*
The moose likes Servlets and the fly likes user session questions Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "user session questions" Watch "user session questions" New topic
Author

user session questions

John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
I am creating the sdmin portion of my site. When the user logs in i set the user object to the session. In my servlet that i use for my admin part of the site i always first check to see if the user is null.

If the user is null i redirect back to the login page.

1. Do i need to set the user in the session only once or do i have to do

session.getAttribute("user")

Check for null

then session.setAttrubite("user") in every single servlet that is in the admin portion of my app?

2. Should i also be checking to see if the user is null on all the jsp pages or just in the servlets?

3. does every page have to be no-cached?

i am getting weir instances where i am navigating through and i get thrown back to the login page without logging out.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60817
    
  65

1. Only once.

2. Neither. This is best performed in a filter.

3. Only pages you don't want cached (e.g anything with active data).


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
thanks

i saw some info about the filters, but not any good examples. Do you have any links or short examples you could point me to on the best way to achieve that?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60817
    
  65

Google "servlet filter" lotsa good info out there!
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
ok read some usefull stuff,
a few more questions

1. Do you have to use form base authentication like j_security_check or can i use my database?

2. SHould all the jsp pages be in a seprate folder when using the filter
e.g admin folder?

thanks again
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60817
    
  65

1. No. I never do. I roll my own authentication for maximum flexibility.

2. I never directly address a JSP. I always use a servlet page controller (Model 2). So filters only get applied to servlet URL mappings, never JSPs.
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
ok the sample code i was looking at used a folder called secure and all the jsp file were in that folder, that you needed a login to get to. if i do it using servlets do i need to do filter mapping to each and every servlet for that area of the application the user needed a login for?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60817
    
  65

Usually, individual servlets are not mapped in the web.xml. Rather, a Front Controller pattern is used. See this article for more info on that.

In such a case, it's easy to construct URLs that adhere to any pattern you'd like. Certain patterns can be checked, and others can be ignored when checking for login credentials.
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
yes i have read that article. i havent firmly grasped the front control pattern yet. so in my case is it possible to just map the servlets in the web.xml
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60817
    
  65

Sure it is. It just gets unwieldily once a web app starts defining even a moderate number of servlets.

For a really simple implementation of a Front Controller, you might want to check out my Front Man project (see below).
John Schretz
Ranch Hand

Joined: Sep 10, 2008
Posts: 188
ok cool i will check that out. thanks again
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: user session questions
 
Similar Threads
filter for authentication
returning a resultset
Netscape servlet woes
about a project
Session question