Java Mailing List Archive

http://www.junlu.com/


RE: restricting access to jsp pages

Bruno Melloni

2004-01-15


A trivial solution is to store something (anything) in the user session during login, and then retrieve it in the JSP. If the retrieved value is not null, then the user is logged in. If the user is not logged in, you can redirect him to the login or an error page.

Of course, this is only one possible solution. Others exist. Which is best depends on what you are trying to accomplish in your site.

b.

-----Original Message-----
From: ext Merrill Cornish [mailto:merrill.cornish@(protected)]
Sent: Thursday, January 15, 2004 9:37 AM
To: Tomcat Users List
Subject: Re: restricting access to jsp pages


I'm confused.

>>> I don't want the user to have to log in, ...
>>> I can't find in the docs how Tomcat knows whether the user has logged in yet,

Question: Do you want your users to log in or not--never mind who does it?

>>> I want to have my "guard" servlet authenticate the user

How is that different from log in? Regardless of what you call it or whether it's done by a JSP page or a servlet, the user is going to have to identify himself to the guard servlet--and that's login, even if the phrase "log in" is never shown to the user.

In my own application, each of the JSP pages that needs the user to be logged in before coming to the page starts with this:

<%
if (Util.verifyLogin(session, response)) {
  // then we are logged in
 
  ... // other Java code needed for the page initialization
%>

... <!-- the JSP page itself -->

<% }//then logged in %>


If Util.verifyLogin() determines--in whatever manner--that the user is not yet logged in, it redirects to the login page (or whatever you are using to determine who the user is) and returns false. If it returns false, the rest of the JSP page is skipped, since the login page is being displayed.

In my case, Util.verifyLogin() determines that the user is logged in by checking that session is not null and that a certain session attribute set by the login servlet is not null.

In servlets, the test is

if (!Util.verifyLogin(session, response)) { return; } // not logged in: verifyLogin has already sent the redirect

Merrill





---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)
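
One way the Util.verifyLogin() helper described in Merrill's message could look, as an added example that is not code from the thread. It goes one step beyond the thread by wrapping the same check in a servlet Filter, so a page that omits the scriptlet is still covered. The package name, the attribute name "loggedInUser" and the login URL are assumptions.

```java
package example.auth; // assumed package name

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public final class Util {
    // Assumptions: attribute set by the login servlet, and the login URL
    // (context path included, because sendRedirect("/...") is container-relative).
    static final String LOGIN_ATTR = "loggedInUser";
    static final String LOGIN_URL = "/myapp/login.jsp";

    private Util() {}

    /** True if logged in; otherwise redirects to the login page and returns false. */
    public static boolean verifyLogin(HttpSession session, HttpServletResponse response)
            throws IOException {
        if (session != null && session.getAttribute(LOGIN_ATTR) != null) {
            return true;
        }
        // sendRedirect() throws IllegalStateException once the response is
        // committed, so this must run before the page writes any output.
        if (!response.isCommitted()) {
            response.sendRedirect(LOGIN_URL);
        }
        return false;
    }

    /** Same check applied centrally; map it in web.xml to the protected URLs only. */
    public static class LoginFilter implements Filter {
        public void init(FilterConfig config) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // getSession(false): do not create a session just to find it empty.
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (Util.verifyLogin(session, (HttpServletResponse) res)) {
                chain.doFilter(req, res); // logged in: continue to the JSP or servlet
            }
            // Not logged in: verifyLogin has handled the redirect and the chain stops here.
        }
    }
}
```

The filter mapping has to exclude the login page itself, otherwise the redirect loops.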





©2008 junlu.com - Jax Systems, LLC, U.S.A.