Java Web Application 2nd Level Security for Sensitive Pages
I'm building a web application which features buying and selling, meaning I will have to collect the user's credit card information. So I want the user to re-authenticate himself to access the sensitive pages like change password, update/delete credit card etc.
I'm using Struts, Spring and Hibernate.
I've worked out a little scheme here, but I'd like to get some feedback and criticism.
- Maintain a list of sensitive page URLs in Spring beans.
- Create a servlet filter which finds whether the page is sensitive or not; if the page is sensitive, it checks for a sensitive token (the token will carry the time when it was created) in the session.
- If the token is not present or the token's life is more than 5 minutes, redirect the user to the authentication page again.
- The authentication page, upon successful login, will create a token and put it in the session.
This means the user can access the sensitive pages for only 5 minutes upon single authentication.
Is there any other better way? Thanks in advance.
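The filter described in the scheme above, written out as an added illustration (not code from the question or from any of the frameworks mentioned); the session attribute name `reauthIssuedAt`, the init-params `sensitivePaths` and `reauthPage`, and the `reauthTarget` attribute are assumed names. The re-authentication page is expected to call `session.setAttribute(SensitivePageFilter.TOKEN_ATTR, Instant.now())` after a successful password check.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

/** Gates sensitive URLs behind a recent re-authentication (example; assumed names). */
public class SensitivePageFilter implements Filter {
    static final String TOKEN_ATTR = "reauthIssuedAt";      // assumed session attribute
    static final Duration MAX_AGE = Duration.ofMinutes(5);  // lifetime from the question
    private List<String> sensitivePaths;                    // could equally come from Spring beans
    private String reauthPage;

    @Override
    public void init(FilterConfig cfg) {
        sensitivePaths = Arrays.asList(cfg.getInitParameter("sensitivePaths").split(","));
        reauthPage = cfg.getInitParameter("reauthPage");
    }

    /** True only if a token exists in the session and was issued less than MAX_AGE ago. */
    static boolean tokenValid(HttpSession session, Instant now) {
        if (session == null) return false;
        Object issued = session.getAttribute(TOKEN_ATTR);
        return issued instanceof Instant
            && Duration.between((Instant) issued, now).compareTo(MAX_AGE) < 0;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        // Map the filter to the form handlers too, not just the pages that render the forms
        boolean sensitive = sensitivePaths.stream().anyMatch(path::startsWith);
        if (sensitive && !tokenValid(request.getSession(false), Instant.now())) {
            // Remember the requested URL so the re-auth page can send the user back afterwards
            request.getSession(true).setAttribute("reauthTarget", request.getRequestURI());
            response.sendRedirect(request.getContextPath() + reauthPage);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the timestamp lives server-side in the session, the client cannot extend the 5-minute window by tampering with anything it sends.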
If the implementation is done in a filter, this configuration may be stored as the filter's configuration parameters in web.xml.
BTW, I think that redirecting the user to the login page may decrease usability. Did you perhaps think about just adding a password field to the page where the user types the credit card? In this case you can significantly simplify your system.
Re-authentication is a very good approach when doing sensitive operations, but there are also benefits in completely avoiding certain tasks - perhaps the handling of credit card information can be handled by some third party?