HttpServletRequest equivalent on html page

Kevin Kilbane
Ranch Hand

Joined: Sep 22, 2008
Posts: 42
Hi, this question isn't directly related to servlets so apologies if it is in the wrong forum but I thought this would be the best place to get an answer.

I'm working on an application running on Tomcat where the front-end is rendered through a mixture of java servlets and static html pages. Up to now, this application hasn't implemented any kind of session management which meant a user could bypass the login page and open any page in the application once he knew the correct url. I've now implemented session management in all the servlets which means a user will be forwarded to the login page if they try to access the servlet without having logged in.

I do this by creating a session on the web server in the login servlet using this code:



and I validate it by calling some common code at the beginning of each servlet that includes this code:



That's fine for the servlets. My question is this - is there an equivalent I can do in the static html files - do I have any access to the session or the request in the html file? If not, is there something else I can do to stop a user opening these pages without having logged in first?

Thanks in advance.
Kevin Kilbane
Ranch Hand

Joined: Sep 22, 2008
Posts: 42
sorry, my code tags don't seem to have worked!
ramprasad madathil
Ranch Hand

Joined: Jan 24, 2005
Posts: 489

I validate it by calling some common code at the beginning of each servlet that includes this code:


I would recommend you do this common validation in a servlet filter. That is exactly what filters are for.

That would solve the other problem too that you have - protecting html pages. All you would have to do is to route all requests (except the one for the login servlet of course) via the filter. You would use filter mappings to achieve that. Example usage is there in the link posted above.

cheers,
ram.
Kevin Kilbane
Ranch Hand

Joined: Sep 22, 2008
Posts: 42
That sounds like what I'm looking for alright, thanks.

Although it would be good if I could apply the filter across the board by specifying <url-pattern>/*</url-pattern> in the filter mapping and then using another tag to exclude the login servlet from it but it doesn't look like I can do this. There is no exclude tag - is that right?
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Kevin Kilbane wrote:sorry, my code tags don't seem to have worked!

Disable BB Code in this message had been checked. I'll look into it.
ramprasad madathil
Ranch Hand

Joined: Jan 24, 2005
Posts: 489

Although it would be good if I could apply the filter across the board by specifying <url-pattern>/*</url-pattern> in the filter mapping and then using another tag to exclude the login servlet from it but it doesn't look like I can do this. There is no exclude tag - is that right?


Not directly out of the box, but there's one way you could do that though it would mean some custom coding in your filter.
Map your filter to /* or *.* and then add an init parameter to your filter specifying something like an exclude pattern which can be the url of your LoginServlet.
In your filter, check if the incoming url (request.getRequestURI()) matches the url specified in the init param and if it does, just allow it through. Else you apply your validation check.

Does that help?

ram.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16160
    

Personally, I think that cobbling together Do-it-Yourself security systems is a bad idea, and your initial problem - and the contortions you're attempting to avoid it - are among the reasons why I do:

http://www.mousetech.com/blog/?p=11

However, if you must, just put code in the filter to detect the URL of the login servlet. If it's a match, you don't execute the security code, just pop straight through to the servlet.


Customer surveys are for companies who didn't pay proper attention to begin with.
Kevin Kilbane
Ranch Hand

Joined: Sep 22, 2008
Posts: 42
got that working (using the cobbled-together approach) - thanks for your help

here's what I did just in case anyone has a similar query:

Project's web.xml :



BlahSessionFilter.java :



 
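The approach discussed in this thread (a filter mapped to /*, the login URL let through, every other request checked for a logged-in session), as an added example that is not code from any poster here. The class name, the `excludePaths` init-param, the `authenticatedUser` session attribute and `/login.html` are assumptions.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Assumed web.xml: filter mapped to <url-pattern>/*</url-pattern>
// with <init-param> excludePaths = /login,/login.html
public class SessionCheckFilter implements Filter {
    // Hypothetical attribute name; the login servlet must set it after authenticating.
    private static final String USER_ATTR = "authenticatedUser";
    private final Set<String> excluded = new HashSet<String>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String param = cfg.getInitParameter("excludePaths"); // hypothetical init-param
        // Fail at startup: with nothing excluded, the login page itself would redirect forever.
        if (param == null) throw new ServletException("excludePaths init-param is required");
        for (String p : param.split(",")) {
            if (!p.trim().isEmpty()) excluded.add(p.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() is the raw URI and includes the context path, so match
        // on the decoded, context-relative path the container dispatches on.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        // Exact match only: a prefix or "contains" test would let other URLs
        // that merely mention the login path skip the check.
        boolean open = excluded.contains(path);

        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (open || loggedIn) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + "/login.html"); // assumed page
        }
    }
    @Override public void destroy() { }
}
```

Any stylesheet or image the login page loads has to be listed in `excludePaths` as well, or it will be redirected like every other unauthenticated request.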