Restrict accessing servlet pages directly - java

I have created a simple login page which in turn redirects to the list of file contents. I have three separate servlets: LoginServlet, LogoutServlet and FileUploadServlet, where the Login and Logout servlets redirect to the main page, but the FileUploadServlet displays the page with the two text fields along with a file upload. When the user types the URL with the FileUploadServlet name directly, the page loads without logging in. How can I restrict access to this? Please help me.

You could use AuthenticationFilters in web.xml. Please add a filter and write a method to authenticate every request, checking whether it is valid or not.
The session attributes can be used for validation. For example, during login the session attributes can be set if the credentials are valid, so when the next request is made the session attributes are sent along with the request and can be used for authenticating it. If the request doesn't have that session attribute, you could just scrap that request.
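The filter the answer describes, as an added example that is not the answerer's code. It assumes Servlet 3.1, a LoginServlet mapped at /login, the FileUploadServlet mapped under /upload/*, and a session attribute named "authUser" (all names chosen here); the in-memory DEMO_USERS map is a constructed stand-in for a real user store. The filter is mapped only to the upload path, so the login and logout servlets stay reachable without a session, and the login servlet rotates the session id before marking the session as authenticated.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped to the upload servlet's path only. Equivalent web.xml entry:
//   <filter-mapping><filter-name>AuthenticationFilter</filter-name>
//                   <url-pattern>/upload/*</url-pattern></filter-mapping>
@WebFilter(urlPatterns = {"/upload/*"})
public class AuthenticationFilter implements Filter {

    // Name of the session attribute LoginServlet sets after a successful login (assumed name).
    public static final String USER_ATTRIBUTE = "authUser";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so probing a protected URL
        // does not hand an anonymous client a fresh session.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTRIBUTE) != null;

        if (!loggedIn) {
            // Stop here: FileUploadServlet never sees the request.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}

// Kept in the same file for the example; it would normally be LoginServlet.java.
@WebServlet("/login")
class LoginServlet extends HttpServlet {

    // Constructed demo store (username -> password). A real store holds password
    // hashes and is queried through the application's own user repository.
    private static final Map<String, String> DEMO_USERS = Map.of("alice", "correct horse");

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (!credentialsValid(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Create the session only now, then rotate its id (Servlet 3.1) so an id the
        // browser held before authentication is not carried into the logged-in session.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setAttribute(AuthenticationFilter.USER_ATTRIBUTE, username);
        response.sendRedirect(request.getContextPath() + "/upload/");
    }

    private static boolean credentialsValid(String username, String password) {
        if (username == null || password == null) return false;
        String expected = DEMO_USERS.get(username);
        if (expected == null) return false;
        // Constant-time comparison so response timing does not depend on how much matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }
}
```

The LogoutServlet's counterpart is session.invalidate(), after which the attribute is gone and the filter redirects again. Filters registered this way only run for the REQUEST dispatcher, so a RequestDispatcher.forward() from the login servlet into /upload/ is not re-checked; that is usually what you want, but it means the check must not be bypassed by an unauthenticated forward elsewhere in the application.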

Related

Spring Security: Check whether URL is allowed for User via Java code

The case is: after logout the user has to be redirected to the page he was on. But in case the page cannot be accessed anonymously (because of the Spring Security intercept-url config), the user has to be redirected to another specific URL (e.g. the homepage).
I can get the redirectUrl in LogoutSuccessHandler. After this I want to check whether this URL can be accessed by an anonymous user. If not, redirect the user to the homepage.
So the question is: how can I check via Java whether a specific URL can be accessed by an anonymous user?

Access to a static HTML page using servlet sessions

I'm trying to set up access to a static HTML page; let's call it search.html.
I understand I can use cookies for this task, but is it possible with servlet sessions?
What options are there so access is only provided once a user is logged in? I have a login servlet that forwards to search.html; however, I only want this to be accessed once a user is logged in and a session is created.
Thanks
When the user logs in you store something in the Session indicating that. This can be as simple as a boolean flag or a full User object with roles etc. Then you write a filter which checks the presence of this flag or the roles of the user etc. Depending on the outcome you either let the request through or deny it with 403 Forbidden. Filters can be configured to paths in the web.xml.
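The "full User object with roles" variant of the answer, as an added example rather than the answerer's code. It assumes a login servlet at /login, the session attribute name "user" and a role named "SEARCH" (all chosen here). The point it shows is the two different outcomes the answer mentions: an anonymous visitor is sent to the login servlet, while a logged-in user who lacks the role gets 403 Forbidden, and the static file is only served by the container's default servlet when the filter lets the request through.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// The object the login servlet stores in the session. Serializable because
// containers may persist or replicate sessions.
public class User implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;
    private final Set<String> roles;

    public User(String name, Set<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
    }

    public String getName() { return name; }

    public boolean hasRole(String role) { return roles.contains(role); }

    // Called by the login servlet once the credentials have been verified.
    public static void storeInSession(HttpSession session, User user) {
        session.setAttribute(SearchPageFilter.USER_ATTRIBUTE, user);
    }
}

// Filters apply to static files too: the default servlet serves search.html
// only if this filter calls chain.doFilter().
@WebFilter(urlPatterns = {"/search.html"})
class SearchPageFilter implements Filter {
    static final String USER_ATTRIBUTE = "user";      // assumed attribute name
    static final String REQUIRED_ROLE = "SEARCH";     // hypothetical role name

    @Override public void init(FilterConfig filterConfig) throws ServletException { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);   // never create one here
        Object attribute = session == null ? null : session.getAttribute(USER_ATTRIBUTE);

        if (!(attribute instanceof User)) {
            // Not logged in: an authentication problem, so send the visitor to the login servlet.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        if (!((User) attribute).hasRole(REQUIRED_ROLE)) {
            // Logged in but not allowed: an authorization problem, so 403 rather than a redirect.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The instanceof check rather than a plain null test matters when the attribute name is shared with other code: a stale or differently typed value in the session is treated as "not logged in" instead of causing a ClassCastException inside the filter.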

Filter for checking session existence

I am developing a web application in Struts. I have a requirement that I have to check that a session exists for the user. If the user session exists then the user can access the resource, so I need to check session variable existence before accessing every JSP page.
For that I make use of a filter where I check for the session variable existence. But when I use the filter, every request is routed to that filter, even the login page request. The login page doesn't need the filter check applied; what should I do for this?
This is a typical session filter use case. For the login page request not to be filtered, you need to have a different URL for the login page which will be excluded in the URL mapping for the filter.
OR
In the filter itself, you can check what the requested URL is; if it's the login page, then don't check for the session. But I would recommend the earlier approach because it rightly addresses the Separation of Concerns philosophy.
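Both options from the answer side by side, as an added example that is not the answerer's code. The web.xml mapping for the recommended option is given in the comment; the code body implements the second option with an exact-match allow-list of public paths. It assumes a Struts login action at /login.do, a login JSP at /login.jsp, a stylesheet at /css/login.css and a session attribute named "user" (all chosen here). The path is built from getServletPath() and getPathInfo() rather than the raw request URI, and matched exactly rather than by substring, because the exclusion list is effectively part of the access control.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Registered in web.xml; the mapping decides which option you are using.
//
//   Recommended option: map the filter away from the login URL, e.g.
//     <filter-mapping><filter-name>SessionCheckFilter</filter-name>
//                     <url-pattern>/app/*</url-pattern></filter-mapping>
//     with the login action living outside /app/ (here /login.do). PUBLIC_PATHS
//     is then never consulted because the login request never reaches the filter.
//
//   Second option: map it to /* and let the filter skip the public paths below.
public class SessionCheckFilter implements Filter {

    static final String USER_ATTRIBUTE = "user";   // set by the login action (assumed name)

    // Public paths for the second option. The static files the login page needs
    // belong here as well, otherwise the filter redirects the stylesheet request too.
    private static final Set<String> PUBLIC_PATHS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("/login.do", "/login.jsp", "/css/login.css")));

    // Path within the web application: servlet path plus path info. getRequestURI()
    // would include the context path and is not normalised by the container.
    static String applicationPath(HttpServletRequest request) {
        String path = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return pathInfo == null ? path : path + pathInfo;
    }

    // Exact match only. A substring test such as uri.contains("login") would also
    // skip the session check for an unrelated page like /app/login-history.do.
    static boolean isPublic(String applicationPath) {
        return PUBLIC_PATHS.contains(applicationPath);
    }

    @Override public void init(FilterConfig filterConfig) throws ServletException { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isPublic(applicationPath(request))) {
            chain.doFilter(req, res);        // login page: no session required
            return;
        }

        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTRIBUTE) == null) {
            response.sendRedirect(request.getContextPath() + "/login.do");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because /login.do is in the allow-list, the redirect for an anonymous request cannot loop. If the login action forwards to a JSP with RequestDispatcher.forward(), the filter does not run again for that forward unless its mapping also declares the FORWARD dispatcher.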

Wicket auth-role : inject external user credential from JSP

I am doing an incremental JSP --> Wicket migration. I have kept the JSP application and am doing a page by page migration. I can go to and return from JSP <--> Wicket pages. But my problem is that in JSP my logged-in user credentials are stored in a bean (UserBean, scope: session) and in JSP on each page I check the logged-in user from that bean.
But how can I get this information in Wicket, so that if a user is logged in from my JSP page, on Wicket page load it can read that and set the user info so that my Wicket login page does not come up?
My Wicket page uses wicket-auth-role and checks with:
@AuthorizeInstantiation("ADMIN") public class HomePage extends BasePage {.....}
I have my own UserDetailsService and MyAuthenticationWebSession in Wicket.
After some attempts and help from Don Roby, here I got userID from session in wicket:
final RequestCycle requestCycle = RequestCycle.get();
WebRequest wr=(WebRequest)requestCycle.getRequest();
HttpServletRequest hsr= wr.getHttpServletRequest();
AuthenticatedWebSession session = OrbitWebSession.get();
String username = (String)hsr.getSession().getAttribute("SessionUser");
Now, exactly where can I set the username and password and call authenticate so that my page does not redirect to the login page? Who calls the authenticate() methods and how? I have tried the onBeforeRender() method on my secured page, but it does not work. :(
More code specifically around the login process might help us make a more complete answer, but basically you have to get access to the normal servlet container session and thus to that bean from somewhere in wicket. Likely the best place to put that logic is somewhere in your MyAuthenticationWebSession, so that it knows the user is logged in.
To get at the servlet container session from wicket code, you can use
httpSession = ((WebRequest)request).getHttpServletRequest().getSession();
If at the point you're putting this in your wicket code you don't already have this WebRequest object (which is likely a ServletWebRequest object), you can get it from the RequestCycle:
RequestCycle requestCycle = RequestCycle.get();
Request request = requestCycle.getRequest();
authenticate is called by AuthenticatedWebSession during the login process. Unfortunately for you, most methods in the aforementioned class are marked final so it's a bit hard to customize.
What I think you should be able to do is to use the protected method signIn(boolean value) in the constructor of your own session. You get a Request there, from that you should hopefully be able to get your "SessionUser", then extract your User via your UserDetailsService, call signIn(true) and initialize the correct roles for that user. If signIn(true) is called, you shouldn't get a redirect to login.
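The approach the answer suggests (sign in from the session constructor), written out as an added example; it is neither the asker's nor the answerer's code. It assumes the Wicket 1.4 API the question uses (WebRequest.getHttpServletRequest(), a public authenticate()), the "SessionUser" attribute from the question holding the username, and two hypothetical application interfaces, UserDetailsService and UserDetails, standing in for the asker's own service; the locator class is also a construct of this example, needed because AuthenticatedWebApplication creates the session through its (Request) constructor.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.protocol.http.WebRequest;

// Hypothetical application interfaces, constructed for this example.
interface UserDetails {
    String[] getRoles();
    boolean checkPassword(String password);
}

interface UserDetailsService {
    UserDetails loadUserByUsername(String username);   // null when the user is unknown
}

// Hypothetical locator so the session can reach the service without a constructor
// argument; set it once at application start.
final class UserDetailsServiceLocator {
    private static volatile UserDetailsService service;
    static void set(UserDetailsService s) { service = s; }
    static UserDetailsService get() { return service; }
}

public class MyAuthenticationWebSession extends AuthenticatedWebSession {

    private Roles roles = new Roles();   // empty until someone signs in

    public MyAuthenticationWebSession(Request request) {
        super(request);
        adoptJspLogin(request);
    }

    // If the JSP side already authenticated this browser, sign the Wicket session in
    // so @AuthorizeInstantiation pages render without the Wicket login page. The
    // attribute is server-side session state written by the JSP login, not a request
    // parameter, which is why it can be trusted here.
    private void adoptJspLogin(Request request) {
        HttpServletRequest hsr = ((WebRequest) request).getHttpServletRequest();
        HttpSession httpSession = hsr.getSession(false);     // do not create a session just to look
        if (httpSession == null) {
            return;
        }
        Object username = httpSession.getAttribute("SessionUser");
        if (!(username instanceof String)) {
            return;
        }
        UserDetails user = UserDetailsServiceLocator.get().loadUserByUsername((String) username);
        if (user == null) {
            return;                                          // JSP session names a user we no longer know
        }
        roles = new Roles(user.getRoles());
        signIn(true);                                        // protected final in AuthenticatedWebSession
    }

    // Called by AuthenticatedWebSession.signIn(username, password), i.e. by the
    // Wicket login form. Unused for users adopted from the JSP session.
    @Override
    public boolean authenticate(String username, String password) {
        UserDetails user = UserDetailsServiceLocator.get().loadUserByUsername(username);
        if (user == null || !user.checkPassword(password)) {
            return false;
        }
        roles = new Roles(user.getRoles());
        return true;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? roles : null;
    }
}
```

With this in place nothing needs to be done in onBeforeRender(): the role check that @AuthorizeInstantiation("ADMIN") performs asks the session for getRoles(), and the session was already signed in when Wicket created it. The reverse direction (a Wicket logout should also clear "SessionUser", and vice versa) is a separate concern, otherwise one side stays logged in after the other has logged out.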

A new HttpSession for each request?

I've always taken for granted the JSESSIONID cookie created for every fresh request for a given client when developing applications using the servlet specification. But after giving it a bit of thought, isn't it more logical for the servlet container to create a cookie header only after the session has been requested and created in code? For clients who have their cookies disabled, won't it end up creating a new HttpSession for each request made?
Please let me know if the question is still unclear so I can edit it. TIA.
A new Session will not be created by the Servlet container by default unless the Servlet actually creates it explicitly. Just because a JSESSIONID is being populated in the header does not mean that there has to be a session on the server. An exception to this is in JSPs, which by default create a Session if one is not there unless <%@ page session="false" %> is set.
As far as not having cookies turned on:
A web container can use several methods to associate a session with a user, all of which involve passing an identifier between the client and the server. The identifier can be maintained on the client as a cookie, or the web component can include the identifier in every URL that is returned to the client.
If your application uses session objects, you must ensure that session tracking is enabled by having the application rewrite URLs whenever the client turns off cookies. You do this by calling the response's encodeURL(URL) method on all URLs returned by a servlet. This method includes the session ID in the URL only if cookies are disabled; otherwise, it returns the URL unchanged.
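An added example, not the answerer's code, that puts the two points of the answer into one servlet: a session is created only where the code asks for one (getSession(false) elsewhere returns null instead of creating state for anonymous or cookie-less visitors), and the links and redirects it emits go through encodeURL/encodeRedirectURL so a cookie-less client keeps its session. It assumes Servlet 3.0, a login servlet at /login and an /account/settings page (both chosen here). The listener at the end is the opposite choice, restricting tracking to cookies.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/account")
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) returns null for a visitor without a valid session and
        // creates nothing, so unauthenticated requests cost no server-side state.
        HttpSession session = request.getSession(false);
        if (session == null) {
            // The redirect target must be rewritten as well; encodeRedirectURL is the
            // counterpart of encodeURL for this purpose.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/login"));
            return;
        }

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // encodeURL appends ;jsessionid=... only when the session id did not arrive in a
        // cookie; with cookies enabled the link comes back unchanged.
        String settingsLink = response.encodeURL(request.getContextPath() + "/account/settings");

        out.println("<p>Session " + (session.isNew() ? "created during this request" : "resumed")
                + "; id arrived in a cookie: " + request.isRequestedSessionIdFromCookie() + "</p>");
        out.println("<a href=\"" + settingsLink + "\">Settings</a>");
    }
}

// Opposite choice: forbid URL rewriting altogether. A session id carried in the URL
// ends up in proxy and server logs, browser history and Referer headers, so many
// deployments prefer losing cookie-less clients. Equivalent web.xml (Servlet 3.0):
//   <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
@WebListener
class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        event.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) { }
}
```

Any JSP on the same site that should not create sessions for anonymous visitors needs the <%@ page session="false" %> directive the answer mentions, since the JSP default is getSession(true).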
