
How to secure my Java web application?

I have a web application in which, when users log in, they reach the mainjsp.jsp page.

In this page there are a few text boxes for dates, and based on the dates and a selection from another drop-down, data is submitted. This data is retrieved by a servlet and brought back to the mainjsp page.

My concern is about security. Now when I copy the mainjsp.jsp page's URL and paste it into any browser, this page appears as it is. I don't want this to happen. I want the users to log in first, and hence I want my web application to be secure.

I don't have any idea how to do this. Could you please tell me how I can achieve this?

Also, please tell me how to achieve this for any of the pages in the web application. Users should not be able to access any page if they haven't logged in.

Reuben Kurian asked Mar 13 '12 05:03


2 Answers

You should have form-based authentication. Here is the snippet which should be added to your web.xml:

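<security-constraint>
    <web-resource-collection>
        <web-resource-name>pagesWitUnrestrictedAccess</web-resource-name>
        <description>No Description</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <!-- Without an auth-constraint the container never asks for a login.
         "appuser" is a placeholder role name; use a role from your container's user realm. -->
    <auth-constraint>
        <role-name>appuser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>No Description</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>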


<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>

Some References:

  • Securing Web Applications
  • Securing Java EE 5 Web Applications
  • Declaring Security Requirements in a Deployment Descriptor
Ramesh PVK answered Oct 24 '22 06:10
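
A fuller descriptor for the form-based approach in the answer above, as an added example that is not part of the original answer. It goes beyond the snippet by covering every URL (so the servlet is protected too, not only `*.jsp`) and by requiring HTTPS; the role name `appuser` and the `/static/*` path are assumptions, and the users and their roles come from whatever realm the container is configured with.

```xml
<!-- Added example: fragment to place inside <web-app> in WEB-INF/web.xml. -->

<!-- 1. Everything requires an authenticated user in the "appuser" role
        (assumed role name). No <http-method> is listed on purpose: naming
        methods would leave every unlisted method unprotected. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected-application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>appuser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- CONFIDENTIAL makes the container redirect plain HTTP to HTTPS,
             so credentials and the session cookie are not sent in clear. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- 2. Assets the login page itself needs (assumed to live under /static/).
        A constraint with no <auth-constraint> allows unauthenticated access,
        and the more specific pattern wins over /*. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>public-static-assets</web-resource-name>
        <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<!-- 3. Unauthenticated requests to a protected URL are sent to login.jsp;
        after a successful login the container resumes the original request. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>

<!-- 4. Every role used in an auth-constraint is declared here. -->
<security-role>
    <role-name>appuser</role-name>
</security-role>
```

For FORM authentication the form in login.jsp must POST to `j_security_check` with fields named `j_username` and `j_password`.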


You may check out Shiro to use an out-of-the-box security framework and prevent advanced security tricks in a web environment.

Mike Lue answered Oct 24 '22 05:10