How can I restrict access to a page to authorized users only?

It might seem easy to add an ‘Authorized’ value to the Session bean for an application developed with NetBeans Visual Web Pack. In this case each protected page could check that value, and send the user elsewhere if it wasn't set. But it can be tedious to put that sort of check into every page bean. Two commonly implemented approaches in Java platform based web apps – not unique to NetBeans applications – are:

  • Container Managed Security – container managed security enables you to declare security constraints that are mapped to URLs within the web app, and basically state that "in order to access this URL, you must be logged in and possess this particular authorization role." If a user who is not logged in tries to access that link, the container makes them log in first, before displaying the requested page. Any competent book that covers the servlet API should include information on how this is set up.
  • Servlet Filter – a servlet filter can be used to simulate the same functionality, but in this case it is part of the application instead of part of the container. There is an open source package that achieves this functionality called "SecurityFilter" (available at SourceForge). Setup documentation is included.

The advantage of either of these approaches is that the authentication and authorization checks are centralized in one place, so a check cannot be forgotten on a particular page. The SecurityFilter API is modeled after container managed security, making it easy to design web pages that can work with either system.

A quirk of applications based on JavaServer Faces (JSF) technology (including those built with NetBeans) is that you need to protect pages with /faces/* or *.faces URLs, not *.jsp URLs. That's because the actual request for, say, the Admin.jsp page is really directed to /faces/Admin.jsp (if prefix mapping is used) or /Admin.faces (if extension mapping is used).

Use getExternalContext().isUserInRole(String role) to determine if the user currently logged on has a specified role. You can use this in a page to determine whether or not to render a visual component based on the user's role. Suppose a user may be assigned to the role of "Administrator", "User", or "Manager". To display an Output Text component on Page1.jsp only if the user is a manager, set a value binding on the rendered property of the component to a getter method that returns isUserInRole("Manager"). For example:
  1. Define a property on your page bean by copying the getter method below to the end of Page1.java:
     // True only when the container reports the logged-in user in the "Manager" role
     public boolean isManager() {
         return getExternalContext().isUserInRole("Manager");
     }
  2. Set the rendered property for the component to false (unchecked in the Properties window).
  3. Edit the Page1.jsp source, replacing the value "false" with "#{Page1.manager}", so your code looks like:
 binding="#{Page1.outputText1}" id="outputText1" rendered="#{Page1.manager}" 
 style="left: 48px; top: 48px; position: absolute"/>
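
A web.xml fragment for the container managed approach and the JSF URL quirk described above, as an added example that is not part of the original FAQ. The "Manager" role and the Admin.jsp page come from the text; the resource names, the realm and the /login.jsp and /loginError.jsp pages are assumptions.

```xml
<!-- Added example: goes inside <web-app> in WEB-INF/web.xml -->

<!-- Protect the URLs the browser actually requests for Admin.jsp.
     Both Faces mappings are listed so the constraint holds whichever is in use. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin page (Faces URLs)</web-resource-name>
    <url-pattern>/faces/Admin.jsp</url-pattern>  <!-- prefix mapping -->
    <url-pattern>/Admin.faces</url-pattern>      <!-- extension mapping -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>Manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so credentials and the session are not sent in clear text -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Deny direct requests for the raw JSP. An empty auth-constraint means
     no role is allowed. Constraints are checked on the client's request only,
     not on the Faces servlet's internal forward, so rendering still works. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Raw Admin.jsp</web-resource-name>
    <url-pattern>/Admin.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Form login; page paths and realm name are assumptions for this example -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>file</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint or passed to isUserInRole()
     must be declared here -->
<security-role>
  <role-name>Manager</role-name>
</security-role>
```

The role name declared here is the same string that isUserInRole("Manager") checks, so the page-level rendering test and the URL constraint stay consistent.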

  Applies to: NetBeans 5.5
  Platforms: All