I don't whether this is a right place to ask this question. Since I am working on web app, I decided to post here.
I am wondering if there is any pattern ( security) that deals with whether a user has an access to certain page(s) ( certain sandbox sections that requires extra privilges or super roles ).
Almost every part of the web app now have one or more patterns/frameworks. For example validation, there are some validation framework avaliable from Commons, Struts and etc.
If there is something for security, please let me know. Otherwise I guess I might have to create something smiliar.
Well ... for J2EE applications, page-based security has been part of the Servlet standard since Servlet 2.2. You specify the security roles that are allowed to access particular URLs in the standard web.xml configuration file. This is not really a "pattern", since it is part of the specifications.
If you want patterns, the only one that I might note is that these days, people tend to implement custom security (non-standard) using Filters and the servlet session, but I admit that it pretty general.
Many ways to skin that cat, Filters are great and if you have access to Interceptors they work great too for security. The interceptor "intercepts" all calls to a Action/Command and checks if the user has permission to access the page. This is a good pattern when using the Front Controller Pattern solution like Struts or WebWork. For Page Controller implemenation placing your jsp's in your web-inf is good too.
Thanks for the replies guys.
I belive we all have implemented some custom mechanism to restrict access to the pages in the web apps. I have done that too. Since most of the web app requires some level security whether its just a page level or entire section.
I was wondering if there is configurable framework based on the command/action to access the page. You might specify actions/commands in a configuration file and probably possible roles with the command/action and depending on the user's roles, the user may or may not get an access.
The custom implementation idea sounds good and i have done that plenty of time. I am looking for standardized way to give access to parts of the application and which you would be resuable. If there is none, I think might have start writing one.
All the Java web security models I have seen fall into one of these three categories:
1) Based on the J2EE standard security defined in the web.xml file
2) Incorporated as part of a larger framework (e.g. Struts)
3) Totally customized (non-generic)
If you want to build a web-security framework that is (a) generic, (b) not based on the J2EE standard and (c) not part of a larger framework, this would be something totally new. If you did decide to build something like that, filters would probably be the best way to do it. I am not sure it would be any better than just using the J2EE standard security model, though.
Any samples on the implementation of the same..
Thansk in advance.