Problem solve Get help with specific problems with your technologies, process and projects.

Access control and JSPs

Access control is an important security measure, but managing authorization can be difficult. Expert Ramesh Nagappan explains how to enforce access control with JSPs (Java Server Pages).

We are trying to do access control with JSPs (Java Server Pages), but we don't want to block access to everything. How do we do it so that some of the important info is hidden from some but not important things are available? Or is this even a good idea? We are new at this. Thank you.

Absolutely, it is very important to enforce controlled access to the deployed Web content and its associated resources based on user privileges and resource policies specified within your Java EE Web environment. In general, JSPs/Servlets (or Web components) adopt Java EE (J2EE) Web container role-based authorization mechanisms to restrict access control for Web components and their associated resources. Controlling access to resources from a JSP Web component can be done in several ways using both declarative and programmatic authorizations.

Declarative authorization uses the Web application deployment descriptor <security-constraint> element and its <auth-constraint> sub-element for determining who is authorized and to determine access protection of resources such as URL patterns and HTTP methods. These security constraints work only if the original Web application request URI initiated by the caller via a RequestDispatcher (which include <jsp:include> and <jsp:forward>). This means that the inside the Web application, the application has control over all required resources. It would not forward a user's request to access a resource unless the requesting user had privileges to access them. In addition, the Web container checks to see if the authenticated user belongs to one of the roles defined in the <auth-contraint> tag of the deployment descriptor. If the user does not belong to the specified roles for the resource, the request will be terminated with an error message.

Programmatic authorization uses selected methods in the HTTPServletRequest interface such as getRemoteUser(), IsUserInRole(role) and getUserPrincipal() methods for controlling access to Web resources. Programmatic access control is good for setting dynamic access control rules within a Web application, multi-role access and content-level authorization. It also can be mapped to the declarative mechanisms if the calling user is defined in the <role-name> element of the deployment descriptor. This helps to check whether the user access to the Web application is privileged to launch a specific role-based action or viewing content etc.

In addition to the above core authorization mechanisms, there are several design and implementation strategies for enforcing content-level authorization strategies using JAAS authorization, Filters and JSP Custom Tag libraries. I would also suggest taking a look at the Authorization Enforcer design pattern described in Core Security Patterns.

More information:

Dig Deeper on Topics Archive

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.