Writing a fairly secure Login

Posted on 2006-05-16
Last Modified: 2010-04-01
Hi All,

I have been trawling the net looking for a solution to this.
Basically what I need is a means of securing various areas of a site from unauthorised users.
I am not talking about using SSL etc. but something fairly rudimentary.

I have done something similar using ASP.

The idea there was the user could choose to log in and would have access to various areas in this state; in the logged-out state some of these areas would simply not be accessible.

Login was through a login page
Credentials validated against password values stored in a SQL database as an MD5 hash
If validated then the credentials for this user are stored as an AuthCookie using Forms Authentication.

Does anybody have any examples of how to do something similar using JSP and Servlets possibly even using a session JavaBean?
Question by:VincentLawlor
    LVL 5

    Expert Comment

    After "login", couldn't you just stick some flag into the session so that you know they have logged in, and then in each jsp check for the flag and determine what to display?

    You have to realize though that you are pulling security down into the application which isn't a good idea.
    LVL 3

    Expert Comment

    ^^ that is how I would do it, but it possibly isn't the most secure means of doing so.  However, I'm not sure that you could do it another way, short of emulating a session using a database entity, meaning that security would be as safe as your anti-SQL-injection?  But a slow and awfully ugly way of doing things.
    LVL 4

    Author Comment

    It doesn't have to be very secure as it's going to be on an intranet and not exposed to the wider internet audience.
    It will also eventually sit behind a Kerberos security layer.

    This is really only to allow users with certain roles to access various parts of the site. I am not concerned with hacking.
    LVL 2

    Accepted Solution

    Like jploin1 said, you can do this very easily by sticking a variable in the session.

    So when you verify the login credentials, add something like this.

    String canAccess = "DENIED";

    // loginIsValid is a placeholder for the result of checking the submitted
    // credentials against the stored password hash
    if (loginIsValid) {
         canAccess = "APPROVED";
         session.setAttribute("canAccess", canAccess);
    }

    Then create a small file which can be included at the top of each of the pages which requires special access.
    In this file put something like this.

    // getAttribute returns Object, so cast it back to String
    String isApproved = (String) session.getAttribute("canAccess");
    if (isApproved == null || !isApproved.equals("APPROVED")) {
         // this person is not approved to be here: stop rendering the page and send them away
    }

    This will bounce anyone who doesn't belong off the page.
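    The same session flag enforced in one place, as an added example that is not part of the accepted solution: a servlet Filter (javax.servlet API, Servlet 2.x style) mapped to the protected URL pattern checks the flag on every request, so a page cannot be left unprotected by forgetting the include; the class name, the /secure/* pattern and the login.jsp path are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter in web.xml to the protected area, e.g.
//   <filter><filter-name>access</filter-name><filter-class>AccessFilter</filter-class></filter>
//   <filter-mapping><filter-name>access</filter-name><url-pattern>/secure/*</url-pattern></filter-mapping>
// (AccessFilter, /secure/* and /login.jsp are assumed names for this example.)
public class AccessFilter implements Filter {
    static final String FLAG = "canAccess";     // same attribute name as in the answer above
    static final String APPROVED = "APPROVED";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    // Called by the login servlet once the submitted credentials have been verified
    // against the stored hash. Invalidating the old session first means a session id
    // handed out before login is never the one that carries the APPROVED flag.
    public static void markLoggedIn(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(FLAG, APPROVED);
        fresh.setAttribute("user", user);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getSession(false): do not create a session just to find out there is none
        HttpSession session = http.getSession(false);
        Object flag = (session == null) ? null : session.getAttribute(FLAG);
        if (!APPROVED.equals(flag)) {
            // Not approved: bounce to the login page instead of serving the resource
            ((HttpServletResponse) res).sendRedirect(http.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);   // approved: let the JSP or servlet run
    }
}
```

    Role-based access as the author describes can be layered on by storing the role in the session next to the flag and comparing it against the requested path inside doFilter.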
