The JSP Files (part 6): State Of Grace
By: Vikram Vaswani and Harish Kamath, (c) Melonfire
    2001-03-26

    Table of Contents:
  • The JSP Files (part 6): State Of Grace
  • Wasted, Dude!
  • A Few Ground Rules
  • Learning To Write...
  • ...And Read
  • What's In A Name?
  • Plan B
  • Session Dissection
  • Access Denied

    The JSP Files (part 6): State Of Grace - Access Denied


    (Page 9 of 9 )

    Here's another simple example which demonstrates some of the methods above, and also illustrates how JSP sessions can be used to protect Web pages with sensitive information.

    This example presents a form ("start.html") asking for your name, and takes you to a new page ("login.jsp") once you submit the form. "login.jsp" stores the name you entered in a session, and offers a link to "rootshell.jsp", which is the sensitive file to be protected.

    So long as the session is active and holds a username, any attempt to access the page "rootshell.jsp" will succeed. On the flip side, if no such session exists, any attempt to access "rootshell.jsp" by bypassing the initial form will fail, and the user will be redirected to "start.html".

    This is a relatively primitive example (it never checks a password; it only checks that the login step was performed), but it serves to demonstrate one of the more common uses of session variables.

    All the redirection in this example is accomplished using the Response object (you remember this, don't you?)

    <html>
    <head>
    <basefont face="Arial">
    </head>
    <body>
    <!-- start.html -->
    <form action="login.jsp" method="post">
    <table>
    <tr>
    <td>Your name</td>
    <td><input type="text" name="username">
    <input type="submit" value="Click me"></td>
    </tr>
    </table>
    </form>
    </body>
    </html>

    Once the form is submitted, "login.jsp" takes over.

    <html>
    <head>
    <basefont face="Arial">
    </head>
    <body>
    <%
    // login.jsp
    // get the form variable
    String username = request.getParameter("username");

    // store it in the session (the implicit "session" object is created
    // for you if it does not exist yet; setAttribute() replaces the
    // deprecated putValue())
    session.setAttribute("username", username);

    // set a timeout period: the session is discarded after 300 seconds
    // without a request
    session.setMaxInactiveInterval(300);

    // display a link to the protected file
    out.println("Thank you for using this service.");
    out.println("Click <a href=\"rootshell.jsp\">here</a> for root access");
    %>
    </body>
    </html>

    And here's the top-secret page.

    <html>
    <head>
    <basefont face="Arial">
    </head>
    <body>
    <%
    // rootshell.jsp
    // get the username from the session (getAttribute() replaces the
    // deprecated getValue()); null means the login step was never done
    String username = (String)session.getAttribute("username");

    // if null, security breach! sendRedirect() sets the 302 status and the
    // Location header together; setting the header by itself would still
    // serve the protected page with a 200 status. The return stops the
    // rest of the page from being written.
    if (username == null) {
        response.sendRedirect("start.html");
        return;
    }

    // the name came from the user, so escape it before echoing it into HTML
    String safeName = username.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    %>
    Welcome to your root shell, <b><%= safeName %></b>!
    <p>
    Your session ID is <%= session.getId() %>
    <p>
    This session will expire in <%= session.getMaxInactiveInterval() %> seconds.
    </body>
    </html>
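    The access check above lives inside "rootshell.jsp" itself, so every protected page would have to repeat it. The following is an added example (not code from the original article) that moves the same check into a servlet filter and tightens the login step: it refuses a blank name, starts a fresh session at login so a session ID planted before login never becomes the authenticated one, and never creates a session for an anonymous visitor. It assumes a Servlet 3.0 or later container, that the protected pages are mapped under /secure/, and that the form still posts a field named "username"; the /login URL and the class names are illustrative.

```java
// ---- File: AccessFilter.java (added example; assumes the Servlet 3.0+ API) ----
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Runs before every request to /secure/*, so rootshell.jsp and any other
// page placed there no longer needs its own copy of the check.
@WebFilter("/secure/*")
public class AccessFilter implements Filter {
    // Session attribute written by LoginServlet below.
    static final String USER_ATTR = "username";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null instead of creating a session, so an
        // anonymous probe of a protected URL does not mint an empty session
        // (the implicit "session" object in a JSP would have created one).
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // 302 plus Location in one call; the protected page is never generated.
            response.sendRedirect(request.getContextPath() + "/start.html");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}

// ---- File: LoginServlet.java (added example; stands in for login.jsp) ----
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String username = request.getParameter("username");

        // A blank field is not null, so a null check alone would let ""
        // through; treat missing and blank the same way.
        if (username == null || username.trim().isEmpty()) {
            response.sendRedirect(request.getContextPath() + "/start.html");
            return;
        }
        // A real login verifies a password or other credential at this point,
        // before anything is written to the session.

        // Discard whatever session the browser arrived with and start a fresh
        // one, so a session ID fixed before login never becomes the
        // authenticated one (Servlet 3.1+ can use request.changeSessionId()).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(AccessFilter.USER_ATTR, username.trim());
        session.setMaxInactiveInterval(300);   // same 5-minute idle timeout as login.jsp

        response.sendRedirect(request.getContextPath() + "/secure/rootshell.jsp");
    }
}
```

    With the filter in place, "rootshell.jsp" only has to read the attribute and escape it before display. The session cookie itself should also be marked HttpOnly and Secure, which in a Servlet 3.0 container is done in web.xml under session-config / cookie-config rather than in page code.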

    To test this, first log in and find your way to "rootshell.jsp" - you should have no trouble accessing it. Then close the browser, start it up again, and try to get to "rootshell.jsp" without going through the login process; you should be automatically redirected to the login page. This works because the session ID travels in a cookie (JSESSIONID by default) that the browser discards when it exits; waiting out the 300-second timeout, or deleting that cookie by hand, gives the same result.

    And that's about it. You should now have a pretty clear idea of how JSP attempts to solve the "stateless protocol" problem, together with some understanding of how to create and use both client-side cookies and server-side sessions. Bear in mind that the example above only proves that the visitor passed through the login form: a real login page must verify a credential before it writes anything to the session, should issue a new session ID once the user is authenticated, and must escape user-supplied values such as the name before echoing them back into HTML. Go practice!
    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway