Create a webapp around an existing webapp for handling session control

 
Greenhorn
Posts: 16
Hello,

I have a customer who has an existing web application. This application is freely accessible. Now, he wants to commercialize the application.

The way to do this is by adding a system with subscriptions, so that a user has to log in to view the application. So far, no problem.

The problem comes in the fact that the existing web application was not developed by me, but by others. My client doesn't want to change the code in the existing application, he wants me, if possible, to create a new small web application around the existing one that handles session control.

This means that every time a page of the existing application is accessed, a check needs to be performed by the new small application to see whether the user already has a session or not. If not, the user needs to log in.

I have talked to someone who has done something similar, but that was in .NET. It seems that on Microsoft IIS it is possible to configure that every time a page of an application is accessed, a code snippet is automatically run. This way the session check is performed.

The existing web application runs on the Tomcat web server.
Can it be done? If so, how?

Thanks in advance,

Thierry
 
Sheriff
Posts: 13411
This is a textbook case for servlet filters.
Filters can intercept requests going to or coming from any resource on your server (servlets, JSPs, static resources).
What gets intercepted is determined by URL mappings that you set in the deployment descriptor.

I have an example app that does this (and a bit more) on my site:
http://simple.souther.us/not-so-simple.html
Look for SessionMonitor.


Depending on your client's needs, you may also be able to do this with declarative security right from your deployment descriptor.
Take a look at SRV.12.8 in the ServletSpec (link in my signature).
You may find that the container already has all the security that you need.
 
Thierry Collogne
Greenhorn
Posts: 16
That seems like a good idea, I have done a little test with it and it works.

But now I have another problem. If a user is not logged in, I want to forward to
a URL that is not within the application (for example google.com).

How do I do that?
 
Ben Souther
Sheriff
Posts: 13411
I gave two ideas.
Which were you trying?

I'm not sure how to do this with declarative security but here's how I usually do it (programmatic):

Upon a successful login, bind an object to session (call it userBean).
Then use a filter to intercept every request.
In the filter, check for the existence of the userBean.
If it's there (not null) let the request go through.
If not, forward the user to the login screen.

This is what I do in that example app mentioned earlier.
[ December 02, 2005: Message edited by: Ben Souther ]
 
Thierry Collogne
Greenhorn
Posts: 16
That is also the way I check for a session, but the problem here is that the login screen is another application, so if I create a session in the application with the login screen, the session is not known by the other application.

I have read about a way of sharing the session, but I still have to try that.
But, here comes the question I asked above.
Since the login screen is in a different application from the filter class, how can I forward from the filter class to the login screen? If you forward you use a mapping, but is it possible to use an absolute URL to forward to?

This example will clarify

Url from application where filter class resides

http://testserver/archiveapplication

URL of the login screen
http://testserver/loginapplication/welcome.do

So can I forward from the filter class in "http://testserver/archiveapplication" to the login screen in the other application? So forward to "http://testserver/loginapplication/welcome.do".


Hope this makes it a bit clearer,

If you could help me with this, I would be very grateful,


Many thanks
 
Ranch Hand
Posts: 489
Just to set the context - I had responded to the same query by Thierry in another forum and suggested the same that Ben did here. Here's my post:


You would make your changes in such a way that you needn't touch the existing code in any fashion. In other words, you add some more new control logic.

The control logic would be in the form of filters.
One functionality that a filter (look at http://java.sun.com/products/servlet/Filters.html for a crash course) does is to block requests based on a user identity.

So all requests to the existing web application would first be assigned to this filter (which would essentially do the same task as the script your friend talked about in .NET). The filter would block the request and when it finds no valid session associated with that request would redirect the request to your web application which would perform whatever is required.

Now comes the next part, which is an even tougher nut to crack - in Java, sessions are not sharable across web applications. In short, when you associate a user to a session in one web application, there's no way the other web application can access or share this data.

1. In Tomcat, one context can be accessed from another by defining the two contexts to be 'sharable' in 'context.xml' - I tried this once long back and the results were quite unpredictable.

The API support is the getContext(String otherContext) method of the context object.

2. Hold this info in a mutually sharable db/file/serialized object.



You will notice from the above, that you will have to call a redirect api rather than forward to the other application.

And after that, comes the question of how you are going to solve the session sharing problem, which may be the most difficult of all.

cheers,
ram.
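
The filter approach described in the replies above, as an added example that is not code from any poster or from the example app linked in the thread: a servlet filter that checks for the `userBean` session attribute and redirects (rather than forwards) to the login application. The class and package names are hypothetical, the login URL is the one given in the question, and the `javax.servlet` API is assumed.

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Map this filter to /* in the protected application's deployment descriptor
 * so that servlets, JSPs and static resources are all covered.
 */
public class SessionCheckFilter implements Filter {

    // Fixed target taken from the thread; never build it from request input,
    // otherwise the filter becomes an open redirect.
    private static final String LOGIN_URL = "http://testserver/loginapplication/welcome.do";

    // Attribute bound to the session after a successful login ("userBean" in the thread).
    // It must exist in THIS context's session; another context's session is not visible here.
    private static final String USER_ATTR = "userBean";

    public void init(FilterConfig config) {
        // no configuration needed
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session for an unauthenticated visitor.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(request, response); // logged in: let the request through
            return;
        }
        // A RequestDispatcher forward cannot target an absolute URL in another
        // application, so the browser is redirected instead. Nothing of the
        // protected resource is written to the response before this point.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(LOGIN_URL);
    }

    public void destroy() {
        // nothing to release
    }
}
```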
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Thierry Collogne:
That is also the way I check for a session, but the problem here is that the login screen is another application, so if I create a session in the application with the login screen, the session is not known by the other application.

At the moment there is no spec compliant way to share sessions across contexts. The container you're using may have additional functionality to do this.
You would need to check with your server's documentation.
 
Thierry Collogne
Greenhorn
Posts: 16
Thanks for the replies. I have found another solution. Tomcat has something called "valves". They are basically the same as filters, but there is no need for altering the existing application.

Here are some links

http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html

http://support.borland.com/entry.jspa?externalID=2592&categoryID=121


For sharing the session I will use this solution

http://www.fwd.at/tomcat/sharing-session-data-howto.html


I use the part of getting the session id, but I hold my user information in a database with the session id as primary (unique) key.
For session invalidation I will create a job that will check in the database if a session should be invalidated.

What do you think?
 
Ben Souther
Sheriff
Posts: 13411

Originally posted by Thierry Collogne:
What do you think?



It sounds like a lot of work; probably a lot more than working a filter into the existing app.
Valves are also Tomcat specific so the solution won't be portable.

Other than those issues, it looks good on paper.
Give it a shot and let us know how it worked out for you.
Good luck
 