Overriding the JSP servlet (filter "*.jsp") to migrate to the authentication model

Can the JSP servlet that filters on *.jsp (org.apache.jasper.servlet.JspServlet in Tomcat 6) somehow be extended, so that whenever someone goes to a JSP page, I can do some server-side authentication checking to verify that the user can view the page? Our current method is a taglib in a common include, which is imported into every JSP page, but it is not very elegant.

The key point here is that I don’t want to reinvent the wheel and worry about compiling JSPs into servlets; I would ideally like to delegate in each method using super.meth().

I searched Google but don’t know how to use keywords correctly. Everything that contains JSP and Servlet returns beginner tutorials.

Thanks,

John

+1
4 answers

Take a look at Servlet Filters and use this filter before forwarding to any JSP or servlet.

+3

If you do not use the Java EE support provided by the container, then it is common practice to keep the logged-in User in the session scope and use a Filter on the desired url-pattern to check whether the User is logged in.

Here is a basic example to get the picture:

Login:

    User user = userDAO.find(username, password);
    if (user != null) {
        session.setAttribute("user", user);
    } else {
        // Do your thing to show "Unknown login" error.
    }

Filter (which is mapped on a url-pattern, for example /secured/*, /protected/*, etc., where you put pages with restricted JSPs on the login page):

    // getAttribute() returns Object, so a cast is needed.
    User user = (User) session.getAttribute("user");
    if (user != null) {
        chain.doFilter(request, response); // Logged in, so continue with request.
    } else {
        response.sendRedirect("login"); // Not logged in, redirect to login page.
    }

Logout:

    session.removeAttribute("user");

    // Or, a bit too drastically:
    session.invalidate();

Of course, you can also take advantage of what Java EE provides out of the box with regard to security. A commonly used method is declarative container-managed security, in which you can specify users and roles. You just need to declare <security-constraint> and <login-config> in web.xml and configure the user realm on the application server. The details depend on the application server used, but if it is, for example, Tomcat 6.0, you can find some documentation about it here.

+3

If basic auth is not enough, Spring Security may be better. This is natural, especially if you are already using Spring. One big advantage is that it is declarative, so you can easily protect URLs by simply adding them to your security configuration.

Doing this through inheritance will be fragile and will require a code change every time you change your security. Better to have security as a cross-cutting issue.

+2

Can't you create another filter and put it over the JspServlet? This filter will check your security materials and do some processing (for example, redirecting to the login page) if something is wrong.

+1
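
The filter approach suggested in the answers above (a session check placed in front of the JspServlet), written out as a complete Servlet 2.5 filter for Tomcat 6. This is an added example, not code from any of the answers; the class name `JspAuthFilter`, the `/login.jsp` path and the `"user"` session key are assumptions.

```java
// Added example: JspAuthFilter, LOGIN_PAGE and the "user" session key are
// illustrative assumptions, not names taken from the original posts.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class JspAuthFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed path

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page itself must pass, otherwise the redirect below loops.
        if (LOGIN_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): do not create a session just to find it empty.
        HttpSession session = request.getSession(false);
        Object user = (session != null) ? session.getAttribute("user") : null;
        if (user == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        // Keep restricted pages out of caches (back button after logout).
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }
}

/* web.xml: FORWARD is listed so JSPs reached via RequestDispatcher are checked too.
<filter>
  <filter-name>jspAuth</filter-name>
  <filter-class>JspAuthFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>jspAuth</filter-name>
  <url-pattern>*.jsp</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
*/
```

Without the `<dispatcher>` elements a filter mapping applies only to direct client requests, so a JSP reached through a servlet forward would bypass the check.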

Source: https://habr.com/ru/post/1314095/

