I have a web application in which, when users log in, they reach the mainjsp.jsp page.
On this page there are a few text boxes for dates; based on the dates and a selection from another drop-down, data is submitted. This data is retrieved by a servlet and brought back to the mainjsp page.
My concern is about security. Now when I copy the mainjsp.jsp page's URL and paste it in any browser, this page appears as it is. I don't want this to happen. I want the users to log in first, and hence I want my web application secure.
I don't have any idea how to do this. Could you please tell me how I can achieve this?
Also please tell me how I achieve this for any of the pages in the web application. Users should not be able to access any page if they haven't logged in.
You should use form-based authentication. Here is the snippet which should be added to your web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>pagesWithRestrictedAccess</web-resource-name>
        <description>All JSP pages require a logged-in user</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <!-- Without an auth-constraint a security-constraint grants unrestricted
         access; this element is what makes the container demand a login -->
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>No Description</description>
        <!-- CONFIDENTIAL instead of NONE would force HTTPS for these pages -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>
<!-- The role referenced above must be declared here and mapped to users in the
     container's realm; "user" is an assumed role name, use your own -->
<security-role>
    <role-name>user</role-name>
</security-role>
Some References:
- Securing Web Applications
- Securing Java EE 5 Web Applications
- Declaring Security Requirements in a Deployment Descriptor
You may check Apache Shiro to use an out-of-the-box security framework and prevent advanced security tricks in a web environment.
Spring Security 3 is powerful and easy to configure
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-minimal
Use sessions.
Set a session variable on login and check it on every page you have to make secure.
When the user enters credentials and submits them to a login servlet, add the user name or user id to the session. Check the session attribute in the application's header (so on every page): does the user name or user id exist in the session? If yes, redirect to the requested page; otherwise redirect the user to login.jsp. For example:
<%
    // session, request and response are JSP implicit objects; the login
    // servlet is assumed to have stored the user name under "user_name_session"
    String var = null;
    try {
        var = (String) session.getAttribute("user_name_session");
        if (var == null) {
            // Not logged in: redirect relative to the context path (a bare
            // "/Login.jsp" would point at the server root, not this application)
            response.sendRedirect(request.getContextPath() + "/Login.jsp");
            return;
        }
    } catch (Exception e) {
        // e.g. ClassCastException if the attribute holds a non-String value
        System.out.println(e);
    }
%>
You can modify the snippet as per your requirements; this is the simplest way of preventing a user from going to any page by copying the link into another browser.
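As an added example (not code from any of the answers above), the same session check turned into a servlet Filter so that it covers every page in the application at once, which is what the question asks for. It assumes a Servlet 3.0+ container, that the login servlet stores the user id under the session attribute "user_name_session" (the name used in the answer), and that /Login.jsp and a hypothetical login servlet mapped at /login are the only URLs anonymous visitors may reach.

```java
// Added example, not from the answers above. Assumed names: the session attribute
// "user_name_session", the login page /Login.jsp, a hypothetical servlet at /login.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
@WebFilter("/*") // every URL in the application passes through this filter
public class LoginRequiredFilter implements Filter {

    private static final String USER_ATTR = "user_name_session";
    private static final String LOGIN_PAGE = "/Login.jsp";
    private static final String LOGIN_SERVLET = "/login";
    @Override
    public void init(FilterConfig config) { }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the application, e.g. "/mainjsp.jsp"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login page and login servlet must stay reachable, or nobody could log in
        boolean isPublic = path.equals(LOGIN_PAGE) || path.equals(LOGIN_SERVLET);

        // getSession(false) does not create a session for an anonymous visitor
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (isPublic || loggedIn) {
            chain.doFilter(req, res);   // let the request through
            return;
        }
        // Redirect relative to the context path, not the server root
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
    @Override
    public void destroy() { }
}
```

Static assets such as stylesheets need the same exemption as the login page, and the login servlet should invalidate any pre-login session before storing the user id so that a session id issued before login cannot be reused.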
This is really the best way to convert an HTTP request into an HTTPS request:
http://middlewaremagic.com/weblogic/?p=2019