
Secure Log In Question

Luke Shannon
Ranch Hand

Joined: Sep 30, 2004
Posts: 239
Hi;

I created my first secure application a while back. I am just creating a new one now and looking over the working set up to remember how I did it.

What I can't figure out is this.

In my working application, if you successfully log in you are taken to main.jsp. I thought I had configured this using <welcome-file> in web.xml, but it's not there?

How does it know to go there if the user authenticates?

What I would like to do is have the user log in, and then based on their role send them off to different pages. Can the request be sent to a servlet following authentication?

Thanks,

Luke

ps: I hope this is the correct forum to put this.


Luke
SCJP
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Let me recap and see if I understand correctly.

You are using FORM based authentication.
You have areas secured specifically for different user roles.
When a user visits the site, they should be asked to log in, and then sent to the specific area for their role.

Should be possible, but may depend on your server since I've had slightly different behaviour depending on the vendor.

Create a /login.jsp and /loginError.jsp as usual for authentication.
Map the welcome to /secure/welcome.jsp
In web.xml, make the /secure/* directory secured, but for any role (ie *)
Create a /user directory, an /admin directory and a /dave directory. These are your three roles.
In web.xml list the three security roles, and map the directory to the specific role.

Now when a user hits your site, they automatically get sent to /secure/welcome.jsp and are forced to log in. As long as they log in with one of the roles listed in your web.xml they will 'see' the welcome.jsp
In welcome.jsp, just have something like this:



A couple of points:
* I would definitely use response.sendRedirect in this instance
* the ordering is important since users can be in several roles, they may not map to just one.

Was this what you were asking?
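The role-based welcome step above, written as a servlet rather than a JSP. This is an added example, not code from this thread or from any of its posters. It assumes web.xml (a) protects /secure/* with a security-constraint whose auth-constraint admits every declared role, so the container has already forced a FORM login before this servlet runs, and (b) declares the roles "admin", "dave" and "user". The servlet class name, its mapping at /secure/welcome and the per-role target pages are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical role router, mapped at /secure/welcome (inside the protected area).
 * The container authenticates the user before doGet() runs; this class only
 * decides where an already-authenticated user should land.
 */
public class WelcomeRouter extends HttpServlet {

    // Ordered most-privileged first. A user who is in several roles is sent to
    // the first entry that matches, which is why the order matters.
    private static final String[][] ROUTES = {
        { "admin", "/admin/index.jsp" },
        { "dave",  "/dave/index.jsp" },
        { "user",  "/user/index.jsp" },
    };

    /** Returns the context-relative page for the user's first matching role, or null. */
    static String targetFor(HttpServletRequest request) {
        for (int i = 0; i < ROUTES.length; i++) {
            if (request.isUserInRole(ROUTES[i][0])) {
                return ROUTES[i][1];
            }
        }
        return null;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Defence in depth: if the security-constraint was misconfigured and an
        // anonymous request reached us, refuse rather than route.
        if (request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String target = targetFor(request);
        if (target == null) {
            // Authenticated, but in none of the roles this application knows.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Redirect (as the post recommends) so the browser's URL reflects the
        // role area and the per-directory constraints are applied on the new request.
        response.sendRedirect(request.getContextPath() + target);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```

Because the redirect targets are fixed strings chosen by the application, nothing from the request influences where the user is sent; the per-directory security constraints in web.xml still decide whether the redirected request is allowed.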
Luke Shannon
Ranch Hand

Joined: Sep 30, 2004
Posts: 239
Perfect! This is very helpful.

The only part I am not sure about is:

Map the welcome to /secure/welcome.jsp


How do you configure this? Is it with a <welcome-file> tag in the web.xml of the project?

I have an application that is secure. When you log in it takes you to secure/main.jsp. I can't find out where I configured that. I have searched for the text <welcome-file> and for main.jsp in my project folder and the Tomcat conf folder. Nothing. I can't find out how I am doing it.

Thanks,

Luke
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Do you have a welcome-file section at all? The default is usually index.html, and you may have an HTTP redirect from there to /secure/main.jsp rather than adding the second file directly to the welcome-file section. Just a thought.
Luke Shannon
Ranch Hand

Joined: Sep 30, 2004
Posts: 239
I don't have a welcome file section. Also, the application had been sitting for a few days without use. Today when I tried to use it I got a Context Not Defined error (had to restart Tomcat to fix it). I have already opened a thread on the Tomcat board for this. But what this suggests to me is the project is not configured properly.

Concerning the secure login issue for my new application, I have it all working perfectly.

Thanks for your help and code samples David.

Luke
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

No sweat, I hope it all works the way you want.
Luke Shannon
Ranch Hand

Joined: Sep 30, 2004
Posts: 239
Things are working nicely, but now I need more :-)

In my trafficrouter.jsp I have:



But doctorOptions.jsp needs to contain some specific data based on which doctor just accessed the system ( list of patients, etc).

What I need to do now is look up some information from the DB on the doctor (based on the user name he/she logged in with) and pass that information to the doctorOptions.jsp page.

Basically, once a user with the role of doctor logs in I need the system to look up the data and put it in an attribute (I am assuming this is the best way to do this) so doctorOptions.jsp has access to this when it loads up.

Should I make my welcome page a servlet? Can I do this? Maybe the trafficrouter could take the user log in name (hopefully I have access to this) and forward it to a servlet?

Any suggestions on the best way to do this?

Thanks,

Luke
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

It is usually best to design things as Model-View-Controller (MVC).

You should search this forum for more information, but a short description is:
The JSP is the view only and places data on the screen.
The Model is the data on the page.
The Controller is a Servlet, often created as a 'Front Controller', but it loads the data and decides which view to display and calls it.

Based on this, you should (could) have a DoctorOptions Servlet, and you redirect to this instead. It loads the data and forwards to the doctorOptions.jsp
Luke Shannon
Ranch Hand

Joined: Sep 30, 2004
Posts: 239
I like the servlet idea. I think it is better to keep JSP pages pretty "dumb" logic wise, keep the complex stuff in Java class where it belongs.

If I went this route:

1. Can I redirect to a servlet from TrafficRouter.jsp?
2. When this redirect happens I need to pass in something the system can use to find out the right doctor information. Is it possible to pass the servlet the name the user logged in as?

Here is what I was thinking of doing:



Does that look reasonable? Will the path work for the redirect? Something looks weird on the setting of the login name. I don't think I am doing this right.

Thanks,

Luke
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Nope, looks dangerous. If I access it and provide another doctor's name I may be able to fool the system into thinking I was them.

But all is not lost! Just redirect to the Servlet. You can still use the same method calls in the Servlet to test the user role and if you look closely at the request API you can also get the logged in user's name. Difficult to fool that!
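The DoctorOptions servlet suggested two posts up, written the safe way this reply describes: the logged-in name comes from the container via request.getRemoteUser(), not from a request parameter that anyone could set. This is an added example, not code from the thread. The class name, the JNDI data source name java:comp/env/jdbc/clinic, the patients table and its columns, and the view path /secure/doctorOptions.jsp are all assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Hypothetical controller mapped at /secure/doctorOptions, so the container's
 * FORM login runs before it. Loads the model for the authenticated doctor and
 * forwards to the view; the JSP only renders the attributes it is given.
 */
public class DoctorOptionsServlet extends HttpServlet {

    private static final String VIEW = "/secure/doctorOptions.jsp";
    // Assumed JNDI name, bound in Tomcat's context configuration.
    private static final String DATASOURCE_JNDI = "java:comp/env/jdbc/clinic";
    // Assumed schema: patients(doctor_login, patient_name). The login is bound as
    // a parameter, never concatenated into the SQL text.
    private static final String PATIENTS_SQL =
        "SELECT patient_name FROM patients WHERE doctor_login = ? ORDER BY patient_name";

    private DataSource dataSource;

    public void init() throws ServletException {
        try {
            dataSource = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
        } catch (NamingException e) {
            throw new ServletException("Data source not bound: " + DATASOURCE_JNDI, e);
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Identity is whatever the container authenticated. A "doctor" request
        // parameter is deliberately ignored: it would let any caller pick a name.
        String login = request.getRemoteUser();
        if (login == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Role check also comes from the container, same as in the welcome page.
        if (!request.isUserInRole("doctor")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        List patients;
        try {
            patients = loadPatients(login);
        } catch (SQLException e) {
            throw new ServletException("Could not load patients for " + login, e);
        }
        // Model goes into request scope; a forward keeps it for the JSP, a
        // redirect would not.
        request.setAttribute("doctorLogin", login);
        request.setAttribute("patients", patients);
        request.getRequestDispatcher(VIEW).forward(request, response);
    }

    /** Returns the patient names assigned to the given doctor login. */
    List loadPatients(String doctorLogin) throws SQLException {
        List names = new ArrayList();
        Connection con = dataSource.getConnection();
        try {
            PreparedStatement ps = con.prepareStatement(PATIENTS_SQL);
            try {
                ps.setString(1, doctorLogin);
                ResultSet rs = ps.executeQuery();
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            } finally {
                ps.close();
            }
        } finally {
            con.close();
        }
        return names;
    }
}
```

The trafficrouter page then redirects doctors to /secure/doctorOptions with no query string at all. Mapping the servlet under /secure/ matters: it is the security-constraint that makes getRemoteUser() non-null, and the null check is only a backstop against a misconfigured web.xml.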
Luke Shannon
Ranch Hand

Joined: Sep 30, 2004
Posts: 239
Works brilliantly! Thanks again.

Luke
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

No problem. I suggest starting a new thread for future requests and referring back to this one if required. It makes it easier for others to join in and improves your chances of getting help!

All the best,
Dave.