I was wondering if someone might help me construct a custom tag handler class that either allows or denies access to a given JSP page? I'll start by showing the code I want to replace in all my JSP pages:
What this code is doing is extracting from the session object the companyID and administratorID. Both of these were placed into the session object when the user logged into the system. As we know, when a session times out, these IDs no longer exist, thus I test for null. If either value is null, then I create HTML markup that instructs the user to log in again.
So, what would be better is a custom tag that I can call just once, like so:
Rather than dropping a bunch of goo in each page (or even a small amount of goo), this sort of thing is much better handled by a servlet filter. You can make the check and if it passes, let the request proceed as normal; if not, forward or redirect to the "access denied" page.
I wouldn't necessarily say that they are "similar" to servlets as that implies that they are used in place of servlets. Rather, they are used to filter a request going into a servlet (or JSP) -- not replacing a servlet.
P.S. You should get yourself a copy of the Servlet Specification and read it cover to cover. It's an easy read and will clue you in on the mechanisms (like Filters) that are available to you as a web app author.
Now, when I launch the browser and try to go to http://localhost:8080/scholastic/Login.jsp, AccessFilter kicks in and since there is no User object in the session object yet, authorized will remain false. The logic continues to the line:
But in the end I wind up with a Page Not Found 404 error. I tried changing the <param-value>/scholastic/Login.jsp</param-value> to just <param-value>/Login.jsp</param-value> but this resulted in an endless loop condition with the Tomcat container. "/scholastic/Login.jsp" is the correct relative URL. So I'm stuck at this point.
[ July 25, 2006: Message edited by: Alan Shiers ]
[ July 25, 2006: Message edited by: Bear Bibeault ]
I don't have time to look at your code in detail, but be sure that you exempt the login page (and any associated pages that do not require authentication) from the authentication check or you'll end up in an infinite loop trying to get to the login page, but being unable to without authentication.
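A sketch of the filter this thread describes, added here as an example and not code posted by anyone in the thread: it checks the session for a User object and lets the login page through unauthenticated. The init-param name `loginPage`, the session attribute key `"User"`, and the choice of a redirect are assumptions; the login path is expressed relative to the context root (`/Login.jsp`), with the context path added only when building the redirect URL.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AccessFilter implements Filter {
    // Context-relative path of the login page, e.g. "/Login.jsp" (no "/scholastic" prefix).
    private String loginPage;

    public void init(FilterConfig config) throws ServletException {
        // "loginPage" is an assumed <init-param> name configured in web.xml.
        loginPage = config.getInitParameter("loginPage");
        if (loginPage == null || !loginPage.startsWith("/")) {
            throw new ServletException("loginPage init-param must start with '/'");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the web app: request URI minus the context path,
        // with any ";jsessionid=..." path parameter stripped.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }

        // Exempt only an exact match on the login page; every other path
        // (including odd encodings of the login path) falls through to the check.
        // The URL the login form posts to needs the same exemption.
        if (path.equals(loginPage)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        boolean authorized = session != null && session.getAttribute("User") != null;
        if (!authorized) {
            // Browser-facing URLs need the context path; the stored path does not.
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + loginPage));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```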