9.2. Web-Based Security

To secure the web site, we need to do the following:

9.2.1. Protecting the Administrative Pages

J2EE provides Declarative Security, so rather than writing code to protect our resources, we can accomplish this through URL patterns and deployment descriptors. If you'll recall, the Car Inventory page (carList.jsp), as shown in Figure 9-1, enables you to view and modify the JAW Motors inventory.

Figure 9-1. JAW Motors Car Inventory page

We also must protect the Add/Edit Car page (carForm.jsp; you see this page when you press the "Add Car" or "Edit" link on the Car Inventory page), shown in Figure 9-2.

Figure 9-2. JAW Motors Add/Edit Car page

We first move carList.jsp and carForm.jsp to a sub-directory under WEB-INF (in the WAR file) called admin to differentiate these protected pages from the public pages. Now our pages in the WAR file look like this:

To access these pages, you would now use this URL as a prefix: http://localhost:8080/ch09/admin/

But we still need to restrict access to the administrative pages by creating security roles and associating them with these URL patterns in web.xml.