In case you're lazy, I'm posting my filter class... it isn't great... but does the work... (Everything in Spanish :-D)
///////////// Code Begins Here /////////////////
/*
 * Created on 20-May-2004
 *
 * (c) 2004, Computadores Flor Hard Soft 2058 C.A.
 * ---- Caracas, Venezuela ----
 */
package com.florhard.motrum.filtros;

import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;

/**
 * @author John Villar
 * Filter that prevents the user from performing actions in the system
 * without having logged in.
 */
public class FiltroLogin implements Filter {

    public void init(FilterConfig arg0) throws ServletException {
        // nothing to do
    }

    public void doFilter(
        ServletRequest request,
        ServletResponse response,
        FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpr = ((HttpServletRequest) request);
        String sURI = httpr.getServletPath();

        // Session bean stored at login; null until the user has logged in.
        com.florhard.motrum.beans.Sesion sesion =
            (com.florhard.motrum.beans.Sesion) httpr.getSession().getAttribute(
                "objeto_sesion");

        // Pages reachable without a session. indexOf(...) == 0 is a prefix
        // test: any servlet path that starts with the string passes.
        boolean condicionIndex = sURI.indexOf("/index.jsp") == 0;
        boolean condicionVerifica = sURI.indexOf("/verificarClave.jsp") == 0;
        boolean condicionRoot = sURI.equals("/");
        // Everything else requires a logged-in session.
        boolean condicionSesion = (sesion != null) && (sesion.isLogeado());

        if (condicionIndex || condicionVerifica || condicionRoot || condicionSesion) {
            chain.doFilter(request, response);
        } else {
            // Not logged in: send the user to the login error page.
            ((HttpServletResponse) response).sendRedirect(
                httpr.getContextPath() + "/errorInicioSesion.html");
            return;
        }
    }

    public void destroy() {
        // nothing to do
    }
}
///////////// Code Ends Here ///////////////////
If anyone does find a vulnerability here, I would be glad to receive your observations on john.villar (at) florhard.com

Patrick Herber wrote:
Hi,
I need to implement a custom authorization for a web application, where the access to the different resources is defined inside a database table with some sort of rules, also using regular expressions.
I would like to know if the only method to do this is programmatically, implementing - for example - a "SecurityFilter", which catches every request, or extending the service() method of the default Servlet of the application with the necessary code, or if there is another "more standard" way to do it (perhaps using a Tomcat Valve or something similar).
Thanks a lot for your precious help.
Best regards
Patrick
Patrick Herber
Zürich (Switzerland)
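
Added example, not part of either message above and not the poster's code: one way the database-defined regex rules asked about in the question could be evaluated from a filter such as FiltroLogin. The class, rule rows and role names are hypothetical; the rows are constructed inline in place of a database query, each regex has to match the whole servlet path, and a path that matches no rule is denied.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added example: rule lookup that a login/authorization filter could call.
public class AccessRules {
    // One rule = one row of a (hypothetical) rules table: path regex + required role.
    // A null role marks the resource as public (no login needed).
    static final class Rule {
        final Pattern pattern;
        final String role;
        Rule(String regex, String role) {
            this.pattern = Pattern.compile(regex);
            this.role = role;
        }
    }

    // Constructed sample rows; a real application would load these from the database.
    static final List<Rule> RULES = Arrays.asList(
        new Rule("/", null),
        new Rule("/index\\.jsp", null),
        new Rule("/verificarClave\\.jsp", null),
        new Rule("/admin/.*", "admin"),
        new Rule("/.*\\.jsp", "usuario"));

    // First matching rule wins. matches() anchors the regex to the whole path,
    // so "/index.jsp.bak" does not match the "/index\.jsp" rule.
    static boolean isAllowed(String servletPath, Set<String> roles) {
        for (Rule r : RULES) {
            if (r.pattern.matcher(servletPath).matches()) {
                return r.role == null || (roles != null && roles.contains(r.role));
            }
        }
        return false; // default deny: no rule, no access
    }

    public static void main(String[] args) {
        Set<String> anon = null; // not logged in
        Set<String> user = new HashSet<>(Collections.singletonList("usuario"));
        String[] paths = { "/", "/index.jsp", "/index.jsp.bak",
                           "/reporte.jsp", "/admin/x.jsp", "/datos.xml" };
        for (String p : paths) {
            System.out.printf("%-16s anon=%-5b usuario=%b%n",
                p, isAllowed(p, anon), isAllowed(p, user));
        }
    }
}
```

Rule order matters here: the "/admin/.*" row has to come before the general "/.*\.jsp" row, otherwise a plain "usuario" role would satisfy admin pages.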