PeterS

Reputation: 724

How to secure links in your JSP web application?

I am hiding some links in my webapp depending on the user roles. Now, for example, I hide the link sample.jsp from my user with role equal to 1. Of course this will hide it, but if this user knows the link he can eventually go to that link. How to configure this?

Upvotes: 0

Views: 766

Answers (3)

skuntsel

Reputation: 11742

First of all, choose a security framework that appeals to you, like Apache Shiro or Spring Security, as proposed by Sudhakar. To get an understanding of different security frameworks you may like Matt Raible's overview of 2011 here: Spring Security and Apache Shiro, among others.

Next, you should be able to follow Quentin's answer quite simply, if you choose the security framework.

The very basic scheme is dividing the pages into logical groups based on roles (of which you should have a few): for instance, pages with paths /admin/users/edit (and admin/...) would be aimed at people with the role of administrator, /user/order/view (and user/...) would be visible to registered users, etc. A more advanced setting will be necessary in case you want to have sections of a page rendered for particular user roles, like both admins will have access to /user/edit, but the delete button will be rendered only if the current user's role equals administrator. To secure the application more, the framework you choose should provide a way of securing business logic methods based on user roles. There might also be some special tags to ease view creation, like <shiro:hasRole>, if you choose Shiro.

But the basic solution to your situation is <h:link rendered="#{currentUser.roleOne}"/> with the backing-bean method public boolean isRoleOne() { return role.equals("1"); }. Of course, it will only hide the link, but the user will still be able to access the page via its URL. So, you will eventually end up either writing a lot of boilerplate code for a Filter or using a solution proposed by a well-accepted security framework.

Upvotes: 0

Sudhakar

Reputation: 4873

Quentin's suggestion should do, and it's probably enough if you are developing a demo app,

But if you're serious about implementing robust authentication and authorization, then you should seriously consider learning any open source security framework.

This could save you from lots of headaches, especially if you're custom building security for your app.

Upvotes: 1

Quentin

Reputation: 943569

When someone visits the URL the link points to, check if they have been authenticated (if not, show them a login page) and if the user they are authenticated as is authorised to access the page (if not, show them an error message explaining that and give them a "log in as a different user" form).

Upvotes: 2
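The server-side check Quentin describes, combined with skuntsel's path-prefix grouping (/admin/... for administrators, /user/... for registered users), as an added example that is not part of any answer above. It is a plain servlet Filter in Java, so it needs no framework; the session attribute names currentUser and currentRole, the role strings admin and user, the page names login.jsp and forbidden.jsp, and the prefix table are all assumptions for illustration.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the thread): runs on every request, so a user who
// types a hidden URL by hand is still checked on the server, not just in the view.
@WebFilter("/*")
public class RoleAuthorizationFilter implements Filter {

    // Assumed session attribute names; use whatever your login code actually stores.
    static final String USER_ATTR = "currentUser";
    static final String ROLE_ATTR = "currentRole";

    // Assumed mapping of path prefix -> role required. First matching prefix wins,
    // so put more specific prefixes before more general ones.
    private static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/", "admin");
        RULES.put("/user/", "user");
        RULES.put("/sample.jsp", "admin");   // the page the question hides from some users
    }

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet path + path info is already decoded and normalised by the container
        // and excludes the context path, so rules do not depend on the deployment name.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        String requiredRole = requiredRoleFor(path);
        if (requiredRole == null) {          // public resource: no check needed
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            // Not authenticated: send to the login page, remembering the requested path.
            // Only the context-relative path is passed on, so this cannot redirect off-site.
            response.sendRedirect(request.getContextPath() + "/login.jsp?next="
                    + URLEncoder.encode(path, "UTF-8"));
            return;
        }

        Object role = session.getAttribute(ROLE_ATTR);
        if (role == null || !requiredRole.equals(role.toString())) {
            // Authenticated but not authorised: deny explicitly rather than serving the page.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            request.getRequestDispatcher("/forbidden.jsp").forward(req, res);
            return;
        }

        chain.doFilter(req, res);            // authenticated and authorised
    }

    // Returns the role a path requires, or null if the path is public.
    static String requiredRoleFor(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }
}
```

The @WebFilter annotation needs a Servlet 3.0 container; on older containers register the same class in web.xml with a filter-mapping whose url-pattern is /*. The design point is that the decision is made from the request path and the server-side session, never from anything the browser sends about its role, so hiding or showing the link in the JSP becomes purely cosmetic.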
