check if user has access to a specific page.

Dave Bosky
Ranch Hand

Joined: Dec 16, 2003
Posts: 72
I'm fairly new to the java/jsp world. For authentication on jsp pages I understand I should use some kind of servlet to check if a user has access to a specific page, right?

A user gets presented with a login screen, they enter their usr/pwd, and click the login button. The login form action should go to an authentication servlet to validate/login the user and assign which pages they have access to view, right?

I've been sending the form action to another JSP page to validate the user and then do a check at the top of each JSP to see if they have access to that specific page. I've been told this isn't the proper way to do authentication.

If I did use a servlet for authentication how would I prevent the user from directly accessing a jsp page that they don't have access to? Do I need some specific code at the top of each JSP to prevent this?

Thanks,
Dave
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61426
    

In my opinion, the best way to do this would be with a filter rather than a servlet, and certainly not with a bunch of goo on each page.


Dave Bosky
Ranch Hand

Joined: Dec 16, 2003
Posts: 72
Could you explain what a filter is? I've not heard the term used with java/jsp before. Why would a filter be better than a servlet?

Thanks Again!
~Dave
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61426
    

Because in order to use a servlet you'd need to send every request through the servlet. If you have a single Front Controller, that's not too big an issue (though I'd argue that the filter is still architecturally preferable). But if not, then you'd need to play URL games, and life is just too short for that.

By defining a filter, the filter is associated with a URL pattern and will be invoked for any request matching the pattern. The filter can then decide whether to allow the request to process normally (if authentication succeeds) or to forward to another resource (like an error page or whatever makes sense if the authentication fails).

As such, the filter is independent of your pages and servlets and vice versa. Nice, eh?

Look up javax.servlet.Filter for more info.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61426
    

OnJava article on filters.
Dave Bosky
Ranch Hand

Joined: Dec 16, 2003
Posts: 72
Thanks for the Filter information. I've been reading up on them over the weekend and they seem pretty cool.
I have one other question related to my original question.

So to control individual page access for users I would use 2 filters.
Filter 1: Check if the user is logged into the application.
Filter 2: Verify the user has access to this specific page.

Thanks Again.
Dave
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61426
    

If it makes sense to logically separate them, yes. If the logic is the same, you could also combine them into a single filter. Whatever makes sense for your app. (Personally, I'd probably write the two separate filters for greater flexibility).
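
The two checks discussed in this thread, combined into a single filter, as an added example that is not code from any poster above. The session attribute names, the `/login.jsp` and `/login` paths, and the idea that the login servlet stores a `Set<String>` of permitted servlet paths are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter to /* (or to the protected URL pattern) in web.xml.
public class PageAccessFilter implements Filter {
    // Assumed names: the login servlet stores these in the session on success.
    static final String USER_ATTR = "user";
    static final String PAGES_ATTR = "allowedPages"; // Set<String> of servlet paths
    static final String LOGIN_PAGE = "/login.jsp";
    static final String LOGIN_ACTION = "/login";
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Container-normalized path, without context path or query string.
        String path = request.getServletPath();

        // The login form and its action must stay reachable, or the redirect loops.
        if (path.equals(LOGIN_PAGE) || path.equals(LOGIN_ACTION)) {
            chain.doFilter(req, res);
            return;
        }
        // Check 1: logged in? getSession(false) creates no session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        // Check 2: is this page on the user's list? Anything not listed is denied.
        @SuppressWarnings("unchecked")
        Set<String> allowed = (Set<String>) session.getAttribute(PAGES_ATTR);
        if (allowed == null || !allowed.contains(path)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the filter denies any path that is not explicitly listed, a new JSP added to the application stays inaccessible until someone grants it, and no per-page check is needed at the top of each JSP.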
 