| Author |
user session questions
|
John Schretz
Ranch Hand
Joined: Sep 10, 2008
Posts: 171
|
|
I am creating the sdmin portion of my site. When the user logs in i set the user object to the session. In my servlet that i use for my admin part of the site i always first check to see if the user is null.
If the user is null i redirect back to the login page.
1. Do i need to set the user in the session only once or do i have to do
session.getAttribute("user")
Check for null
then session.setAttrubite("user") in every single servlet that is in the admin portion of my app?
2. Should i also be checking to see if the user is null on all the jsp pages or just in the servlets?
3. does every page have to be no-cached?
i am getting weir instances where i am navigating through and i get thrown back to the login page without logging out.
|
 |
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56153
|
|
1. Only once.
2. Neither. This is best performed in a filter.
3. Only pages you don't want cached (e.g anything with active data).
|
[Smart Questions] [JSP FAQ] [Books by Bear] [Bear's FrontMan] [About Bear]
|
|
John Schretz
Ranch Hand
Joined: Sep 10, 2008
Posts: 171
|
|
thanks
i saw some info about the filters, but not any good examples. Do you have any links or short examples you could point me to on the best way to achieve that?
|
|
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56153
|
|
|
Google "servlet filter" lotsa good info out there!
|
|
John Schretz
Ranch Hand
Joined: Sep 10, 2008
Posts: 171
|
|
ok read some usefull stuff,
a few more questions
1. Do you have to use form base authentication like j_security_check or can i use my database?
2. SHould all the jsp pages be in a seprate folder when using the filter
e.g admin folder?
thanks again
|
|
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56153
|
|
1. No. I never do. I roll my own authentication for maximum flexibility.
2. I never directly address a JSP. I always use a servlet page controller (Model 2). So filters only get applied to servlet URL mappings, never JSPs.
|
|
John Schretz
Ranch Hand
Joined: Sep 10, 2008
Posts: 171
|
|
|
ok the sample code i was looking at used a folder called secure and all the jsp file were in that folder, that you needed a login to get to. if i do it using servlets do i need to do filter mapping to each and every servlet for that area of the application the user needed a login for?
|
|
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56153
|
|
Usually, individual servlets are not mapped in the web.xml. Rather, a Front Controller pattern is used. See this article for more info on that.
In such a case, it's easy to construct URLs that adhere to any pattern you'd like. Certain patterns can be checked, and others can be ignored when checking for login credentials.
|
|
John Schretz
Ranch Hand
Joined: Sep 10, 2008
Posts: 171
|
|
|
yes i have read that article. i havent firmly grasped the front control pattern yet. so in my case is it possible to just map the servlets in the web.xml
|
|
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56153
|
|
Sure it is. It just gets unwieldily once a web app starts defining even a moderate number of servlets.
For a really simple implementation of a Front Controller, you might want to check out my Front Man project (see below).
|
|
John Schretz
Ranch Hand
Joined: Sep 10, 2008
Posts: 171
|
|
|
ok cool i will check that out. thanks again
|
|
 |
|
|
subject: user session questions
|
|
|
0
