An idea to handle Security and Flow of a JSP App.

Discussions

Web tier: servlets, JSP, Web frameworks: An idea to handle Security and Flow of a JSP App.

  1. Hello all :)

      I'd like to run a idea by you all. Firstly, YES, I'm new to this, so if this is a "stupid" idea, keep in mind I'm still learning and would like to hear your words of wisdom.

      My idea is a way to control security and the flow of a JSP site. So, I thought that it would be a "good" idea to have the ONE central JSP file, say index.jsp and in this file have something like:

    <jsp:useBean id="mySession" scope="session" class="myApp.bean.beanSession" />

    <% if ( mySession.getLoggedIn() == false ) { %>
    <%@ include file="login.jsp" %>
    <% } else { %>

    <% if ( mySession.getFlow() == 1 ) { %>
    <%@ include file="mainmenu.jsp" %>
    <% } %>
    <% if ( mySession.getFlow() == 2 ) { %>
    <%@ include file="submenu1.jsp" %>
    <% } %>

    <% } %>


    So, the idea is that this ONE jsp page is ALWAYS called. The security is checked EVERYTIME, but this shouldn't slow the program down, and that leaves the flow, which is controled by a Flow number. Each page is given a number and can be accessed by the method setFlow in the mySession bean.

    So, what do you lot think? is this ok? I don't need something complicated and I thought this would be simple to implement?!?!

    Thanks in advance for all your words of wisdom,

    Eric.
  2. Eric,

    The best way to handle this is to create a new JSP class. You can call it 'ProtectedJSP'. Make this ProtectedJSP class implement all of the security checking that you want.

    You should also know that this 'ProtectedJSP' is not an actual JSP class. Rather, it is a class which extends the BaseJSP class of your container. See your container's documentation for details.

    Then, for all of the JSPs you want to be protected, have them EXTEND your ProtectedJSP. By doing this, all of your JSPs will automatically inherit the functionality of the ProtectedJSP. Same thing goes for Servlets.

    Creating custom BaseJSPs is a wonderful way to abstract out functionality common to many JSPs... without having to code it in each JSP itself.

    This is a much more sensible, object-oriented approach to JSP/Servlet protection.

    Regards,

    Rick
  3. Rick,

      Thanks for you wisdom. Just a quick question. I know how to extend my servlets and other normal classes, but I'm unsure as to what you mean by extending my JSP classes? When you say JSP class do you mean bean??? If not, I have no idea (at the moment) how to "extend" a JSP (JavaServer Pages). As far a I know (knew) a JSP is just an advance HTML file (basically), how do I extend that????

      Sorry, if this question is WAY stupid or something, but I gotta admit that I am terrable with terminology!

    Thanks in advance,

    Eric
  4. Eric,

    Here's a very tiny example of JSP extension. Its small... but it should demonstrate the point. I cannot vouch if it will compile perfectly... I wrote this on the fly, here.

    But this is what I do on my projects when I need to do this kind of thing.

    If you have any more questions, just let me know.

    Best of luck,

    Rick


    -- HelloWorld.jsp --

    <%@ page extends="mypackage.ProtectedJSP" %>
    <html>
    <head><title>Hello World</title></head>
    <body>
      <h2>Hello World!</h2>
    </body>
    </html>


    -- ProtectedJSP.java --

    package mypackage;

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import javax.servlet.jsp.*;

    /**
     * This class should be extended by all JSPs wanting to be protected.
     *
     * @author Rick Grashel
     */

    public abstract class ProtectedJSP extends HttpServlet implements HttpJspPage
    {
        private final static LOGIN_JSP_URL = "./login.jsp";
        private final static NOT_AUTHORIZED_URL = "./not_authorized.jsp";
        private ServletConfig iConfig = null;

        public final void init(ServletConfig aConfig) throws ServletException
        {
            iConfig = aConfig;
            jspInit();
        }

        public final ServletConfig getServletConfig()
        {
            return iConfig;
        }

        public String getServletInfo()
        {
            return "This is a protected JSP Servlet";
        }

        public final void destroy()
        {
            jspDestroy();
        }

        public final void service(HttpRequest aRequest, HttpResponse aResponse) throws ServletException, IOException
        {
            HttpSession lSession = request.getSession(true);

            String lUserID = (String)lSession.getValue("userid");
            
            if (lUserID == null)
            {
                // User isn't logged in. Redirect them to the login page
                aResponse.sendRedirect(LOGIN_JSP_URL);
                return;
            }

            String lRequestedJSPName = aRequest.getRequestURI();

            // This method call checks the security. You'll have to write this (or something like it)
            boolean lHasAccess = checkSecurity(lUserID, lRequestedJSPName);
            
            if (!lHasAccess)
            {
                // If they don't have access, redirect them to the unauthorized page.
                lResponse.sendRedirect(NOT_AUTHORIZED_URL);
                return;
            }

            // If they get here, the coast is clear.
            _jspService(aRequest, aResponse);
        }


        // Gotta implement this, but we'll do it as abstract since
        // JSP containers implement this by default.
        public abstract void _jspService(HttpServletRequest aRequest, HttpServletResponse aResponse) throws ServletException, IOException;
        
        // Gotta implement these guys. They're useful sometimes... but not often.
        // Depends on the situation

        public void jspDestroy() {}
        public void jspInit() {}
    }
  5. Rick,

      Wow, thanks for all that example code. I now have a better idea of what is going on, thanks. I didn't know about that <%@ page extents="..." %> tag.

    Thanks again,

    Eric