How a JSP page should authenticate

I am new to web programming. I am asking about the general scheme for doing things like authentication. Here is the scenario:

The website has an entry page for visitors. It will receive the username and encrypted password and send them to the server, then either receive an error code (username / password does not match) or an authorization key from the server. When the user has logged in successfully, I want the site to automatically go to the main.jsp page, which presents the main functions of the website.

In this case, I want main.jsp to verify user authentication. That is, I do not want this thing to happen, since the user could directly open www.example.com/main.jsp, and if they did this, I want to redirect them to the login page.

So, how can I pass authentication information on the page and how can I prevent the user from directly accessing main.jsp without logging in? Do I need to use a session or something else?

+7
4 answers

You can try using filters:

The filter can pre-process the request before it reaches the servlet, post-process the response leaving the servlet, or do both. Filters can intercept, check, and modify requests and responses.

NOTE: Be sure to add the session attribute after the user logs in; you can use this session attribute in the filter.

In login.jsp:

    session.setAttribute("LOGIN_USER", user); // user entity if you have one, or the user type of your user account...
    // if not set then LOGIN_USER will be null

web.xml

    <filter>
        <filter-name>SessionCheckFilter</filter-name>
        <filter-class>yourjavapackage.SessionCheckFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SessionCheckFilter</filter-name>
        <!--url-pattern>/app/*</url-pattern-->
        <url-pattern>/main.jsp</url-pattern> <!-- url from where you implement the filtering -->
    </filter-mapping>

SessionCheckFilter.java

    package yourjavapackage;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class SessionCheckFilter implements Filter {

        private String contextPath;

        @Override
        public void init(FilterConfig fc) throws ServletException {
            contextPath = fc.getServletContext().getContextPath();
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            if (req.getSession().getAttribute("LOGIN_USER") == null) { // checks if there is a LOGIN_USER set in session...
                res.sendRedirect(contextPath + "/login.jsp"); // or page where you want to redirect
            } else {
                String userType = (String) req.getSession().getAttribute("LOGIN_USER");
                if (!userType.equals("ADMIN")) { // check if user type is not admin
                    res.sendRedirect(contextPath + "/login.jsp"); // or page where you want to redirect
                    return; // stop here so the protected page is not processed after the redirect
                }
                fc.doFilter(request, response);
            }
        }

        @Override
        public void destroy() {
        }
    }
+14

How a JSP page should authenticate

Do not do it. You should use Container Managed Authentication and define login / security in web.xml via URL patterns.


Added by Glen Best:

E.g., add something like this to web.xml:

    <security-constraint>
        <display-name>GET: Employees Only</display-name>
        <web-resource-collection>
            <web-resource-name>Restricted Get</web-resource-name>
            <url-pattern>/restricted/employee/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Employee</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
+5
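The container-managed approach applied to the question's `/main.jsp`, completed with the login configuration and role declaration the container needs; this is an added example and not part of any answer on the page. The `Employee` role and `/login.jsp` come from the answers, `/login-error.jsp` is a hypothetical page name, and users and their roles are assumed to be defined in the container's realm configuration.

```xml
<!-- Added example: web.xml fragment, Servlet 3.0 or later assumed. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Main page</web-resource-name>
        <url-pattern>/main.jsp</url-pattern>
        <!-- No <http-method> elements here, so the constraint covers every
             HTTP method. A constraint that lists only GET leaves POST, PUT
             and other methods unconstrained for the same URL pattern. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>Employee</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- Require TLS for the protected resource. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- An unauthenticated request for /main.jsp is sent to the login page.
     The form in login.jsp must POST to "j_security_check" with fields
     named "j_username" and "j_password"; the container checks them
     against its realm and then returns the user to the page requested. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page> <!-- hypothetical page -->
    </form-login-config>
</login-config>

<!-- Every role used in an auth-constraint must be declared. -->
<security-role>
    <role-name>Employee</role-name>
</security-role>

<!-- Keep the session id out of URLs and away from page scripts. -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With this in place, `request.getRemoteUser()` in main.jsp returns the authenticated login name, and no code in the page has to check the session itself.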

It also works for me.

    <filter>
        <filter-name>SessionCheckFilter</filter-name>
        <filter-class>yourjavapackage.SessionCheckFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SessionCheckFilter</filter-name>
        <!--url-pattern>/app/*</url-pattern-->
        <url-pattern>/main.jsp</url-pattern> <!-- url from where you implement the filtering -->
    </filter-mapping>

    package yourjavapackage;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class SessionCheckFilter implements Filter {

        private String contextPath;

        @Override
        public void init(FilterConfig fc) throws ServletException {
            contextPath = fc.getServletContext().getContextPath();
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            if (req.getSession().getAttribute("LOGIN_USER") == null) { // checks if there is a LOGIN_USER set in session...
                req.getRequestDispatcher("login.jsp").forward(req, res); // or page where you want to redirect
            } else {
                String userType = (String) req.getSession().getAttribute("LOGIN_USER");
                if (userType.equals("ADMIN")) { // check if user type is admin
                    fc.doFilter(request, response); // it redirected towards main.jsp
                }
                // a logged-in user who is not ADMIN falls through here and receives an empty response
            }
        }

        @Override
        public void destroy() {
        }
    }
0

How about using:

 String username = request.getRemoteUser(); 
-4