Enabling User Authentication in Java Web App

My web application has a secure area where users log in via JSP. The JSP sends the username and password to the servlet, which then checks if the user credentials are valid. If they are valid, then the user is directed to a protected resource. How can I ensure that users can't just navigate to a protected resource without checking first?

+1

4 answers


A common approach is to set a token in the user session, i.e.

session.setAttribute("loggedIn", "true");

or even

session.setAttribute("loggedInUser", "someUserName");

and check for it on any page that needs to be protected. A good strategy is to perform validation using a servlet filter that you attach to any page that needs to be protected. If they fail validation, the filter might redirect to the login page. See also here: http://java.sun.com/products/servlet/Filters.html

This is a good article on using filters for authentication also: http://www.developer.com/java/ent/article.php/3467801

+6

What's wrong with using a security constraint in your web.xml:

<security-constraint>
      <web-resource-collection>
         <web-resource-name>Secure</web-resource-name>
         <url-pattern>/secure/*</url-pattern>
      </web-resource-collection>
      <!-- without an auth-constraint the collection is NOT restricted -->
      <auth-constraint>
         <role-name>*</role-name>
      </auth-constraint>
</security-constraint>

+4

Make sure users always access your application through a single servlet, where the servlet sends a request to the JSP and returns the resulting response to the browser. This way, you will always be in control of what happens, because there is one entry point.

Another approach is to have a session variable (server-side or even in a cookie) that is validated by every JSP that requires authentication.

0

Security is really tricky. Much more than you usually think. Using the concept (Acegi comes to mind), or the standard <security-constraint> section in web.xml as LenW pointed out is necessary! At the very least, use a filter to handle the authorization portion of your security.

I don't like the solution to use a single entry point (as suggested by Rolf). It seems to me that this is an artificial limitation imposed on your architecture. And there are many good reasons to have multiple servlets in a webapp.

Whatever you do, do not use a technique in which you rely on manual code on every page (e.g. every JSP starts with "if user_authentified ..."). You will forget to put it somewhere ...

0
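As an added example (not code from any of the answers above), the filter approach described in the first and last answers: a servlet filter mapped to the protected area that checks the "loggedInUser" session attribute and redirects to the login page otherwise. The /secure/* pattern, the attribute name and the /login.jsp path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: every request under /secure/ passes through here,
// so a JSP in that folder cannot be reached without the session check.
@WebFilter("/secure/*")
public class AuthFilter implements Filter {

    // Session attribute the login servlet sets after validating credentials
    // (assumed name, matching the first answer's example).
    static final String USER_ATTR = "loggedInUser";

    // Login page must live OUTSIDE /secure/, or the redirect loops.
    static final String LOGIN_PAGE = "/login.jsp";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an anonymous visitor
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return; // stop the chain so the protected resource never executes
        }

        // Logged in: let the request continue to the JSP/servlet
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

The login servlet should call request.changeSessionId() (Servlet 3.1+) or invalidate and recreate the session before setting the attribute, so that a session id handed out before login is not reused afterwards.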
