tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pete <p...@claudia.dyn.dhs.org>
Subject Re: Programmatic security with servlet mappings in tomcat
Date Mon, 02 Jul 2001 23:00:06 GMT
Tim,

there are several ways to implement this kind of security check. If you 
want a fullblown MVC model, you might consider looking at Struts or one 
of the other Apache-driven frameworks (Struts is the only one i have 
personal experience with).

with the example you give, i don't understand the need for a 
'controller' jsp in this context.

The way i handle security in one of my apps is that i have a method in a 
session-bean (public void isAuthenticated()) that checks the user has a 
valid login, so all my jsps (except login.jsp) are wrapped in a 
statement like

<jsp:useBean id="Authentication" scope="session" 
class="com.mycompany.authentication"></jsp:useBean>


<%if (Authentication.isAuthenticated())
{%>

.... rest of JSP goes here

<%}
else
{
response.sendRedirect("./login.jsp");
}
%>

If a valid session key is already assigned, the method returns true. If 
username and password are supplied in request scope, isAuthenticated 
does a lookup to our authentication database, and if successful, sets a 
valid session key, and returns true.

If neither of these are true, isAuthenticated sets a 'you are not 
authenticated' message to be displayed by login.jsp,  returns false, and 
the user is redirected back to login.jsp

In our struts projects, we have a custom tag library that checks 
authentication details, so its even simpler than the above.

This example lacks exhaustive detail, but it is pretty easy to implement 
a security model like this. There are a number of foibles you can make, 
however. I'd tell you what they are, but that would spoil your fun now, 
wouldn't it ;)

Hope that helps

-Pete




> Hi,
> 
> (Tomcat 3.2.1, windows 2000, JdK1.3.1)
> 
> I want to use a Request Controller architecture for a webapp (i.e. one JSP
> that receives all requests and then dispatches the requests to other JSPs
> for servicing of the request). Of course I want to ensure that these
> "servicing" JSPs are not accessible without passing through the controller
> jsp. Is a secure solution to this problem to use a servlet mapping of the
> following form in web.xml:
> 
> <web-app>
> 
> <servlet>
> <servlet-name>controller</servlet-name>
> <jsp-file>controller.jsp</jsp-file>
> </servlet>
> 
> 
> <servlet-mapping>
> <servlet-name>controller</servlet-name>
> <url-pattern>/*</url-pattern>
> </servlet-mapping>
> 
> </web-app>
> 
> 
> And to include in Controller.jsp a session bean for each user to check
> whether they have logged on to the site before forwarding their request to
> the "servicing" JSP.
> 
> I have tried this out "empirically" myself and it seems to work but I would
> quite like a "theoretical" confirmation that this is secure and that this
> solution makes it impossible for a malicious user to get access to the
> "servicing" JSPs (without passing through Controller.jsp which will force a
> logon).
> 
> Thanks.
> 
> Tim.
> 
> 
> This message contains information that may be privileged or confidential and is the property
of the Cap Gemini Ernst & Young Group. It is intended only for the person to whom it is
addressed. If you are not the intended recipient, you are not authorized to read, print, retain,
copy, disseminate, distribute, or use this message or any part thereof. If you receive this
message in error, please notify the sender immediately and delete all copies of this message.




Mime
View raw message