Meaningless Drivel is fun!
The moose likes JSP and the fly likes MVC, JSP/Servlet/Bean Design Issue Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "MVC, JSP/Servlet/Bean Design Issue" Watch "MVC, JSP/Servlet/Bean Design Issue" New topic

MVC, JSP/Servlet/Bean Design Issue

Andrew Kenny

Joined: Mar 26, 2002
Posts: 3
I'm fairly new to Java and servlets, etc., but I need to clarify a design issue using the MVC model with JSP, Servlets and Beans.
The Objective
I'm writing a user authentication system that allows a user to use a website without registering. Once registered (as one of 3 types of users), they are allowed more privileged access to certain areas.
My Current Solution
I have an abstract User class and 4 other classes for each of the users that extend the User class. These are:
  • Unknown
  • Type1
  • Type2
  • Type3

  • Unknown is the un-authenticated user.
    I've tried to implement this using 1 Controller servlet which accepts a POSTed form from a JSP page to authenticate the user. The servlet creates an instance of UserBean (a bean that deals with the creation of the appropriate user-type class), and is put into the current session.
    Once logged in, the user is then redirected to a home page (by the servlet) that is relevant to the current user (eg Type2 will go to type2.jsp)
    That works with no problems.
    The Problem
    My problem is that a user who hasn't logged in can just type type2.jsp and access the page.
    What I want it to do is deny the user by redirecting them to their appropriate login page (say type2-login.jsp).
    I have been using PHP professionally for a while, and this was overcome by simply bunging an 'isLoggedIn and user==type2' check in code within the PHP page, but I want to ensure code and design separation, so I assume that a check in JSP is a no-no, the most logical place seems to be the Servlet that's acting as a Traffic Cop as someone put it.
    But I can't see how this would work because the page can't tell the Servlet to 'kindly, check the user has logged in and is sufficiently privileged, and if not redirect him to an appropriate login page'. Or can it?
    Apologies for the long post, but I'm not able to proceed unless I can get a handle on the correct way to do it.
    Thanks in advance,
    [ March 26, 2002: Message edited by: Andrew Kenny ]
    Axel Janssen
    Ranch Hand

    Joined: Jan 08, 2001
    Posts: 2164
    The "core j2ee Patterns"-book proposes a simple, pragmatic solution to your problem.
    Just put the jsps, which only should be accessed via MVC-forwarding from Controller, in the WEB-INF directory. You may create an extra folder (I use WEB-INF/jsp/.
    All files under the WEB-INF can't be accessed directly.
    I havent tried, but I think a 404 Error is returned (correct me if I am wrong, to late for testing), when users are trying to access those pages directly. You can then redirect all 404 errors to the login page via deployment descriptor.
    [ March 26, 2002: Message edited by: Axel Janssen ]
    Andrew Kenny

    Joined: Mar 26, 2002
    Posts: 3
    thanks for the reply, but the solution you suggest wouldn't be acceptable. It needs to redirect the user, rather than display an error page.
    Also, it's more of a design solution I'm after, as I know I'll encounter similar situations as I continue writing the application.
    I'll make a note of the idea though, as I'm sure it'll come in handy
    Parag Shah

    Joined: Jan 23, 2002
    Posts: 26
    You can create a custom JSP Tag library which verifies if the user is allowed access to the jsp page. The Tag code will check the User Object type and see if the current page is accesible by the user. Such mappings can exist in a properties file. If you do not with to use property files then pass as parameters to the tag all user object types that should be allowed access to that page. The tag body when executed will redirect the user to an "Access Denied" page if the user is not allowed access to the page.
    Your tag body can be some like this.
    <security:accesscontrol />
    Here your tag code will have to refer a properties file to check if the current User object in the session has access to this page.
    <security:accesscontrol users="com.something.Type1 com.something.Type2" />
    In this case your Tag code will simply validate if the current User Object is of one of the types specified.
    Hope this helps
    Do It Yourself Computer Science
    Andrew Kenny

    Joined: Mar 26, 2002
    Posts: 3
    It's a decent solution, but not really what I'm after.
    There must be a standard way of doing this sort of thing, whether it's for authentication, or some other task.
    Basically, I want to hide away the logic for the authentication in a class or a servlet so the JSP pages contain the least amount of code (or none).
    Pranit Saha
    Ranch Hand

    Joined: Sep 09, 2001
    Posts: 130
    Originally posted by Andrew Kenny:
    whenever u r checking the users login.. that time, if the user is valid place that username in a Session.. and in each page check whether Session is null or not.. like..
    Thanks and regards,
    Parag Shah

    Joined: Jan 23, 2002
    Posts: 26
    Its possible to keep minimum code in the JSP. You must ensure that JSP pages are not refferenced directly, but are always forwarded or redirected to by a controller servlet The client GET/PUT request always goes to a controller servlet which will do the preliminary authentication/access control and pass on control to the JSP only if the criteria are met, if not the user is redirected to some error page ("access denied" maybe).
    There are some libraries/frameworks which take care of access control. Jakarta Turbine is one of them ( You may also want to check out JAAS (Java Authentication and Access Control Standard) from sun. There are also some papers on the net for standard ways to implement security... but I cant seem to remember where I saw them.
    Joe Pardi
    Ranch Hand

    Joined: Oct 03, 2001
    Posts: 47
    Maybe you could use J2EE security to do as you wish. For example, put the pages associated to each type of user into a dedicated directory for that type. For example,
    Then put security constraints on each directory.
    Please something like this in your web.xml
    <description>Type 1 users</description>
    You would have a role for each user type. The roles and users are implemented using J2EE security. How this is actually achieved depends on which JSP container you're using.
    When a user is registered, they are assigned to a role. Their role determines which directory they have access to. The container manages this for you. If you want to programmatically check, you can use the isUserInRole() method in the HttpServletRequest class to determine if a user is in a particualr role.
    Hope this helps ...
    I agree. Here's the link:
    subject: MVC, JSP/Servlet/Bean Design Issue
    jQuery in Action, 3rd edition