Secure Login and .getRemoteUser

Adam Zedan
Ranch Hand

Joined: Jun 10, 2011
Posts: 124

Hi, I wanted to ask about user authentication.
Suppose that a user authenticates from page1.jsp and then goes to page 2.
What I want is a simple method in which, if the user types in the URL of page 2 and that user did not authenticate, he is taken to page 1 automatically.

I believe I could accomplish this by setting a variable in the session attribute, and the restricted page will always check for the presence of that variable. However, I wanted to accomplish this using a listener class, but I can't get request.getRemoteUser to work.

Questions:
How can I set a remote user so that when a user successfully logs in, .getRemoteUser would not return null?
Furthermore, in my listener class, how can I get the address of the page that has been requested?


Don’t look where you fall, but where you slipped
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61450
    
  67

How are you authenticating? getRemoteUser() is only applicable if you are using HTTP authentication. If you are rolling your own, you need to make your own facility.

Adam Zedan
Ranch Hand

Joined: Jun 10, 2011
Posts: 124

Bear Bibeault wrote: How are you authenticating? getRemoteUser() is only applicable if you are using HTTP authentication. If you are rolling your own, you need to make your own facility.


Oh okay. Then I guess that does not apply in my case, since I have my own custom authentication method.
I also wanted to know: is it possible to retrieve the address which the user or container wanted to go to?

Suppose I wanted to do something like this in my listener class:
// compare strings with equals(); "=" is assignment in Java
if ("mypage.jsp".equals(page))
{ /* ----- */ }
if ("...".equals(page))
{ /* do something else */ }

Is this possible?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61450
    
  67

Listener? How is a listener useful in this scenario? For what event are you listening?

And, checking for specific page names is not scalable? Are you going to list every single page name in your application?
Adam Zedan
Ranch Hand

Joined: Jun 10, 2011
Posts: 124

Bear Bibeault wrote: Listener? How is a listener useful in this scenario? For what event are you listening?

And, checking for specific page names is not scalable? Are you going to list every single page name in your application?



Since I have 3 or 4 restricted pages, I was planning to check whether a request was directed towards them; the listener class would then search for a session Boolean variable. If that value was false (that means the user did not log in), the user's request would be directed to another page. That is why I wanted to find out how we could get the name of the page the user actually wants to access.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61450
    
  67

Think about it. What if your app contains hundreds of pages? Is your solution scalable? Is it fragile? I'd try another approach that doesn't depend upon keeping a long list of names (that are subject to change).

And why are you addressing JSPs directly? I know you've read the article on proper use of controllers.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

The usual approach is to have a filter servlet that checks that the user is logged in, and if not, dispatches them to the login screen.

Rather than having a long list of "login required" and "nologin" URLs/jsp/controllers, just use a subdirectory structure, put the public/no-login ones in a public directory, and the rest in a secure directory. The filter can trivially check the URL and you are done.
Adam Zedan
Ranch Hand

Joined: Jun 10, 2011
Posts: 124

Bear Bibeault wrote: Think about it. What if your app contains hundreds of pages? Is your solution scalable? Is it fragile? I'd try another approach that doesn't depend upon keeping a long list of names (that are subject to change).

And why are you addressing JSPs directly? I know you've read the article on proper use of controllers.


@Pat Farrell
Thanks for the suggestion, Bear. I do realize that this approach isn't scalable, maintainable or even feasible, but the webapp that I am currently working on is just a practice app. Head First JSP and Servlets did mention filters, but they never covered them in detail (I guess you can never cover everything in one book). I really wanted to familiarize myself with filters and use them, so I decided to implement them in this webapp.
However, for authenticating I went ahead with Pat Farrell's approach (Thanks Pat!!).
Oh yeah, to get the URL of the request there is a method in the request object called getRequestURI(). Wonder how I missed it. Thanks again for your help, guys.