Solved

Security Model

Posted on 2004-04-14
Last Modified: 2010-04-01
Within a JSP website, what are the best/common ways of enforcing a security model across the application? i.e. having a secure log-in and, from that log-in, securely maintaining the user's session so that an outside user cannot interfere, and so that the user is restricted to the specific operations they are allowed to do.
Question by:danBosh
3 Comments
 
LVL 7

Expert Comment

by:searlas
ID: 10821850
Security is configured in the web.xml file of the web application.  Specifically, look for information about security-constraint, login-config and security-role.

A few things to read:

How can you prevent users from accessing a JSP directly that is designed to be used from an Action?
http://www.jguru.com/faq/view.jsp?EID=471953

Basic Authentication
http://edocs.bea.com/workshop/docs81/doc/en/workshop/guide/security/authentication/conBasicAuthentication.html

Security in the Web-Tier
http://java.sun.com/webservices/docs/1.3/tutorial/doc/Security2.html


 

Author Comment

by:danBosh
ID: 10822005
Thanks, but these seem to be regarding system security; I was more interested in application security.
 
LVL 4

Accepted Solution

by: john-at-7fff earned 50 total points
ID: 10827475
Actually that last URL (Security in the Web-Tier) is probably what you want. If you use Basic Authentication, there is usually a means -- depending on your server -- to put a list of users and roles in your web app (as XML files in your War). Then programmatically, you can write code like if (request.isUserInRole(String)) { do something . . . .}. Using basic auth, you're getting the most help from the container. One nice thing about this strategy is that many servers offer means to connect this kind of authentication to, say, an LDAP server so that you can start with your own list of users and roles, and then someday tie it into your corporate user/password database.

If you want to implement role-based security yourself, the classic means is to create a session attribute that contains some information about the user; then at the top of every page, you check the value of that session variable. Similarly, you could log information at this point.

An increasingly common strategy for developers who want to do their own security is to write an authentication filter. This is a Java object that sits "in front of" all of the requests into your application -- so you can do something "interesting" before every page is displayed (such as log the activity) or terminate that user's request and send her to an error page. See, e.g., http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html

Really, though, you might want to describe exactly what you're looking for.

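The do-it-yourself strategy from the accepted answer, as an added example that is not part of the original thread: a servlet Filter mapped to /* that (a) redirects anonymous requests to the login page, (b) checks the session attribute holding the logged-in user against the role a URL prefix requires, default-deny for anything unmapped, and (c) wraps the request so JSPs can call request.isUserInRole() exactly as they would under container-managed web.xml security. It also shows the login-side step the answer leaves implicit: invalidating the pre-login session so a session id planted by an attacker (session fixation) never becomes an authenticated one. The attribute name "auth.user", the /login.jsp, /public/, /admin/ and /app/ paths and the "admin"/"user" role names are assumptions for the example, not anything from the page.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Authentication + authorization filter ("Intercepting Filter" pattern).
 * Register it in web.xml (assumed names):
 *   <filter><filter-name>auth</filter-name><filter-class>AuthFilter</filter-class></filter>
 *   <filter-mapping><filter-name>auth</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public final class AuthFilter implements Filter {

    /** Session attribute holding the logged-in user (name is an assumption). */
    static final String USER_ATTR = "auth.user";

    /** Minimal user record; a real app would load it from a database or LDAP. */
    public static final class User {
        final String name;
        final Set<String> roles;
        User(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /**
     * Called by the login page AFTER the password check succeeds. The pre-login
     * session is discarded so an id handed to the browser before login
     * (session fixation) is never promoted to an authenticated session.
     */
    public static void establishSession(HttpServletRequest request, User user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, user);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/admin/users.jsp"; using the
        // request URI rather than getServletPath() so path-mapped servlets are covered too.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Pages reachable without a login (assumed layout).
        if (path.equals("/login.jsp") || path.startsWith("/public/")) {
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = request.getSession(false);
        final User user = (session == null) ? null : (User) session.getAttribute(USER_ATTR);
        if (user == null) {
            // Not logged in: redirect (not forward) so the protected page is never rendered.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // Authorization: each URL prefix maps to one required role; unmapped prefixes are denied.
        String required = requiredRole(path);
        if (required == null || !user.hasRole(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Expose the user through the standard API so downstream JSPs can use
        // request.isUserInRole("admin") just as under web.xml-managed security.
        HttpServletRequest wrapped = new HttpServletRequestWrapper(request) {
            @Override public String getRemoteUser() { return user.name; }
            @Override public boolean isUserInRole(String role) { return user.hasRole(role); }
        };
        chain.doFilter(wrapped, response);
    }

    /** Role needed for a path, or null when the path is not mapped (and therefore denied). */
    static String requiredRole(String path) {
        if (path.startsWith("/admin/")) return "admin";
        if (path.startsWith("/app/"))   return "user";
        return null;
    }
}
```

Two points worth noting when adapting this: the prefix table is deny-by-default, so a new directory is unreachable until it is deliberately mapped, which is the failure mode you want; and the role check happens in one place rather than "at the top of every page", so a JSP that forgets the check is still protected as long as the filter is mapped to /*.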
