Hi,

Thanks for the help.

Your suggestion is one way of implementing the security. The reason I
suggest a controller as the first page that all requests must go through is
that I was hoping that it would enable me to factor out the authentication
check that you have on every page, i.e. instead of having the

<jsp:useBean id="Authentication" scope="session" 
class="com.mycompany.authentication"></jsp:useBean>


<%if (Authentication.isAuthenticated())
{%>

.... rest of JSP goes here

<%}
else
{
response.sendRedirect("./login.jsp");
}
%>

on every page, I could have a controller that looked like:

if (requesting login)
{

        // forward to handleLogin.jsp

}
else
{
        if (not logged on)
        {
                //forward to submitLoginInfo.jsp
        }
        else
        {
                //forward to appropriate servicing JSP
                //(which I can determine from the URL or by having an
"action" parameter in the request)
        }

}

If I want to implement this I need to be sure that it is not possible to get
access to the servicing JSPs "directly" since they wouldn't have any
security embedded in them.

What do you reckon?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tim Hughes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
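A controller servlet in the shape sketched above, as an added example that is not code from this thread. It assumes the controller is mapped to a prefix such as `/app/*` rather than `/*` (a path mapping outranks the `*.jsp` extension mapping, so `/*` would capture the forward itself) and that the servicing JSPs sit under `/WEB-INF/jsp/`, which the container never serves to a browser directly; the session attribute and JSP names are assumptions.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from this thread. Servicing JSPs live under
// /WEB-INF/jsp/, which the container never serves to a browser directly but
// which a RequestDispatcher can still forward to. Names are assumptions.
public class ControllerServlet extends HttpServlet {
    // Session attribute set only after a successful login (assumed name).
    static final String USER_KEY = "authenticatedUser";

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("login".equals(action)) {
            // The login form posts here; handleLogin.jsp checks the
            // credentials and, on success, stores USER_KEY in the session.
            forward(req, resp, "/WEB-INF/jsp/handleLogin.jsp");
            return;
        }
        HttpSession session = req.getSession(false);
        boolean loggedOn = session != null && session.getAttribute(USER_KEY) != null;
        if (!loggedOn) {
            forward(req, resp, "/WEB-INF/jsp/submitLoginInfo.jsp");
            return;
        }
        // Resolve the action through a fixed table rather than by pasting
        // the raw parameter into a path, so the client cannot pick the target.
        String target = pageFor(action);
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        forward(req, resp, target);
    }
    static String pageFor(String action) {
        if (action == null || "home".equals(action)) return "/WEB-INF/jsp/home.jsp";
        if ("account".equals(action)) return "/WEB-INF/jsp/account.jsp";
        return null;
    }
    private void forward(HttpServletRequest req, HttpServletResponse resp,
            String path) throws ServletException, IOException {
        RequestDispatcher rd = getServletContext().getRequestDispatcher(path);
        rd.forward(req, resp);
    }
}
```

Because a browser request for `/WEB-INF/jsp/home.jsp` is refused by the container, the only route to a servicing JSP is the forward from the controller, which is exactly the property the thread is asking for.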



-----Original Message-----
From: pete [mailto:[EMAIL PROTECTED]]
Sent: 3. juli 2001 01:00
To: [EMAIL PROTECTED]
Subject: Re: Programmatic security with servlet mappings in tomcat


Tim,

there are several ways to implement this kind of security check. If you 
want a full-blown MVC model, you might consider looking at Struts or one 
of the other Apache-driven frameworks (Struts is the only one I have 
personal experience with).

With the example you give, I don't understand the need for a 
'controller' JSP in this context.

The way I handle security in one of my apps is that I have a method in a 
session bean (public void isAuthenticated()) that checks the user has a 
valid login, so all my JSPs (except login.jsp) are wrapped in a 
statement like

<jsp:useBean id="Authentication" scope="session" 
class="com.mycompany.authentication"></jsp:useBean>


<%if (Authentication.isAuthenticated())
{%>

.... rest of JSP goes here

<%}
else
{
response.sendRedirect("./login.jsp");
}
%>

If a valid session key is already assigned, the method returns true. If 
username and password are supplied in request scope, isAuthenticated 
does a lookup to our authentication database, and if successful, sets a 
valid session key, and returns true.

If neither of these is true, isAuthenticated sets a 'you are not 
authenticated' message to be displayed by login.jsp, returns false, and 
the user is redirected back to login.jsp.

In our Struts projects, we have a custom tag library that checks 
authentication details, so it's even simpler than the above.

This example lacks exhaustive detail, but it is pretty easy to implement 
a security model like this. There are a number of foibles you can make, 
however. I'd tell you what they are, but that would spoil your fun now, 
wouldn't it ;)

Hope that helps

-Pete




> Hi,
> 
> (Tomcat 3.2.1, Windows 2000, JDK 1.3.1)
> 
> I want to use a Request Controller architecture for a webapp (i.e. one JSP
> that receives all requests and then dispatches the requests to other JSPs
> for servicing of the request). Of course I want to ensure that these
> "servicing" JSPs are not accessible without passing through the controller
> jsp. Is a secure solution to this problem to use a servlet mapping of the
> following form in web.xml:
> 
> <web-app>
> 
> <servlet>
> <servlet-name>controller</servlet-name>
> <jsp-file>controller.jsp</jsp-file>
> </servlet>
> 
> 
> <servlet-mapping>
> <servlet-name>controller</servlet-name>
> <url-pattern>/*</url-pattern>
> </servlet-mapping>
> 
> </web-app>
> 
> 
> And to include in Controller.jsp a session bean for each user to check
> whether they have logged on to the site before forwarding their request to
> the "servicing" JSP.
> 
> I have tried this out "empirically" myself and it seems to work but I would
> quite like a "theoretical" confirmation that this is secure and that this
> solution makes it impossible for a malicious user to get access to the
> "servicing" JSPs (without passing through Controller.jsp which will force a
> logon).
> 
> Thanks.
> 
> Tim.
> 
> 
> This message contains information that may be privileged or confidential
and is the property of the Cap Gemini Ernst & Young Group. It is intended
only for the person to whom it is addressed. If you are not the intended
recipient, you are not authorized to read, print, retain, copy, disseminate,
distribute, or use this message or any part thereof. If you receive this
message in error, please notify the sender immediately and delete all copies
of this message.