I have overridden the method RequestProcessor.processPreprocess() in order to block 
users trying to access the resources of the website I am developing without logging in.  

This is how I have done it:

protected boolean processPreprocess(HttpServletRequest request,
                                    HttpServletResponse response) {

    System.out.println("Preprocess");

    boolean continueProcessing = true;
    // getSession(false): do not create a session if none exists
    HttpSession session = request.getSession(false);

    // Requests carrying submit=Login are let through unconditionally
    String loginParamValue = (String) request.getParameter("submit");
    if ("Login".equals(loginParamValue) == true) {
        System.out.println("Logging in");
        continueProcessing = true;
    }
    else if (session == null) {
        System.out.println("session null");
        continueProcessing = false;
    }
    else if (session.getAttribute(Globals.USER_INFO_BEAN) == null) {
        System.out.println("User bean not available");
        continueProcessing = false;
    }

    // Send unauthenticated requests to the "unauthorized" forward
    if (continueProcessing == false) {
        ForwardConfig forward = appConfig.findForwardConfig("unauthorized");
        try {
            response.sendRedirect(forward.getPath());
        }
        catch (Exception ex) {
            System.out.println("Ex: " + ex.getMessage());
        }
    }

    return continueProcessing;
}

I had to write the first "if" statement so that the user trying to login could 
at least pass through.  In its absence no one will ever be able to pass through, 
since either the session object will be null or the user info bean will not be present 
in the session object.  The user info bean gets created and set after a user is 
successfully authenticated by the system.  

Now the problem with this approach is that a smart user can still get to a secure page by 
passing the submit parameter along with the URL as follows: 

http://localhost:8080/sci-dam/manageUsers.do?submit=Login

Obviously the technique I am using is not secure at all. 

I would like to get your opinion on what some of the methods are that I can use with 
the combination of Struts, Tomcat and Apache to secure a website on the Internet.   

This is my first time implementing security on a website.  

I will really appreciate any help I can get. 

Jamal
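
Added example, not part of the original post and not Struts code: the decision logic from processPreprocess() above, next to a variant that exempts requests by the resource they ask for instead of by a client-supplied parameter. The class name, the public paths (/login.jsp, /login.do, /unauthorized.jsp) and the sample requests are assumptions made for illustration.

```java
import java.util.Set;

public class PreprocessGate {
    // Assumption: the only resources reachable without a logged-in session.
    static final Set<String> PUBLIC_PATHS =
        Set.of("/login.jsp", "/login.do", "/unauthorized.jsp");

    // Logic from the post: any request with submit=Login is let through,
    // whichever resource it asks for.
    static boolean originalCheck(String submitParam, boolean hasSession, boolean hasUserBean) {
        if ("Login".equals(submitParam)) return true;
        return hasSession && hasUserBean;
    }

    // Variant: the exemption depends on the requested path (for example the
    // value of request.getServletPath()), matched exactly against an allowlist.
    // Everything else, including a null path, needs the user bean in the session.
    static boolean pathBasedCheck(String servletPath, boolean hasSession, boolean hasUserBean) {
        if (servletPath != null && PUBLIC_PATHS.contains(servletPath)) return true;
        return hasSession && hasUserBean;
    }

    public static void main(String[] args) {
        // Constructed requests: {servlet path, submit parameter, logged in?}
        Object[][] requests = {
            {"/manageUsers.do", "Login", false}, // the URL from the post
            {"/manageUsers.do", null,    false}, // anonymous, no parameter
            {"/login.do",       "Login", false}, // a real login attempt
            {"/manageUsers.do", null,    true},  // authenticated user
        };
        for (Object[] r : requests) {
            String path = (String) r[0];
            String submit = (String) r[1];
            boolean loggedIn = (Boolean) r[2];
            System.out.printf("%-16s submit=%-5s loggedIn=%-5b original=%-5b pathBased=%b%n",
                path, submit, loggedIn,
                originalCheck(submit, loggedIn, loggedIn),
                pathBasedCheck(path, loggedIn, loggedIn));
        }
    }
}
```

The first constructed request is the only one where the two checks disagree: the parameter-based check admits it, the path-based check sends it to the unauthorized page.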
