Access control and JSPs
We are trying to do access control with JSPs (JavaServer Pages), but we don't want to block access to everything. How do we do it so that some of the important info is hidden from some users, but the non-important things are available to all? Or is this even a good idea? We are new at this. Thank you.


Absolutely, it is very important to enforce controlled access to the deployed Web content and its associated resources based on user privileges and resource policies specified within your Java EE Web environment. In general, JSPs/Servlets (or Web components) adopt Java EE (J2EE) Web container role-based authorization mechanisms to restrict access control for Web components and their associated resources. Controlling access to resources from a JSP Web component can be done in several ways using both declarative and programmatic authorizations.

Declarative authorization uses the Web application deployment descriptor <security-constraint> element and its <auth-constraint> sub-element for determining who is authorized and to determine access protection of resources such as URL patterns and HTTP methods. These security constraints apply only to the original Web application request URI initiated by the caller, and not to requests passed internally via a RequestDispatcher (which includes <jsp:include> and <jsp:forward>). This means that, inside the Web application, the application has control over all required resources. It would not forward a user's request to access a resource unless the requesting user had privileges to access them. In addition, the Web container checks to see if the authenticated user belongs to one of the roles defined in the <auth-constraint> tag of the deployment descriptor. If the user does not belong to the specified roles for the resource, the request will be terminated with an error message.

Programmatic authorization uses selected methods of the HttpServletRequest interface, such as getRemoteUser(), isUserInRole(role) and getUserPrincipal(), for controlling access to Web resources. Programmatic access control is good for setting dynamic access control rules within a Web application, multi-role access and content-level authorization. It also can be mapped to the declarative mechanisms if the calling user's role is defined in a <role-name> element of the deployment descriptor. This helps to check whether the user accessing the Web application is privileged to launch a specific role-based action, view content, etc.

In addition to the above core authorization mechanisms, there are several design and implementation strategies for enforcing content-level authorization strategies using JAAS authorization, Filters and JSP Custom Tag libraries. I would also suggest taking a look at the Authorization Enforcer design pattern described in Core Security Patterns.
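As an added example (not part of the original answer), here is a JSP that combines the two mechanisms described above: the container enforces a declarative <security-constraint> on a URL pattern, and the page itself uses getRemoteUser() and isUserInRole() to show or hide individual sections of otherwise public content. The web.xml fragment in the comment, the role names ("manager", "employee") and the paths are assumptions made up for this example.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%--
  Constructed example page. It assumes the application's web.xml declares the
  roles and already protects the sensitive URL space declaratively, e.g.:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Payroll</web-resource-name>
        <url-pattern>/payroll/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint><role-name>manager</role-name></auth-constraint>
    </security-constraint>
    <login-config><auth-method>FORM</auth-method>
      <form-login-config><form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?failed=1</form-error-page></form-login-config>
    </login-config>
    <security-role><role-name>manager</role-name></security-role>
    <security-role><role-name>employee</role-name></security-role>

  The role names, paths and page content are all made up for this example.
--%>
<html><body>
<h1>Employee directory</h1>
<%-- Public part: rendered for everyone, authenticated or not. --%>
<p>Office phone list and building map go here.</p>

<%-- getRemoteUser() returns null until the container has authenticated the caller. --%>
<% if (request.getRemoteUser() == null) { %>
  <p><a href="<%= request.getContextPath() %>/login.jsp">Log in</a> to see more.</p>
<% } else { %>
  <p>You are signed in.</p>

  <%-- Content-level (programmatic) check: only the "manager" role sees this block.
       isUserInRole() consults the same roles declared in web.xml. --%>
  <% if (request.isUserInRole("manager")) { %>
    <h2>Payroll (managers only)</h2>
    <a href="<%= request.getContextPath() %>/payroll/summary.jsp">Salary summary</a>
  <% } else { %>
    <p>Your role does not include payroll access.</p>
  <% } %>
<% } %>
</body></html>
```

Hiding the link is presentation, not protection: the /payroll/* <security-constraint> is what makes the container refuse a direct request for summary.jsp from a non-manager, so keep both the page-level check and the URL-level constraint.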


This was first published in February 2007