn j2ee web security:

Accepted Solution

Binary1 earned 80 total points
ID: 8240966
If that is the line that is actually causing the problem then one of the parameters is not being set.

You didn't provide all the code so I can only guess as to what is occurring. The request.getSessions(true) call will return the session pointer. If it didn't already exist it will create one and return that. In either of these cases the variables you are trying to retrieve may not have been set. The parameters may be null instead of "" like you are testing for. Remember null is not the same as "".

I would recommend that you verify at the top what your session parameters are and what the actual values are. You are likely running into a situation where they are not being set, or at least not set to what you think they may be.

A couple of recommendations:

Keep the failure message the same, regardless of the reason for not allowing them to access it. By providing a different failure message for each "situation" you are allowing users a chance to begin to figure out how your application works, and more of a problem, how to maybe circumvent it.

Instead of using a redirect use a <jsp:forward...>. This also helps prevent the user from gleaming information about your application. It also allows you to more easily change and modify it without necessarily impacting large parts of the system. Some systems can also be configured to ignore redirects. This may cause problems with some of your users.

Perform your database access and retrieval from one or more Java Beans. This helps to remove the database logic from your JSP pages, which will help improve maintainability and component reuse.

If you're using session values don't recalculate everything every time. During the initial login you should be able to determine whether they have access to this application or not. You should consider whether it would be better to set a session variable to denote whether they have access or not instead of redetermining it everytime.

Your use of <%@include...> may cause problems if you are not careful. The include directive includes the specified file when the including JSP file is initially compiled. Any changes to the HelperSecurity.jsp file will not be included in your Report.jsp file unless you also force a recompile on it. If you are going to be making changes to the HelperSecurity.jsp file you may want to consider using the include action <jsp:include...>. The drawback to this is that it is re-translated EVERY time that the page is loaded.

Redirects and forwards can cause problems if the WebServer has already sent data to the client. You show the HelperSecurity.jsp file being included after the <body> tag of the Report.jsp file. If you are going to send a redirect or forward then all of that processing should be done before the HTML <html> tag. Most systems default to an 8K buffer that may save you but it will likely cause problems sooner or later depending on how your HTML data is constructed.
LVL 35

Expert Comment

ID: 10060922
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

- Points to Binary1

Please leave any comments here within the next seven days.


EE Cleanup Volunteer

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ready to kick start your career in 2018? Add app developer skills to your resume. January’s Course of the Month features Android App Development training with hands-on learning.  Read on to learn why these skills are important.
How do you create a user-centered user experience on your website? And what are some things you should consider in the process?
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
The Relationships Diagram is a good way to get an overall view of what a database is keeping track of. It is also where relationships are defined. A relationship specifies how two tables connect to each other. As you build tables in Microsoft Ac…
Suggested Courses
Course of the Month13 days, 21 hours left to enroll

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question