I'm fairly new to the java/jsp world. For authentication on jsp pages I understand I should use some kind of servlet to check if a user has access to a specific page, right?
A user gets presented with a login screen, they enter their usr/pwd, and click the login button. The login form action should go to an authentication servlet to validate/login the user and assign which pages they have access to view, right?
I've been sending the form action to another JSP page to validate the user and then do a check at the top of each JSP to see if they have access to that specific page. I've been told this isn't the proper way to do authentication.
If I did use a servlet for authentication how would I prevent the user from directly accessing a jsp page that they don't have access to? Do I need some specific code at the top of each JSP to prevent this?
Because in order to use a servlet you'd need to send every request through the servlet. If you have a single Front Controller, that's not too big an issue (though I'd argue that the filter is still architecturally preferable). But if not, then you'd need to play URL games, and life is just too short for that.
By defining a filter, the filter is associated with a URL pattern and will be invoked for any request matching the pattern. The filter can then decide whether to allow the request to process normally (if authentication succeeds) or to forward to another resource (like an error page or whatever makes sense if the authentication fails).
As such, the filter is independent of your pages and servlets and vice versa. Nice, eh?
If it makes sense to logically separate them, yes. If the logic is the same, you could also combine them into a single filter. Whatever makes sense for your app. (Personally, I'd probably write the two separate filters for greater flexibility).
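As an added example (not code from the thread), here is a single filter of the kind the answer describes, combining the authentication check with a per-path role check as the last reply suggests. The /app/* pattern, the session attributes "user" and "roles" (assumed to be set by the login servlet), the rule table and login.jsp are all assumptions, and the class relies on the Servlet 4.0 API's default init()/destroy().

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Runs for every request under /app/* (assumed pattern), so a user typing a JSP
// URL directly still passes through it. Keep login.jsp and the login servlet
// outside this pattern, otherwise they would be blocked too.
@WebFilter("/app/*")
public class AccessFilter implements Filter {
    // Hypothetical rules: protected path prefix -> roles allowed to view it.
    // Paths without a rule only require a logged-in user.
    private static final Map<String, Set<String>> RULES = Map.of(
        "/app/admin/", Set.of("admin"),
        "/app/reports/", Set.of("admin", "analyst"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Authentication: the login servlet is assumed to have stored "user" and a
        // Set<String> "roles" in the session after validating the credentials.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return; // chain.doFilter is never called, so the JSP never renders
        }

        // Authorization: match the context-relative path against the rules.
        Set<String> roles = (Set<String>) session.getAttribute("roles");
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        for (Map.Entry<String, Set<String>> rule : RULES.entrySet()) {
            if (path.startsWith(rule.getKey())
                    && (roles == null || roles.stream().noneMatch(rule.getValue()::contains))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN); // logged in, wrong role
                return;
            }
        }
        chain.doFilter(req, res); // allowed: let the servlet or JSP handle the request
    }
}
```

Because the check happens in the filter, no code is needed at the top of each JSP; an unauthenticated request is redirected and an unauthorized one gets a 403 before the page is ever reached.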