Harshit

Reputation: 5157

Spring Web MVC Admin area security

I am trying to implement security for the admin area, where only the admin of the site should be able to access the area, not normal users.

For this purpose, I created a session which contains a class object. Here is the code:

User.java

public class Users
{
    private int userID;
    private String username;
    ..
    ..
    private String userType;

    // getters and setters
}

The variable userType will contain either admin or user. Now the object of the User class will be stored in the session variable.

Whenever I visit

http://localhost:8080/myproject/admin

then I check

if(((Users)session.getAttribute("session_user")).getUserType().equals("admin"))
{
     // Visit admin home page
}

Is this enough to prevent a normal/naughty user from visiting the admin area? If not, what else could I do?

Upvotes: 0

Views: 122

Answers (2)

jbhardwaj

Reputation: 414

You tagged that with spring security but it does not look like you are using it at all. I would suggest not building your own security mechanism but using the available frameworks, and you may want to add role-based URL access for the roles available in your application.

Refer to the following link, which covers the basics and an example: http://en.tekstenuitleg.net/blog/spring-security-with-roles-and-rights

Once you familiarize yourself with the basics, please look deeper into Spring Security before you implement that code for production.

Upvotes: 1

saurabh kumar

Reputation: 164

This would not be a great solution. I would recommend you have a look at the Spring Security documentation. There you have several ways to restrict URLs; for example, you can use

<http use-expressions="true">
    <intercept-url pattern="/admin*"
        access="hasRole('admin')" />
    ...
</http>

to restrict your http://localhost:8080/myproject/admin URL.

Upvotes: 3
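
A fuller form of the rule from the answer above, as an added example that is not part of the original answers: an Ant-style `*` does not cross a `/`, so `/admin*` leaves paths such as `/admin/users` without a rule, while `/admin/**` covers the whole subtree. The bean id `userDetailsService` is a hypothetical name for a bean that loads the question's `Users` record and grants its `userType` as an authority.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Patterns are matched against the path inside the application, so the
       context path (/myproject) is not part of them. Rules are evaluated
       top to bottom and the first match wins. -->
  <http use-expressions="true">
    <!-- Weak form: * stops at the next '/', so this matches /admin and
         /adminX but not /admin/users:
         <intercept-url pattern="/admin*" access="hasRole('admin')" /> -->

    <!-- Corrected form: /admin itself plus everything beneath it. -->
    <intercept-url pattern="/admin" access="hasRole('admin')" />
    <intercept-url pattern="/admin/**" access="hasRole('admin')" />

    <!-- Everything else stays public in this example. -->
    <intercept-url pattern="/**" access="permitAll" />

    <form-login />
    <logout />
  </http>

  <!-- Assumption: a bean with the hypothetical id "userDetailsService" loads
       the Users record and exposes userType as a granted authority.
       Depending on the Spring Security version, hasRole('admin') expects
       the authority "admin" or "ROLE_admin". -->
  <authentication-manager>
    <authentication-provider user-service-ref="userDetailsService" />
  </authentication-manager>
</beans:beans>
```

The rules only take effect once the `springSecurityFilterChain` filter (`org.springframework.web.filter.DelegatingFilterProxy`) is registered in `web.xml` and mapped to `/*`.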
