Hi,
I'm fairly new to Java and servlets, etc., but I need to clarify a design issue using the MVC model with JSP, Servlets and Beans.
The Objective
=============
I'm writing a user authentication system that allows a user to use a website without registering. Once registered (as one of 3 types of users), they are allowed more privileged access to certain areas.
My Current Solution
====================
I have an abstract User class and 4 other classes for each of the users that extend the User class. These are:
- Unknown
- Type1
- Type2
- Type3

Unknown is the un-authenticated user.
I've tried to implement this using 1 Controller servlet which accepts a POSTed form from a JSP page to authenticate the user. The servlet creates an instance of UserBean (a bean that deals with the creation of the appropriate user-type class), which is put into the current session.
Once logged in, the user is then redirected to a home page (by the servlet) that is relevant to the current user (e.g. Type2 will go to type2.jsp).
That works with no problems.
The Problem
===========
My problem is that a user who hasn't logged in can just type type2.jsp and access the page.
What I want it to do is deny the user by redirecting them to their appropriate login page (say type2-login.jsp).
I have been using PHP professionally for a while, and this was overcome by simply bunging an 'isLoggedIn and user==type2' check in code within the PHP page, but I want to ensure code and design separation, so I assume that a check in JSP is a no-no. The most logical place seems to be the Servlet that's acting as a Traffic Cop, as someone put it.
But I can't see how this would work because the page can't tell the Servlet to 'kindly, check the user has logged in and is sufficiently privileged, and if not redirect him to an appropriate login page'. Or can it?
Apologies for the long post, but I'm not able to proceed unless I can get a handle on the correct way to do it.
Thanks in advance,
...Andrew
[ March 26, 2002: Message edited by: Andrew Kenny ]
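The check described in the post, placed in front of the JSP rather than inside it, can be done with a servlet Filter (Servlet 2.3 and later). This is an added example, not code from the original post; the session attribute name "user", the `TypedUser` interface and its `getType()` method are assumptions standing in for whatever UserBean actually exposes.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical stand-in for what the session-scoped UserBean exposes.
interface TypedUser {
    String getType(); // assumed to return "Unknown", "Type1", "Type2" or "Type3"
}

// Map one instance per protected area in web.xml, e.g. url-pattern /type2.jsp
// with init-params requiredType=Type2 and loginPage=/type2-login.jsp.
public class UserTypeFilter implements Filter {
    private String requiredType;
    private String loginPage;

    public void init(FilterConfig cfg) throws ServletException {
        requiredType = cfg.getInitParameter("requiredType");
        loginPage = cfg.getInitParameter("loginPage");
        if (requiredType == null || loginPage == null) {
            throw new ServletException("requiredType and loginPage must be set");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session for anonymous visitors.
        HttpSession session = request.getSession(false);
        // "user" is an assumed attribute name for the bean the controller stores.
        Object user = (session == null) ? null : session.getAttribute("user");

        boolean allowed = user instanceof TypedUser
                && requiredType.equals(((TypedUser) user).getType());
        if (!allowed) {
            // Deny by default: no session, no bean, or wrong user type.
            response.sendRedirect(
                    response.encodeRedirectURL(request.getContextPath() + loginPage));
            return; // chain.doFilter is never called, so the JSP is not rendered
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter mapping must not cover the login page itself, otherwise the redirect loops. The same check can also be enforced by moving the JSPs under WEB-INF so they are reachable only through a forward from the controller servlet.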