• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311
  • Last Modified:

Writing a fairly secure Login

Hi All,

I have been trawling the net looking for a solution to this.
Basically what I need is a means of securing various areas of a site from unauthorised users.
I am not talking about using SSL etc but something fairly rudamentary.

I have done something similar using ASP.

The idea there was the user chould choose to log in and would have access to various areas in this state in the logged out state some of these areas would simply not be accessible.

Login was through a login page
Credentials validated against password values stored in a SQL database as a MD5 hash
If validated then the credentials for this user are stored as an AuthCookie using Forms Authentication.

Does anybody have any examples of how to do something similar using JSP and Servlets possibly even using a session JavaBean?
0
VincentLawlor
Asked:
VincentLawlor
1 Solution
 
jpolin1Commented:
After "login", couldn't you just stick some flag into the session so that you know they have logged in, and then in each jsp check for the flag and determine what to display?

You have to realize though that you are pulling security down into the application which isn't a good idea.
0
 
seopherCommented:
^^ that is how I would do it, but it possibly isnt the most secure means of doing so.  however, i'm not sure that you could do it another way.  short of emulating a session using a database entity, meaning that security would be as safe as your anti-sql-injection?  But a slow and awfully ugly way of doing things.
0
 
VincentLawlorAuthor Commented:
It doesn't have to be very secure as it's going to be on an intranet and not exposed to the wider internet audience.
It will also eventally sit behind a Kerberos security layer.

This is really only to allow users with certain roles to access various parts of the site. I am not concerned with hacking.
0
 
jmaddaCommented:
Like jploin1 said, you can do this very easily by stick a variable in the session.

So when you verify the login credentials, add something this.

String canAccess = DENIED;

if(login is correct and qualifies) {
     canAccess = "APPROVED";
     session.setAttribute("canAccess", canAccess)
}

Then create a small file which can be included in the top each of the pages which requires special access.
In this file put something like this.

String isApproved = session.getAttribute("canAccess");
if(isApproved == null || !isApproved.equals("APPROVED")) {
     //this person is not approved to be here.....
     response.sendRedirect("/somewhereelse.jsp");
     return;
}

This will bounce anyone who doesn't belong off the page.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now