• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267
  • Last Modified:

Security Model

Within a JSP website, what are the best/common ways of enforcing a security model across the application. i.e. Having a secure log in and from that log in securly maintaining the users session, so that outside user cannot interfere, and  that the user is restricted to the specfic operations they are allowed to do.
0
danBosh
Asked:
danBosh
1 Solution
 
searlasCommented:
Security is configured in the web.xml file of the web application.  Specifically, look for information about security-constraint, login-config and security-role.

A few things to read:

How can you prevent users from accessing a JSP directly that is designed to be used from an Action?
http://www.jguru.com/faq/view.jsp?EID=471953

Basic Authenitcation
http://edocs.bea.com/workshop/docs81/doc/en/workshop/guide/security/authentication/conBasicAuthentication.html

Security in the Web-Tier
http://java.sun.com/webservices/docs/1.3/tutorial/doc/Security2.html


0
 
danBoshAuthor Commented:
thaks but these seem to be reguarding system securit, i was more interested in application secuity
0
 
john-at-7fffCommented:
Actually that last URL (Security in the Web-Tier) is probably what you want. If you use Basic Authentication, there is usually a means -- depending on your server -- to put a list of users and roles in your web app (as XML files in your War). Then programmatically, you can write code like if (request.isUserInRole(String)) { do something . . . .}. Using basic auth, you're getting the most help from the container. One nice thing about this strategy is that many servers offer means to connect this kind of authentication to, say, an LDAP server so that you can start with your own list of users and roles, and then someday tie it into your corporate user/password database.

If you want to implement role-based security yourself, the classic means is to create a session attribute that contains some information about the user; then at the top of every page, you check the value of that session variable. Similarly, you could log information at this point.

An increasingly common strategy for developers who want to do their own security is to write an authentication filter. This is a Java object that sits "in front of" all of the requests into your application -- so you can do something "interesting" before every page is displayed (such as log the activity) or terminate that user's request and send her to an error page. See, e.g., http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html

Really, though, you might want to describe exactly what you're looking for.

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now