Michael

Reputation: 1164

How to restrict direct access to secure pages?

How can I restrict direct access to secure pages for non-admin roles in a Java web application? For example, my application has 350-500 URLs and I want to hide 20-30 of them and permit access to them only for the admin role. What is the best way to solve this problem? What is the best practice for this case?

Maybe I need to group the necessary URLs under a single beginning URI? Or somehow use web.xml properties? Or is it enough to save the role of the logged-in user in the session and use a servlet filter? The problem in that case is that I need to sort out each secure URL. But there may be many in the future...

I think everyone faces this problem. Please give me the standard and simple solutions for this situation! Thanks in advance!

I will be grateful for any advice and tips!

Upvotes: 0

Views: 1355

Answers (3)

Serge Ballesta

Reputation: 148965

For a very simple application it will certainly be overkill, but if you are already using Spring Framework, you could have a look at Spring Security. It deals with authentication, with many possibilities, and can have very simple or very sophisticated authorization rules.

Apache Shiro is also a simpler (but less powerful) alternative.

Upvotes: 0

Aviad

Reputation: 1549

You can take a look here: http://viralpatel.net/blogs/tutorial-java-servlet-filter-example-using-eclipse-apache-tomcat/

You need to group them somehow in a specific folder. Then you should create a filter like the one in the link. The filter will get anything that matches the pattern /admin/ (suppose your pages will be there).

Inside the filter you just need to add the condition:

if (!admin) {
    // Redirect to anywhere you want
}

You can use something more sophisticated like Spring Security. It will have the logic inside and you just need to set your roles, which I think will be a better solution, but it will take more time if you are not familiar with Spring.

Hope that helps

Upvotes: 0

Braj

Reputation: 46841

You can try the options below.

Yes, you can group the necessary URLs under a single beginning URI that can be filtered by a filter, as suggested above.

It's worth reading The Java EE 6 Tutorial - Security, which explores security concepts and examples.

Upvotes: 1
