9.2. Web-Based Security
To secure the web site, we need to do the following:
9.2.1. Protecting the Administrative Pages
J2EE provides Declarative Security, so rather than writing code to protect our resources, we can accomplish this through URL patterns and deployment descriptors. If you'll recall, the Car Inventory page (carList.jsp), as shown in Figure 9-1, enables you to view and modify the JAW Motors inventory.
Figure 9-1. JAW Motors Car Inventory page
We also must protect the Add/Edit Car page (carForm.jsp; you see this page when you press the "Add Car" or "Edit" link on the Car Inventory page), shown in Figure 9-2.
Figure 9-2. JAW Motors Add/Edit Car page
We first move carList.jsp and carForm.jsp to a sub-directory under WEB-INF (in the WAR file) called admin to differentiate these protected pages from the public pages. Now our pages in the WAR file look like this:
To access these pages, you would now use this URL as a prefix: http://localhost:8080/ch09/admin/
But we still need to restrict access to the administrative pages by creating security roles and associating them with these URL patterns in web.xml.
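As an added illustration (not the book's own listing), here is the shape such a web.xml fragment takes. The only value taken from the text is the /admin/ URL prefix; the role name Manager, the BASIC authentication method and the realm name are assumptions, so substitute whatever your deployment uses. The fragment goes inside the <web-app> element of the WAR's WEB-INF/web.xml.

```xml
<!-- Added example, not from the book. Everything under /admin/ (carList.jsp,
     carForm.jsp, and any admin page added later) is covered by one URL pattern,
     so a new page cannot be forgotten the way a per-file pattern could be. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrative pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- Deliberately no <http-method> elements: with none listed the
         constraint applies to every HTTP method. Listing only GET and POST
         would leave the remaining methods unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only callers holding this role may reach the admin pages.
         "Manager" is an assumed role name. -->
    <role-name>Manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- How the container challenges an unauthenticated caller.
     BASIC and the realm name are assumptions, not the book's choice. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JAW Motors Admin</realm-name>
</login-config>

<!-- Every role named in an <auth-constraint> must also be declared here,
     otherwise the descriptor is invalid. -->
<security-role>
  <role-name>Manager</role-name>
</security-role>
```

A quick check after deploying: request http://localhost:8080/ch09/admin/carList.jsp without credentials and confirm the container answers with an authentication challenge instead of the page, then repeat with an account that lacks the role and confirm it is refused. The constraint is matched on the request path, so it protects the pages only when they are reached through the /admin/ prefix; a public page that forwards to them server-side is not covered and should be reviewed separately.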