• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Tim Cooke
  • Devaka Cooray
Sheriffs:
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Piet Souris
  • Mikalai Zaikin
Bartenders:
  • Carey Brown
  • Roland Mueller

MVC, JSP/Servlet/Bean Design Issue

 
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,
I'm fairly new to Java and servlets, etc., but I need to clarify a design issue using the MVC model with JSP, Servlets and Beans.
The Objective
=============
I'm writing a user authentication system that allows a user to use a website without registering. Once registered (as one of 3 types of users), they are allowed more privileged access to certain areas.
My Current Solution
====================
I have an abstract User class and 4 other classes for each of the users that extend the User class. These are:
  • Unknown
  • Type1
  • Type2
  • Type3


  • Unknown is the un-authenticated user.
    I've tried to implement this using 1 Controller servlet which accepts a POSTed form from a JSP page to authenticate the user. The servlet creates an instance of UserBean (a bean that deals with the creation of the appropriate user-type class), and is put into the current session.
    Once logged in, the user is then redirected to a home page (by the servlet) that is relevant to the current user (eg Type2 will go to type2.jsp)
    That works with no problems.
    The Problem
    ===========
    My problem is that a user who hasn't logged in can just type type2.jsp and access the page.
    What I want it to do is deny the user by redirecting them to their appropriate login page (say type2-login.jsp).
    I have been using PHP professionally for a while, and this was overcome by simply bunging an 'isLoggedIn and user==type2' check in code within the PHP page, but I want to ensure code and design separation, so I assume that a check in JSP is a no-no, the most logical place seems to be the Servlet that's acting as a Traffic Cop as someone put it.
    But I can't see how this would work because the page can't tell the Servlet to 'kindly, check the user has logged in and is sufficiently privileged, and if not redirect him to an appropriate login page'. Or can it?
    Apologies for the long post, but I'm not able to proceed unless I can get a handle on the correct way to do it.
    Thanks in advance,
    ...Andrew
    [ March 26, 2002: Message edited by: Andrew Kenny ]
     
    Ranch Hand
    Posts: 2166
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    The "core j2ee Patterns"-book proposes a simple, pragmatic solution to your problem.
    Just put the jsps, which only should be accessed via MVC-forwarding from Controller, in the WEB-INF directory. You may create an extra folder (I use WEB-INF/jsp/.
    All files under the WEB-INF can't be accessed directly.
    I havent tried, but I think a 404 Error is returned (correct me if I am wrong, to late for testing), when users are trying to access those pages directly. You can then redirect all 404 errors to the login page via deployment descriptor.
    regards
    Axel
    Axel
    [ March 26, 2002: Message edited by: Axel Janssen ]
     
    Andrew Kenny
    Greenhorn
    Posts: 3
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    Axel,
    thanks for the reply, but the solution you suggest wouldn't be acceptable. It needs to redirect the user, rather than display an error page.
    Also, it's more of a design solution I'm after, as I know I'll encounter similar situations as I continue writing the application.
    I'll make a note of the idea though, as I'm sure it'll come in handy
    Thanks,
    ...Andrew
     
    Greenhorn
    Posts: 26
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    You can create a custom JSP Tag library which verifies if the user is allowed access to the jsp page. The Tag code will check the User Object type and see if the current page is accesible by the user. Such mappings can exist in a properties file. If you do not with to use property files then pass as parameters to the tag all user object types that should be allowed access to that page. The tag body when executed will redirect the user to an "Access Denied" page if the user is not allowed access to the page.
    Your tag body can be some like this.
    <security:accesscontrol />
    Here your tag code will have to refer a properties file to check if the current User object in the session has access to this page.
    <security:accesscontrol users="com.something.Type1 com.something.Type2" />
    In this case your Tag code will simply validate if the current User Object is of one of the types specified.
    Hope this helps
    Parag
     
    Andrew Kenny
    Greenhorn
    Posts: 3
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    It's a decent solution, but not really what I'm after.
    There must be a standard way of doing this sort of thing, whether it's for authentication, or some other task.
    Basically, I want to hide away the logic for the authentication in a class or a servlet so the JSP pages contain the least amount of code (or none).
    Thanks,
    ...Andrew
     
    Ranch Hand
    Posts: 130
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator

    Originally posted by Andrew Kenny:
    [QB]Hi,
    HI,
    whenever u r checking the users login.. that time, if the user is valid place that username in a Session.. and in each page check whether Session is null or not.. like..
    if(session.getValue(user)==null)
    {
    response.sendRedirect("index.html");
    }
    Thanks and regards,
    Pranit..

     
    Parag Shah
    Greenhorn
    Posts: 26
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    Its possible to keep minimum code in the JSP. You must ensure that JSP pages are not refferenced directly, but are always forwarded or redirected to by a controller servlet The client GET/PUT request always goes to a controller servlet which will do the preliminary authentication/access control and pass on control to the JSP only if the criteria are met, if not the user is redirected to some error page ("access denied" maybe).
    There are some libraries/frameworks which take care of access control. Jakarta Turbine is one of them (http://jakarta.apache.org/turbine). You may also want to check out JAAS (Java Authentication and Access Control Standard) from sun. There are also some papers on the net for standard ways to implement security... but I cant seem to remember where I saw them.
    Parag
     
    Ranch Hand
    Posts: 48
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    Maybe you could use J2EE security to do as you wish. For example, put the pages associated to each type of user into a dedicated directory for that type. For example,
    /unknown
    /type1
    ...
    /type3
    Then put security constraints on each directory.
    Please something like this in your web.xml
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>type-1</web-resource-name>
    <url-pattern>/type1/*.jsp</url-pattern>
    <description>Type 1 users</description>
    </web-resource-collection>
    <auth-constraint>
    <role-name>USER_TYPE1</role-name>
    </auth-constraint>
    </security-constraint>
    You would have a role for each user type. The roles and users are implemented using J2EE security. How this is actually achieved depends on which JSP container you're using.
    When a user is registered, they are assigned to a role. Their role determines which directory they have access to. The container manages this for you. If you want to programmatically check, you can use the isUserInRole() method in the HttpServletRequest class to determine if a user is in a particualr role.
    Hope this helps ...
     
    All that thinking. Doesn't it hurt? What do you think about this tiny ad?
    We need your help - Coderanch server fundraiser
    https://coderanch.com/wiki/782867/Coderanch-server-fundraiser
    reply
      Bookmark Topic Watch Topic
    • New Topic