Hi everybody, I am Chaitanya. I am using sessions to restrict access to a page if the user has not signed in. Once he signs in, he can call the particular page.
Now I have two users, with different roles for each. One is the administrator, the other is an ordinary user. The administrator can create a new user by requesting the new_user.jsp page.
The page looks somewhat like this
Once the admin or ordinary user logs in, the loginSucess session attribute will be holding the user ID. So whoever calls this page, they can create a new user.
The ordinary user should not be able to access this page.
So my idea is to create two different session attributes, adminSession for admin and userSession for user.
This time if the ordinary user sends a request for this page he can't access it.
Otherwise I am having another idea. In this case there will be a single session which stores the user ID and the new_user.jsp page is placed in the WEB-INF folder. Then the user requests a servlet first. The servlet will decide whether the user has administrative privileges or not by connecting to the database. If the user has admin privileges the page is served, otherwise no.
But in the second alternative, I don't know how to serve web pages from the WEB-INF folder.
Is this the right way? Can I do it like this? Or is there another method to do this?
If the only variable is whether the user is an admin or not, simply record that info along with whatever you are using in the session to store the info for the logged-in user. There's no need to over-complicate matters.
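An added example, not part of the original thread: a servlet that combines the reply's suggestion (keep the role in the session) with the question's second idea (keep new_user.jsp under WEB-INF and forward to it). It assumes the `javax.servlet` API; the `isAdmin` attribute, the `/admin/new-user` mapping and `login.jsp` are hypothetical names, while `loginSucess` and `new_user.jsp` are taken from the question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical URL mapping. The JSP cannot be requested directly,
// because the container refuses client requests for paths under /WEB-INF.
@WebServlet("/admin/new-user")
public class NewUserPageServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): do not create a session for anonymous visitors.
        HttpSession session = req.getSession(false);

        // "loginSucess" is the attribute from the question (holds the user ID).
        if (session == null || session.getAttribute("loginSucess") == null) {
            // Hypothetical login page.
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }

        // "isAdmin" is an assumed attribute: set once at login from the role
        // stored in the database, never from a request parameter.
        if (!Boolean.TRUE.equals(session.getAttribute("isAdmin"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Keep the admin page out of shared and browser caches.
        resp.setHeader("Cache-Control", "no-store");

        // Server-side forward: the browser never sees the /WEB-INF path.
        req.getRequestDispatcher("/WEB-INF/new_user.jsp").forward(req, resp);
    }
}
```

The servlet that processes the submitted form needs the same two checks, since hiding the page alone does not stop an ordinary user from posting to the create-user URL directly.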