Restrict JSP/Servlet access to specific users only
https://stackoverflow.com/questions/3134228
-
01-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm developing a web app. I'd like to be able to let some friends see it, but not others that stumble upon the url. I was going to put a landing page and then a simple password box. Once the correct password is entered, I'd just record it in the session and expose the site as usual for the rest of the time they keep the browser open.
Is there a standard way to do this? I'd be adding extra code to my webapp to support this, I'm not sure if there's a built-in way to do it already (I'm using java servlets).
Thanks
Solution
You can use container managed authentication using deployment descriptors. This requires no extra code in your side expect of a simple login form with an input and password field which submits to the URL j_security_check. Here's a basic example:
<form action="j_security_check" method="post">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit">
</form>
Assuming that you've private pages in a folder named /private and the above login page is located in /private/login.jsp, then add the following entries to the webapp's web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Private</web-resource-name>
<url-pattern>/private/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>friends</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Private</realm-name>
<form-login-config>
<form-login-page>/private/login.jsp</form-login-page>
<form-error-page>/private/error.jsp</form-error-page>
</form-login-config>
</login-config>
Then, in the servletcontainer which you're using you need to configure a so-called Realm for Private. Since it's unclear which servletcontainer you're using, here's a Tomcat 8.0 targeted document: Realm Configuration HOW-TO. You can configure it to verify the username/password combo against a XML file or a database or even a custom location.
A completely different alternative is to homegrow a login mechanism with help of a Filter which checks the presence of the logged-in user in the session scope. See this and this answer how to achieve this.
OTHER TIPS
You should think about using simple authentication using htaccess
See http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
