[ajug-members] JSP justification??

Jason Kretzer/STAR BASE Consulting Inc. JKretzer at starbaseinc.com
Tue Jul 20 11:23:53 EDT 2004


A session is started once a person opens a browser and goes to your 
website and accesses a servlet/jsp.  The session is discarded when they 
close their browser.  The session only exists on the server for as long as 
the user is accessing your servlets/jsp.  As it is local to the server, I 
believe it is very secure.  Only your servlets/jsp can access the session.

A basic overview:  With built-in J2EE security you can set roles for your 
users.  Then you can set which roles can access what pages.  This is 
usually available in application servers like WebSphere.  Not sure if it 
is in JBoss or Tomcat.

I use 5/3rd as well and logged in.  Look at the URL after logging in and 
you will see "servlet" in it.  They are at least using servlets there.

I work in Cincinnati but live just across the river in KY in Fort Thomas. 

-Jason





Lykins Don H Contr AFSAC/ITS <Don.Lykins at wpafb.af.mil> 
07/20/2004 11:12 AM

To
"'Jason Kretzer/STAR BASE Consulting Inc.'" <JKretzer at starbaseinc.com>
cc

Subject
RE: [ajug-members] JSP justification??






I see you are in Cincy...I work in Dayton but live in Loveland.
 
I have looked into the session variable setting with 
session.setAttribute(). 
Is it secure?
Can anyone set a session attribute?
What do you mean "it's not quite as good as J2EE security" --- what is J2EE 
Security???
 
I have an account at 5/3rd (checking/savings) and can't find JSP's in use 
on www.53.com
..do you know where they use them?
-----Original Message-----
From: ajug-members-bounces at ajug.org [mailto:ajug-members-bounces at ajug.org]
On Behalf Of Jason Kretzer/STAR BASE Consulting Inc.
Sent: Tuesday, July 20, 2004 11:07 AM
To: General AJUG membership forum (100-200 messages/month)
Subject: Re: [ajug-members] JSP justification??


Don, 

1.  Another way of securing the JSP is to have it look in the session for 
a particular value that is placed in the session by an earlier servlet. 
Have the jsp throw an error if it is not there.  I admit it is not quite 
as good as J2EE security but it does help... 

2.  google for 'round trip processing jsp' minus the quotes.  this is one 
way that jsp's can be reused. 

3.  Fifth Third Bank (Cincinnati) uses them. 

Hope this helps. 

-Jason 




Lykins Don H Contr AFSAC/ITS <Don.Lykins at wpafb.af.mil> 
Sent by: ajug-members-bounces at ajug.org 
07/20/2004 09:00 AM 

Please respond to
"General AJUG membership forum (100-200 messages/month)" 
<ajug-members at ajug.org>



To
"'ajug-members at ajug.org'" <ajug-members at ajug.org> 
cc

Subject
[ajug-members] JSP justification??








I have been asked to justify my request to use JSP's.

The main issue appears to be with security..

1. how is everyone securing their JSP's
                 --- so you can't type the URL's directly.

2.  Do JSP's facilitate re-use? if so, how

3. Any large financial institutions using JSP's for secure transactions?



Don Lykins
AFSAC
937-257-4295 x4539
don.lykins at wpafb.af.mil

