How to secure my java web application?


Solution 1

You should have form-based authentication. Here is the snippet which should be added to your web.xml:

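<security-constraint>
    <web-resource-collection>
        <web-resource-name>pagesWitUnrestrictedAccess</web-resource-name>
        <description>No Description</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <!-- Without an auth-constraint the container serves these pages to
         anyone and the login form is never shown. "user" is a placeholder
         role name; use a role that exists in your container's realm. -->
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>No Description</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Declares the placeholder role referenced by the auth-constraint. -->
<security-role>
    <role-name>user</role-name>
</security-role>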


<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>
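
A fuller web.xml fragment for the asker's goal of requiring login for every page, added here as an example and not part of the original answer. It goes beyond the snippet above by covering all URLs rather than only *.jsp; the role name `user` and the `/public/*` path are assumed placeholders, and the session-config elements assume a Servlet 3.0 or later container.

```xml
<!-- Added example; place inside <web-app>. "user" and "/public/*" are
     placeholders (assumptions), not values from the original answer. -->

<!-- 1. Every URL requires a logged-in user in the "user" role.
     "/*" also covers servlets, which a "*.jsp" pattern does not. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protectedApplication</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- CONFIDENTIAL makes the container require HTTPS, so the
             password and session cookie are not sent in clear text. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- 2. Static assets used by the login page. A constraint with no
     auth-constraint allows access without login, and the best-matching
     url-pattern ("/public/*") is the one the container applies. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>publicAssets</web-resource-name>
        <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <!-- The form on this page must POST the fields j_username and
             j_password to the container action j_security_check. -->
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
<!-- 3. Keep the session id in a cookie that scripts cannot read and that
     is only sent over HTTPS, and never place it in the URL. -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

The user accounts and their role membership are defined in the container's realm, not in web.xml, so the `user` role must also exist there.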


Solution 2

You may check out Shiro to use an out-of-the-box security framework and prevent advanced, tricky security issues in a web environment.

Author: Reuben Kurian

Updated on February 03, 2020

Comments

  • Reuben Kurian about 4 years

    I have a web application in which, when users log in, they reach the mainjsp.jsp page.

    In this page there are a few text boxes for dates, and based on the dates and a selection from another drop-down, data is submitted. This data is retrieved by a servlet and brought back to the mainjsp page.

    My concern is about security. Now when I copy the mainjsp.jsp page's URL and paste it into any browser, this page appears as it is. I don't want this to happen. I want the users to log in first, and hence I want my web application to be secure.

    I don't have any idea how to do this. Could you please tell me how I can achieve this?

    Also, please tell me how I can achieve this for any of the pages in the web application. Users should not be able to access any page if they haven't logged in.