Re: workaround to suspend the session object
- From: Babu Kalakrishnan <bkk.ngroup@xxxxxxxxx>
- Date: Thu, 31 Aug 2006 17:54:53 +0530
Gaurav wrote:
I have a application called as "SUN Identity Managaer" . once the user
authenticates using username/password, I redirect it to the custome
page ( please read... I REDIRECT IT TO THE CUSTOM PAGE ), where I ask
him second level of authentication questions.
But the problem here is that , once the first level of authentication
is passed , the internal session objects ( which are not known to us )
is already set, and thus any knowledgeable user can log into the
application by simple typing the end page in the address bar, while the
second page for authentication is on the screen .
Your authentication need not be limited to what the container has performed for you. (I assume that's what you mean by the "first level"). Your servlet code that handles the submit from this second level authentication screen could set some special attribute in the session if and only if that level of authentication has been completed succesfully (e.g. session.setAttribute("AUTHENTICATED","YES") ) - and your servlet could deny requests to any other protected page if that special attribute is not found in the session.
BK
.
- References:
- workaround to suspend the session object
- From: Gaurav
- workaround to suspend the session object
- Prev by Date: Re: Running java programs from class files
- Next by Date: Re: What replaces StringBufferInputStream
- Previous by thread: workaround to suspend the session object
- Next by thread: mac using a microphone does not work in java
- Index(es):
Relevant Pages
|
