You are using FORM based authentication. You have areas secured specifically for different user roles. When a user visits the site, they should be asked to log in, and then sent to the specific area for their role.
Should be possible, but may depend on your server since I've had slightly different behaviour depending on the vendor.
Create a /login.jsp and /loginError.jsp as usual for authentication. Map the welcome to /secure/weclome.jsp In web.xml, make the /secure/* directory secured, but for any role (ie *) Create a /user directory/ /admin directory and /dave directory. These are your threee roles. In web.xml list the three security roles, and map the directory to the specific role.
Now when a user hits your site, they automatically get sent to /secure/welcome.jsp and are forced to log in. As long as they login with one of the roles listed in your web.xml they will 'see' the welcome.jsp In welcom.jsp, just have something like this:
A couple of points: * I would difinitely use response.sendRedirect in this instance * the ordering is important since usres can be in several roles, they may not map to just one.
Was this what you were asking?
Joined: Sep 30, 2004
Perfect! This is very helpful.
The only part I am not sure about is:
Map the welcome to /secure/weclome.jsp
How do you configure this? Is it with a <welcome-file> tag in the web.xml of the project?
I have an application that is secure. When you log in it takes you to secure/main.jsp. I can't find out where I configured that. I have searched for the text <welcome-file> and for main.jsp in my project folder and the Tomcat conf folder. Nothing. I can't find out how I am doing it.
Do you have a welcome-file section at all? The default is usually index.html, and you may have a HTTP redirect from there to /secure/main.jsp rather than adding the second file directly to the welcome-file section. Just a thought.
Joined: Sep 30, 2004
I don't have a welcome file section. Also, the application had been sitting for a few days without use. Today when I tried to use it I got a Context Not Defined error (had to restart Tomcat to fix it). I have already opened a thread on the Tomcat board for this. But what this suggests to me is the project is not configured properly.
Concerning the secure login issue for my new application, I have it all working perfectly.
But doctorOptions.jsp needs to contain some specific data based on which doctor just accessed the system ( list of patients, etc).
What I need to do now is look up some information from the DB on the doctor (based on the user name he/she logged in with) and pass that information to the doctorOptions.jsp page.
Basically, once a user with the role of doctor logs in I need the system to look up the data and put it in an attribute (I am assuming this is the best way to do this) so doctorOptions.jsp has access to this when it loads up.
Should I make my welcome page a servlet? Can I do this? Maybe the trafficrouter could take the user log in name (hopefully I have access to this) and forward it to a servlet?
It is usually best to design things as Model-View-Controller (MVC).
You should search this forum for more information, but a short description is: The JSP is the view only and places data on the screen. The Model is the data on the page. The Controller is a Servlet, often created as a 'Front Controller', but it loads the data and decides which view to display andd calls it.
Based on this, you should (could) have a DoctorOptions Servlet, and you redirect to this instead. It loads the data and forwards to the doctorOptions.jsp
Joined: Sep 30, 2004
I like the servlet idea. I think it is better to keep JSP pages pretty "dumb" logic wise, keep the complex stuff in Java class where it belongs.
If I went this route:
1. Can I redirect to a servlet from TrafficRouter.jsp? 2. When this redirect happens I need to pass in something the system can use to find out the right doctor information. Is it possible to pass the servlet the name the user logged in as?
Here is what I was thinking of doing:
Does that look reasonable? Will the path work for the redirect? Something looks weird on the setting of the login name. I don't think I am doing this right.
Nope, looks dangerous. If I access it and provide another doctor's name I may be able to fool the system into thinking I was them.
But all is not lost! Just redirect to the Servlet. You can still use the same method calls in the Servlet to test the user role and if you look closely at the request API you can also get the logged in user's name. Difficult to fool that!