
redirection on login

Jay Brass
Ranch Hand

Joined: Oct 24, 2000
Posts: 76
Hey all,

I need some help figgerin' this out. On my site, I have a page with links to other pages within the site. Before those links take you to the pages they point to, I want ya'll to log in first. Then after you've logged in, you will go to the page. I can handle the login page and checking a session object to see if login is true or not, but what I can't seem to figger out is how do I know which page ya'll clicked on. If you click on link A and login is false, I can force you to log in and do response.sendRedirect("linkA") but what if you click on link C? response.sendRedirect("linkA") isn't right anymore. How do I figger this out?
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

Use Form based authentication. It manages this for you.
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15302

While using Form Based Authentication is a quick and easy solution, I don't always find it the best solution. Specifically, I try to make most of my webapps run in any container (Tomcat, Resin, etc.). And most vendors' Form Based Authentication mechanisms differ slightly, usually just in how they are configured.

For what you want to do, the process goes like this...

User clicks link that requires login
requested page is stored in the session
user redirected to login page
upon successful authentication, user redirected to page from session

I usually use a ServletFilter to process such things. I typically call it a SecurityFilter and it handles who gets to where in my application.

GenRocket - Experts at Building Test Data
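
The four steps listed in the post above, sketched as a servlet filter. This is an added example, not code posted by anyone in the thread; the class name, the /login path, the session attribute names and the loginSucceeded helper are assumptions, and it targets the javax.servlet API (3.1 or later for changeSessionId).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical names throughout: SecurityFilter, /login, "user", "requestedPage".
// Assumes web.xml maps this filter to the protected pages and the login page.
public class SecurityFilter implements Filter {
    static final String USER = "user";             // set only after a successful login
    static final String TARGET = "requestedPage";  // page the user originally asked for
    static final String LOGIN_PATH = "/login";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String ctx = req.getContextPath();
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER) != null;
        if (loggedIn || LOGIN_PATH.equals(req.getServletPath())) {
            chain.doFilter(rq, rs);   // authenticated, or the login page itself
            return;
        }
        // Remember GET targets only. The value is taken from this request's own
        // path, never from a client-supplied "return URL" parameter.
        if ("GET".equals(req.getMethod())) {
            String target = req.getRequestURI().substring(ctx.length());
            String query = req.getQueryString();
            req.getSession(true).setAttribute(TARGET, query == null ? target : target + "?" + query);
        }
        res.sendRedirect(ctx + LOGIN_PATH);
    }

    // Call from the login servlet once the credentials have been verified.
    static void loginSucceeded(HttpServletRequest req, HttpServletResponse res, Object user)
            throws IOException {
        HttpSession session = req.getSession(true);
        String target = (String) session.getAttribute(TARGET);
        session.removeAttribute(TARGET);
        req.changeSessionId();            // new session id after login (session fixation)
        session.setAttribute(USER, user);
        // Fall back to the home page unless the stored value is an app-relative path.
        if (target == null || !target.startsWith("/") || target.startsWith("//")) target = "/";
        res.sendRedirect(req.getContextPath() + target);
    }
}
```

Because the filter runs in front of every mapped page, the individual pages need no login check of their own, and the redirect target never leaves the server-side session.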
Jay Brass
Ranch Hand

Joined: Oct 24, 2000
Posts: 76
User clicks link that requires login
requested page is stored in the session
user redirected to login page
upon successful authentication, user redirected to page from session

That's kinda how I had it thought out. I guess my brain is having trouble with the page stored in session and getting it out of session bit. If it is a link and you click on it, how do you store that and send the user somewhere else? For some reason I just don't get that part.
Does each page need to have a check for login and if false redirect to login page and then return or does the main page immediately go to the login page (no matter what link was clicked on) and check for login and if successful or true redirect to linked page?
It can't be this difficult, my gray matter is just sleeping today.
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63852

Follow Gregg's advice on using a filter.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

Actually, if you want transparent access control, it's not the presentation part that's of concern, it's the authentication framework. In other words, what's really meant here is Container Based Authentication being used with an authentication Form as opposed to a Dialog or other request for credentials.

And, as far as this being server-dependent, container-based authentication is part of the J2EE standard as expressed in the schema (formerly DTD) for web.xml. I know of no modern server, be it simple (Tomcat, Jetty) or full (WebLogic, JBoss, WebSphere or JOnAS) where you would be obliged to make any mods to the deployable unit when you ported the app.

Different appservers have different ways (often multiple ways) to configure the container's authorization configuration, but that's an operational concern, not a software design consideration.

As a matter of fact, at the moment I'm in the process of converting our apps from container-based database security to container-based Active Directory security. The only changes that I've been forced to make to the apps are those where the original design used foreign keys on the application schema to refer to user definition tables now being replaced with LDAP entries. Which would be an issue whether we'd used container security, wrapper security (filters), or security coded internal to the apps.

I do make one qualification to this assertion. In Tomcat4, I discovered that it wasn't a good idea to include external references (CSS, graphics, etc) on the login forms themselves, since the diverter wasn't handling them properly. So my login pages are all self-contained.

An IDE is no substitute for an Intelligent Developer.