This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
Hope you might have understood my question from the title itself.
To be more precise, I have an application in which 5-10 jsp pages are there. Entry point of application is login.jsp .
When login.jsp is submitted, it goes to a servlet and from the servlet to an authentication method inside a bean. It performs the required checking and transfers the user to the next page(default.jsp), if he is a valid user.
Now, if a person access the default.jsp page straightaway, he can access it.
My question is, how can I restrict the users from accessing the other jsp pages straightaway without authentication? What is the most common and effectife method used for it. Do I need to set some values to session once i perform authentication check for login.jsp and use it for other jsp's or are there any other better methods?
If I am unclear somewhere in my question, kindly say, so that I will explain it.
Below given is a suggestion which I got from one of my friends who work in j2ee. Kindly say whether this is a good approach.
you can save the logged in user_id in the session when logged in by request.getSession().setAttribute("user_id",user_id) then check on this user_id on every init servlet you have or in the jsp or make BasicServlet for you and let all your servlets extends from it and put this check in it and if the request.getSession(false).getAttribute("user_id") == null then throw exception
Saving the userID in the session is a good start. You could combine that with a servlet filter that gets applied to all JSPs. Instead of it throwing an exception, it could just redirect to the login page.
Joined: Feb 19, 2008
I use request.getSession(false).getAttribute("user_id") == null to check whether the user is in session.
I have written a filter. I presume that, I should use the above checking in the public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) method of the filter class.
If it is so, ServletRequest request does not have the method getAttribute .
What is the solution for this? Or is it in some other way that I should perform this session checking in the filter?