
Secure Login and .getRemoteUser

 
Adam Zedan
Ranch Hand
Posts: 124
C++ Fedora Java
Hi, I wanted to ask about user authentication.
Suppose that a user authenticates from page1.jsp and then goes to page 2.
What I want is a simple method in which, if the user types in the URL of page 2 and that user did not authenticate, he is taken to page 1 automatically.

I believe I could accomplish this by setting a variable in the session attribute, and the restricted page will always check for the presence of that variable. However, I wanted to accomplish this using a listener class, but I can't get request.getRemoteUser to work.

Questions:
How can I set a remote user so that when a user successfully logs in, .getRemoteUser would not return null?
Furthermore, in my listener class, how can I get the address of the page that has been requested?

 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64718
86
IntelliJ IDE Java jQuery Mac Mac OS X
How are you authenticating? getRemoteUser() is only applicable if you are using HTTP authentication. If you are rolling your own, you need to make your own facility.
 
Adam Zedan
Bear Bibeault wrote: How are you authenticating? getRemoteUser() is only applicable if you are using HTTP authentication. If you are rolling your own, you need to make your own facility.


Oh okay. Then I guess that does not apply in my case, since I have my own custom authentication method.
I also wanted to know: is it possible to retrieve the address which the user or container wanted to go to?

Suppose I wanted to do something like this in my listener class:
if ("mypage.jsp".equals(page)) {
    // -----
}
if ("...".equals(page)) {
    // Do something else
}

Is this possible?
 
Bear Bibeault
Listener? How is a listener useful in this scenario? For what event are you listening?

And, checking for specific page names is not scalable? Are you going to list every single page name in your application?
 
Adam Zedan
Bear Bibeault wrote: Listener? How is a listener useful in this scenario? For what event are you listening?

And, checking for specific page names is not scalable? Are you going to list every single page name in your application?



Since I have 3 or 4 restricted pages, I was planning to check that if a request was directed towards them, then the listener class would search for a session Boolean variable; if that value was false (that means the user did not log in), the user's request would be directed to another page. That is why I wanted to find out how we could get the name of the page the user actually wants to access.
 
Bear Bibeault
Think about it. What if your app contains hundreds of pages? Is your solution scalable? Is it fragile? I'd try another approach that doesn't depend upon keeping a long list of names (that are subject to change).

And why are you addressing JSPs directly? I know you've read the article on proper use of controllers.
 
Pat Farrell
Rancher
Posts: 4678
7
Linux Mac OS X VI Editor
The usual approach is to have a filter servlet that checks that the user is logged in, and if not, dispatches them to the login screen.

Rather than having a long list of "login required" and "nologin" URLs/jsp/controllers, just use a subdirectory structure, put the public/no-login ones in a public directory, and the rest in a secure directory. The filter can trivially check the URL and you are done.
 
Adam Zedan
Bear Bibeault wrote: Think about it. What if your app contains hundreds of pages? Is your solution scalable? Is it fragile? I'd try another approach that doesn't depend upon keeping a long list of names (that are subject to change).

And why are you addressing JSPs directly? I know you've read the article on proper use of controllers.


@Pat Farrell
Thanks for the suggestion, Bear. I do realize that this approach isn't scalable, maintainable or even feasible. But the webapp that I am currently working on is just a practice app. Though Head First JSP and Servlets did mention filters, they never covered them in detail (I guess you can never cover everything in one book). I really wanted to familiarize myself with filters and use them, so I decided to implement them in this webapp.
However, for authenticating I went ahead with Pat Farrell's approach (Thanks Pat!!).
Oh yeah, to get the URL of the request there is a method in the request object called getRequestURI(); wonder how I missed it. Thanks again for your help, guys.
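
The filter approach Pat Farrell describes, together with the session attribute and getRequestURI() mentioned in the thread, as an added example that is not code from any poster. The attribute names, the /secure/ and /public/ directories, and the class name are assumptions; it targets the javax.servlet API (Servlet 3.0 or later).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: the container applies this filter to every request under
// /secure/ (assumed layout), so no list of page names is kept in code.
@WebFilter("/secure/*")
public class LoginRequiredFilter implements Filter {

    // Hypothetical names; the custom login code must set USER_ATTR on success.
    static final String USER_ATTR = "authenticatedUser";
    static final String TARGET_ATTR = "requestedUri";
    static final String LOGIN_PAGE = "/public/page1.jsp";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): a missing session simply means "not logged in".
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            if ("GET".equals(request.getMethod())) {
                // getRequestURI() is the raw path (context path included, not
                // decoded); it is only remembered here, never used for the
                // access decision, which the url-pattern above already made.
                request.getSession(true)
                       .setAttribute(TARGET_ATTR, request.getRequestURI());
            }
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return; // do not continue down the chain
        }

        // Keep protected pages out of shared and browser caches.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}
```

Because the container matches `/secure/*` itself, the filter never compares page names. The login code should issue a new session ID (for example `request.changeSessionId()` on Servlet 3.1+) before setting the attribute.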
 