Hi all,
an on-topic question for you all to wonder at :)

I haven't yet had time to go into this and am interested in the experiences some of you may have had with the same things.

I am looking to set up a servlet chain that vets requests for JSP files. Essentially it will implement a loose security system that will redirect users who have not logged in back to a portal page. It is only designed to prevent casual access of JSPs behind the portal, not be a grand system that tries to prevent hackers and so on.
The way things are at the moment:

I have a web site which allows access to a closed user group. All of the files that produce content, active or otherwise, are JSPs. User verification is done via a user database. All relevant user details (such as user id, name information) are stored in the session object. I can check the session object for that information + request headers and so on to see if someone is accessing a page behind the login page. Requests from the JSPs are a mixture of POST and GET requests.
To implement this security system I have the following problems to address:

1) Handling of arbitrary request types and their parameters, if any, inside the filter servlet and passing the request on to the JSP servlet when it is a valid access.
2) The effects of proxies/firewalls on the passing of session ids via cookies.
3) The usefulness of checking things like the Referer request header for legal (or even just non-null) values.
I have several books on Servlets, including Jason Hunter's, but they all fail to give a full treatment on the subject of servlet chaining.

Servlet chaining is a preferred alternative to having to provide the security code in each and every JSP file that already exists, and the addition of more pages would be automatically shielded.

Assume I am knowledgeable about encoding URLs and redirects.

The system this is running on is Win NT, IIS4, JRun Pro 2.3.2, but a portable solution would be the best, and authentication by the web server is not a practical alternative at all.
Thanks in advance
Andy Bailey
PS if you have better ideas about how to do this then please post them
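One way to build the vetting stage described in the post above, as an added example that is not code from the original message or from JRun: it uses the standard Servlet 2.3 Filter interface (the portable replacement for vendor servlet chaining) and assumes, hypothetically, that the login page stores a "userId" attribute in the session and that the portal page is /portal.jsp; both names are overridable through web.xml init-params.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Vets every request it is mapped to (url-pattern "*.jsp" in web.xml): users whose
 * session has no login attribute are redirected to the portal page; all other requests
 * are passed on unchanged, so GET and POST parameters reach the JSP as if the filter were absent.
 */
public class PortalLoginFilter implements Filter {
    // Hypothetical names, overridable via web.xml init-params.
    private String sessionKey = "userId";      // set by the login page on success
    private String portalPath = "/portal.jsp"; // context-relative portal page

    public void init(FilterConfig cfg) {
        String k = cfg.getInitParameter("sessionKey");
        String p = cfg.getInitParameter("portalPath");
        if (k != null) sessionKey = k;
        if (p != null) portalPath = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Never vet the portal page itself, or nobody could reach the login form.
        if (request.getServletPath().equals(portalPath) || isLoggedIn(request)) {
            chain.doFilter(req, res); // valid access: hand the untouched request to the JSP servlet
            return;
        }
        // Not logged in. encodeRedirectURL() adds the session id to the URL when the
        // client or an intervening proxy has dropped the session cookie (problem 2).
        // The Referer header is not consulted: any client can omit or forge it (problem 3).
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + portalPath));
    }

    private boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create a session just to check it
        return session != null && session.getAttribute(sessionKey) != null;
    }

    public void destroy() { }
}
```

Map it in web.xml with a <filter-mapping> whose url-pattern is *.jsp; it needs a container implementing Servlet 2.3 or later, so it will not drop into JRun 2.3.2's proprietary chaining as-is.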
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html