|
|
Featured White Papers
- Measuring Risk to Improve Java Software Quality
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
-
Graph databases are 1000x faster than relational.
Learn More!
-
Career opportunities at Harman- Careers That'll Rock Your Socks Off.
Learn More!
-
Developer-friendly Java PDF libraries by Qoppa Software
Live Demos
-
Stop blaming your app! Diagnose Java performance issues.
Free tool >
-
UrbanCode: Go From Continuous Integration to
Continuous DeliveryLearn More!
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Solving the logout problem properly and elegantly
Solutions for JSP pages and Struts
Many Web applications do not contain overly confidential and personal information like bank account numbers or credit card data. But some do contain sensitive data that requires some sort of password protection scheme. For example, in a factory where workers must use a Web application for entering timesheet information, accessing their training courses, and reviewing their hourly rates, etc., employing SSL (Secure Socket Layer) would be overkill (SSL pages are not cached; the discussion of SSL is beyond the scope of this article). But certainly these applications do require some kind of password protection. Otherwise, workers (in this case, the application's users) would discover sensitive and confidential information about all factory employees.
Similar examples to the situation above include Internet-equipped computers in public libraries, hospitals, and Internet cafes. In these kinds of environments where users share a few common computers, protecting users' personal data is critical. At the same time, well-designed and well-implemented applications assume nothing about the users and require the least amount of training.
Let's see how a perfect Web application would behave in a perfect world: A user points her browser to a URL. The Web application displays a login page asking the user to enter a valid credential. She types in the userid and password. Assuming the supplied credential is correct, after the authentication process, the Web application allows the user to freely access her authorized areas. When it's time to quit, the user presses the page's Logout button. The Web application displays a page asking the user to confirm that she indeed wants to log out. Once she presses the OK button, the session ends, and the Web application presents another login page. The user can now walk away from the computer without worrying about other users accessing her personal data. Another user sits down at the same computer. He presses the Back button; the Web application must not show any of the pages from the last user's session. In fact, the Web application must always keep the login page intact until the second user supplies a valid credential—only then he can visit his authorized area.
Through sample programs, this article shows you how to achieve such behavior in a Web application.
JSP samples
To efficiently illustrate the solution, this article starts by showing the problems encountered in the Web application, logoutSampleJSP1. This sample application represents a wide range of Web applications that do not handle the logout process properly. logoutSampleJSP1
consists of the following JSP (JavaServer Pages) pages: login.jsp, home.jsp, secure1.jsp, secure2.jsp, logout.jsp, loginAction.jsp, and logoutAction.jsp. The JSP pages home.jsp, secure1.jsp, secure2.jsp, and logout.jsp are protected against unauthenticated users, i.e., they contain secure information and should never appear on the browsers
either before the user logs in or after the user logs out. The page login.jsp contains a form where users type in their username and password. The page logout.jsp contains a form that asks users to confirm that they want to indeed log out. The JSP pages loginAction.jsp and logoutAction.jsp act as the controllers and contain code that carries out the login and logout actions, respectively.
- Feedback
More from JavaWorld
Resources
- Download the code that accompanies this article
http://www.javaworld.com/javaworld/jw-09-2004/logout/jw-0927-logout.zip - "J2EE SecurityContainer Versus Custom," Brian Pontarelli (JavaWorld, July 2004)
http://www.javaworld.com/javaworld/jw-07-2004/jw-0726-security.html - Hypertext Transfer Protocol—HTTP/1.1 (RFC 2616)
http://www.ietf.org/rfc/rfc2616.txt - Caching Tutorial
http://www.mnot.net/cache_docs - HTTP Caching in Mozilla
http://www.mozilla.org/projects/netlib/http/http-caching-faq.html - Opera knowledge baseCache control headers
http://www.opera.com/support/search/supsearch.dml?index=82 - Prevent caching in Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;234067 - JavaWorld has published numerous articles on Struts, including the following
-
- "Struts Best Practices," Puneet Agarwal (September 2004)
- "Jump the Hurdles of Struts Development," Michael Coen and Amarnath Nanduri (April 2003)
- "Boost Struts with XSLT and XML," Julien Mercay and Gilbert Bouzeid (February 2002)
- For more articles on security, browse the Security section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-security-index.shtml - Also, browse the JavaServer Pages (JSP) section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-jsp-index.shtml?
About Us | Advertise | Contact Us | Terms of Service/Privacy | AdChoices
Copyright, 2006-2013 Infoworld, Inc. All rights reserved.
Archived Discussions (Read only)
(