• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 331
  • Last Modified:

Writing a fairly secure Login

Hi All,

I have been trawling the net looking for a solution to this.
Basically what I need is a means of securing various areas of a site from unauthorised users.
I am not talking about using SSL etc but something fairly rudamentary.

I have done something similar using ASP.

The idea there was the user chould choose to log in and would have access to various areas in this state in the logged out state some of these areas would simply not be accessible.

Login was through a login page
Credentials validated against password values stored in a SQL database as a MD5 hash
If validated then the credentials for this user are stored as an AuthCookie using Forms Authentication.

Does anybody have any examples of how to do something similar using JSP and Servlets possibly even using a session JavaBean?
0
VincentLawlor
Asked:
VincentLawlor
1 Solution
 
jpolin1Commented:
After "login", couldn't you just stick some flag into the session so that you know they have logged in, and then in each jsp check for the flag and determine what to display?

You have to realize though that you are pulling security down into the application which isn't a good idea.
0
 
seopherCommented:
^^ that is how I would do it, but it possibly isnt the most secure means of doing so.  however, i'm not sure that you could do it another way.  short of emulating a session using a database entity, meaning that security would be as safe as your anti-sql-injection?  But a slow and awfully ugly way of doing things.
0
 
VincentLawlorAuthor Commented:
It doesn't have to be very secure as it's going to be on an intranet and not exposed to the wider internet audience.
It will also eventally sit behind a Kerberos security layer.

This is really only to allow users with certain roles to access various parts of the site. I am not concerned with hacking.
0
 
jmaddaCommented:
Like jploin1 said, you can do this very easily by stick a variable in the session.

So when you verify the login credentials, add something this.

String canAccess = DENIED;

if(login is correct and qualifies) {
     canAccess = "APPROVED";
     session.setAttribute("canAccess", canAccess)
}

Then create a small file which can be included in the top each of the pages which requires special access.
In this file put something like this.

String isApproved = session.getAttribute("canAccess");
if(isApproved == null || !isApproved.equals("APPROVED")) {
     //this person is not approved to be here.....
     response.sendRedirect("/somewhereelse.jsp");
     return;
}

This will bounce anyone who doesn't belong off the page.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now