Solved

Security Model

Posted on 2004-04-14
3
259 Views
Last Modified: 2010-04-01
Within a JSP website, what are the best/common ways of enforcing a security model across the application. i.e. Having a secure log in and from that log in securly maintaining the users session, so that outside user cannot interfere, and  that the user is restricted to the specfic operations they are allowed to do.
0
Comment
Question by:danBosh
3 Comments
 
LVL 7

Expert Comment

by:searlas
ID: 10821850
Security is configured in the web.xml file of the web application.  Specifically, look for information about security-constraint, login-config and security-role.

A few things to read:

How can you prevent users from accessing a JSP directly that is designed to be used from an Action?
http://www.jguru.com/faq/view.jsp?EID=471953

Basic Authenitcation
http://edocs.bea.com/workshop/docs81/doc/en/workshop/guide/security/authentication/conBasicAuthentication.html

Security in the Web-Tier
http://java.sun.com/webservices/docs/1.3/tutorial/doc/Security2.html


0
 

Author Comment

by:danBosh
ID: 10822005
thaks but these seem to be reguarding system securit, i was more interested in application secuity
0
 
LVL 4

Accepted Solution

by:
john-at-7fff earned 50 total points
ID: 10827475
Actually that last URL (Security in the Web-Tier) is probably what you want. If you use Basic Authentication, there is usually a means -- depending on your server -- to put a list of users and roles in your web app (as XML files in your War). Then programmatically, you can write code like if (request.isUserInRole(String)) { do something . . . .}. Using basic auth, you're getting the most help from the container. One nice thing about this strategy is that many servers offer means to connect this kind of authentication to, say, an LDAP server so that you can start with your own list of users and roles, and then someday tie it into your corporate user/password database.

If you want to implement role-based security yourself, the classic means is to create a session attribute that contains some information about the user; then at the top of every page, you check the value of that session variable. Similarly, you could log information at this point.

An increasingly common strategy for developers who want to do their own security is to write an authentication filter. This is a Java object that sits "in front of" all of the requests into your application -- so you can do something "interesting" before every page is displayed (such as log the activity) or terminate that user's request and send her to an error page. See, e.g., http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html

Really, though, you might want to describe exactly what you're looking for.

0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
project group option in netbeans equivalent term in eclipse 1 50
How to set default webapp for host 6 46
if statement not resolving in my code 5 52
maven j2ee examles 2 56
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question