File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JSP and the fly likes How to implement authentication for each jsp page Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of OCA/OCP Java SE 7 Programmer I & II Study Guide this week in the OCPJP forum!
JavaRanch » Java Forums » Java » JSP
Bookmark "How to implement authentication for each jsp page" Watch "How to implement authentication for each jsp page" New topic
Author

How to implement authentication for each jsp page

anees ahamed
Ranch Hand

Joined: Feb 19, 2008
Posts: 31
Hi experts,

Hope you might have understood my question from the title itself.

To be more precise, I have an application in which 5-10 jsp pages are there. Entry point of application is login.jsp .

When login.jsp is submitted, it goes to a servlet and from the servlet to an authentication method inside a bean. It performs the required checking and transfers the user to the next page(default.jsp), if he is a valid user.

Now, if a person access the default.jsp page straightaway, he can access it.

My question is, how can I restrict the users from accessing the other jsp pages straightaway without authentication? What is the most common and effectife method used for it. Do I need to set some values to session once i perform authentication check for login.jsp and use it for other jsp's or are there any other better methods?

If I am unclear somewhere in my question, kindly say, so that I will explain it.

Please help with a solution.

Regards,
Anees
Shailesh Narkhede
Ranch Hand

Joined: Jul 10, 2008
Posts: 368
check following links ,
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html
http://www.informit.com/articles/article.aspx?p=24253&seqNum=5
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html

these may help you.


Thanks,
Shailesh
Nishan Patel
Ranch Hand

Joined: Sep 07, 2008
Posts: 688


Hi,

I think you have to make one filter like login filter which check user session i means check user login or not....

using this you can give or apply this filter to every request...

So, before each request it calls filter and check for user authentication ............


Thanks, Nishan Patel
SCJP 1.5, SCWCD 1.5, OCPJWSD Java Developer,My Blog
anees ahamed
Ranch Hand

Joined: Feb 19, 2008
Posts: 31
Hi,
Below given is a suggestion which I got from one of my friends who work in j2ee. Kindly say whether this is a good approach.


you can save the logged in user_id in the session when logged in by request.getSession().setAttribute("user_id",user_id) then check on this user_id on every init servlet you have or in the jsp or make BasicServlet for you and let all your servlets extends from it and put this check in it and if the request.getSession(false).getAttribute("user_id") == null then throw exception
Nishan Patel
Ranch Hand

Joined: Sep 07, 2008
Posts: 688


Hi,

Yes you can do this in this way ... But in every jsp you have to put that session checking code and that code you can configure into Filter and apply that filter as per your requirement.....

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42371
    
  64
Saving the userID in the session is a good start. You could combine that with a servlet filter that gets applied to all JSPs. Instead of it throwing an exception, it could just redirect to the login page.


Ping & DNS - my free Android networking tools app
anees ahamed
Ranch Hand

Joined: Feb 19, 2008
Posts: 31
Hi,
I use request.getSession(false).getAttribute("user_id") == null to check whether the user is in session.

I have written a filter. I presume that, I should use the above checking in the public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) method of the filter class.


If it is so, ServletRequest request does not have the method getAttribute .

What is the solution for this? Or is it in some other way that I should perform this session checking in the filter?

Please help with soluion.

Regards,
Anees
Nishan Patel
Ranch Hand

Joined: Sep 07, 2008
Posts: 688


Hi,

you can cast your request object of ServletRequest by HttpServletRequest. like....



Now using httpReq object you can access property of HttpServletRequest ............



anees ahamed
Ranch Hand

Joined: Feb 19, 2008
Posts: 31
Nishan,
I did as per your suggestion.
But I get null pointer exception from

httpReq.getSession(false) in doFilter
 
wood burning stoves
 
subject: How to implement authentication for each jsp page