
I am developing a web application using Facelets and an Entity-Controller-EJB structure. In the application, there are contents which are reachable only if you are logged in. A bean checks the login state every time you click on a button/link for the restricted contents, and redirects you either to the selected page or to the login page.

I thought that this way is not safe, as you can write the link directly in the browser instead of generating it from a button that checks the bean. So what should I do? Is there a render option embeddable in each page, or should I write a JavaScript function? In this case, what should I do? I have studied JS fundamentals but don't really know how to implement this control! Thank you for reading!

Tajkia Rahman Toma
Crimson

1 Answer


You cannot rely only on frontend to deny access to some parts of a web application.

This is because all the HTML/CSS/JavaScript is downloaded to the user's browser, so they can read your code and your authentication mechanism, and understand how to bypass it (or just disable it).

More on this: Why are browsers allowed to display client-side source code?

What you need is to implement some security mechanism in the backend.

The simplest one is to delegate this to your web server (here are the instructions for Apache) and then use something similar to this to do the login.

Another way is to have a proper backend: you send data to it (email/password) and it provides you a token that you use to access protected resources.

Or else, dynamically create your documents on the server side, only if the user is authenticated.

rpadovani
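As an added example (not part of the answer above, and not the asker's code), this is what the "proper backend" check looks like in the JSF/Facelets setting the question describes: a servlet filter that runs for every request to a restricted URL, however that URL was reached, and redirects to the login page unless the server-side session already holds an authenticated user. The attribute name `authenticatedUser`, the URL pattern `/restricted/*` and the page `/login.xhtml` are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Applies to every request under /restricted/*, whether the URL came from a
// button that consulted the login bean, a bookmark, or the address bar.
@WebFilter(urlPatterns = "/restricted/*")
public class AuthenticationFilter implements Filter {

    // Session attribute the login bean sets on success (assumed name).
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): inspect an existing session, never create one here.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn) {
            chain.doFilter(req, res); // authenticated: let JSF render the page
            return;
        }

        // Not authenticated: the restricted page is never rendered, so there is
        // nothing in the response for client-side code to reveal or bypass.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.sendRedirect(request.getContextPath() + "/login.xhtml");
    }
}
```

On successful login the bean stores the user object in the session under `USER_ATTR` (and, on Servlet 3.1+, can call `request.changeSessionId()` so the pre-login session id is not carried over); from then on the filter decides access independently of any button, link or JavaScript on the page.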
  • Well, I know that mine was a simple way to log in. So, having a form where you write user and pass (values stored in a bean), and then activating the "Login" button that tries to pull from the database a user with the same name (if it exists) and then match the password, is it totally unsafe? Why? – Crimson Jul 18 '16 at 17:40