Confused - MVC, JSP, Servlet interaction

Darren Wheatley
Greenhorn

Joined: Nov 27, 2003
Posts: 11
Hi,
I have a good handle on the basic principles of MVC (JSP = View; Servlet = Controller; Bean = Model) but I'm confused about a number of issues:
1. Links in JSP. Should all of them go through the controller servlet, even if they are just links from one JSP to another with no change in business logic / model?
2. When a user goes to a secure page I need to enforce a logon if they are not already logged on. At the moment I have some code in a JSP that checks to see if a session variable is set, and if it isn't it does a redirect:
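=====
// Scriptlet in the secure JSP: hand users who are not logged in to the controller
String sLoggedIn = (String) session.getAttribute("LoggedIn");
if (sLoggedIn == null)
{
    RequestDispatcher dispatcher = request.getRequestDispatcher("Main?action=login");
    dispatcher.forward(request, response);
    return; // stop processing the rest of this page once the request has been forwarded
}
=====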
FYI, my controller servlet is called "Main".
In the controller servlet I check for action equals "login" and then redirect to login.jsp on a match.
Is this a good approach?
How should I pass data between the code that checks to see if the user is logged in, the controller servlet and the login.jsp page? I'd like the user to be returned to the secure page that they tried to access when they were forced to login. For example:
1. User tries to access "buy.jsp"
2. User is not logged in so they are redirected (through the controller servlet) to login.jsp
3. They enter their username and password and the form is submitted to the controller servlet.
4. The controller servlet validates the user against a database.
5. If the login fails the user is redirected to login.jsp and gets an error message. Jump to step 3.
6. If the login is successful then a session variable is set to show that they are logged in, and then they are redirected to buy.jsp
Any help you can give me would be fantastic. I'm tearing me hair out trying to do this development the "right" way.
Thanks
Darren.
Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
I am no expert but here is my input (more than welcome to be corrected on anything)...

1. Links in JSP. Should all of them go through the controller servlet, even if they are just links from one JSP to another with no change in business logic / model?

Though there is no hard and fast rule to say that *ALL* things must go through the controller (for example, a form split over a number of pages), inevitably you do not want pages to be dependent upon one another for ease of maintenance; the flow of the app should ideally be controlled centrally.
My take on no. 2 - I would personally put the logic inside the controller to check if a buy.jsp is to be served. The person only allowed to access a particular page after validation is inevitably a business decision.
The controller should check for the existence of a session, if present use the application context to check where the request came from and send them back, else ask for user name and password and subsequently the controller delegates the task of logging into a bean.
HTH
- FK -


The secret to creativity is knowing how to hide your sources.
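
One way to centralize the login check discussed above and return the user to the page they first asked for, written as an added example and not code from any poster in this thread. The "LoggedIn" attribute and "Main?action=login" come from the original question; the class name `LoginFilter`, the `loginTarget` attribute and the `/index.jsp` fallback are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter; map it in web.xml to the secure pages only (e.g. /buy.jsp).
public class LoginFilter implements Filter {
    static final String LOGGED_IN = "LoggedIn";       // attribute name used in the thread
    static final String TARGET = "loginTarget";       // assumed name for the saved page
    static final String DEFAULT_PAGE = "/index.jsp";  // assumed fallback page

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        HttpSession session = request.getSession(true);
        if (session.getAttribute(LOGGED_IN) != null) {
            chain.doFilter(rq, rs);                   // already logged in: serve the page
            return;
        }
        // Remember the requested page on the server side. The return target is
        // never read from a request parameter, so a crafted link cannot choose it.
        session.setAttribute(TARGET, request.getServletPath());
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/Main?action=login"));
    }

    // Called by the controller after it has validated the credentials (step 6).
    // Returns the URL the controller should pass to response.sendRedirect().
    static String completeLogin(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        String target = (old == null) ? null : (String) old.getAttribute(TARGET);
        if (old != null) old.invalidate();            // new session ID after login
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(LOGGED_IN, user);
        // Only accept a local path; anything else falls back to the default page.
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            target = DEFAULT_PAGE;
        }
        return request.getContextPath() + target;
    }
}
```

The saved target is the servlet path only, so a query string on the original request is not restored.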
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

The person only allowed to access a particular page after validation is inevitably a business decision.

I think that after Authentication (validation), whether a person is allowed access to a particular page or not is a question of Authorization.

Whether someone is authorized to view a page or not can be thought of as a business rule, but I tend to think of it more as a configuration. And luckily for us, Servlet containers have both Authentication and Authorization (A+A) capabilities.

These two Tomcat documents, even though they're Tomcat specific, provide a good introduction on an implementation of the servlet spec's A+A features.
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/realm.html

Also, check out the Servlet Spec
Servlet 2.3 Spec

Servlet 2.4 Spec
Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Mike,
Thanks for correcting me, it was actually the wrong language I used which caused the confusion. What I intended to say was: deciding which pages can only be accessed by validated users is a business decision - at least that is what I was thinking. Would that be correct?
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

Hi Faisal,

I don't think you're wrong, and to argue over 'authorization' or 'business decision' is probably splitting hairs. At some point, some person or process decides who is 'authorized' to perform certain functions, or view certain pages, or parts of pages.

That decision process is called 'authorization', and of course, it's driven by someone, somewhere, making a business decision (at deploy time perhaps, or in a more dynamic system, as a runtime configurable setting).
 