Security Model

Within a JSP website, what are the best/common ways of enforcing a security model across the application? I.e., having a secure login and, from that login, securely maintaining the user's session, so that outside users cannot interfere, and so that the user is restricted to the specific operations they are allowed to do.
danBosh Asked:

searlas Commented:
Security is configured in the web.xml file of the web application.  Specifically, look for information about security-constraint, login-config and security-role.

A few things to read:

How can you prevent users from accessing a JSP directly that is designed to be used from an Action?
http://www.jguru.com/faq/view.jsp?EID=471953

Basic Authentication
http://edocs.bea.com/workshop/docs81/doc/en/workshop/guide/security/authentication/conBasicAuthentication.html

Security in the Web-Tier
http://java.sun.com/webservices/docs/1.3/tutorial/doc/Security2.html


0
danBosh Author Commented:
Thanks, but these seem to be regarding system security; I was more interested in application security.
0
john-at-7fff Commented:
Actually that last URL (Security in the Web-Tier) is probably what you want. If you use Basic Authentication, there is usually a means -- depending on your server -- to put a list of users and roles in your web app (as XML files in your War). Then programmatically, you can write code like if (request.isUserInRole(String)) { do something . . . .}. Using basic auth, you're getting the most help from the container. One nice thing about this strategy is that many servers offer means to connect this kind of authentication to, say, an LDAP server so that you can start with your own list of users and roles, and then someday tie it into your corporate user/password database.

If you want to implement role-based security yourself, the classic means is to create a session attribute that contains some information about the user; then at the top of every page, you check the value of that session variable. Similarly, you could log information at this point.

An increasingly common strategy for developers who want to do their own security is to write an authentication filter. This is a Java object that sits "in front of" all of the requests into your application -- so you can do something "interesting" before every page is displayed (such as log the activity) or terminate that user's request and send her to an error page. See, e.g., http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html

Really, though, you might want to describe exactly what you're looking for.

0
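
The authentication filter and session-attribute check described in the answer above, as an added example that is not code from any poster in this thread. It assumes the `javax.servlet` API (`jakarta.servlet` on newer containers); the class name, the `/login.jsp`, `/login` and `/admin/` paths, and the `user` and `roles` session attributes are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed login form
    private static final String LOGIN_ACTION = "/login";   // assumed login servlet
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Container-decoded path inside the application, e.g. "/admin/users.jsp".
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        if (path.equals(LOGIN_PAGE) || path.equals(LOGIN_ACTION)) {
            chain.doFilter(rq, rs);                  // the only pages open to anonymous users
            return;
        }
        HttpSession session = req.getSession(false); // do not create sessions for anonymous requests
        if (session == null || session.getAttribute("user") == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        if (path.startsWith("/admin/") && !hasRole(session, "admin")) {
            // Strip line breaks so a crafted URL cannot forge log entries.
            ctx.log("Denied " + path.replaceAll("[\\r\\n]", "_")
                    + " for user " + session.getAttribute("user"));
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        res.setHeader("Cache-Control", "no-store");  // keep protected pages out of shared caches
        chain.doFilter(rq, rs);
    }

    // The login code is assumed to store the user's roles as a Set<String>.
    private static boolean hasRole(HttpSession session, String role) {
        Object roles = session.getAttribute("roles");
        return roles instanceof Set && ((Set<?>) roles).contains(role);
    }
}
```

Map the filter to `/*` with `<filter>` and `<filter-mapping>` entries in web.xml so that every request passes through it. The login code is assumed to set the session attributes only after verifying the credentials and starting a fresh session.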
