I'm trying to set up access to a static HTML page - let's call it search.html.
I understand I can use cookies for this task, but is it possible with servlet sessions?
What options are there so access is only provided once a user is logged in? I have a login servlet that forwards to search.html; however, I only want this to be accessible once a user is logged in and a session has been created.
Thanks
When the user logs in you store something in the session indicating that. This can be as simple as a boolean flag or a full User object with roles etc. Then you write a filter which checks the presence of this flag or the roles of the user etc. Depending on the outcome you either let the request through or deny it with 403 Forbidden. Filters can be mapped to paths in web.xml.
Related
I have created a simple login page which in turn redirects to the list of file contents. I have three separate servlets: LoginServlet, LogoutServlet and FileUploadServlet. The LoginServlet and LogoutServlet redirect to the main page, but the FileUploadServlet displays the page with the two text fields along with a file upload. When the user types the URL with the FileUploadServlet name directly, the page loads without logging in. How can I restrict access to this? Please help me.
You could use authentication filters in web.xml. Add a filter and write a method that checks every request to see whether it is valid or not.
Session attributes can be used for validation. For example, during login the session attributes can be set if the credentials are valid, so when the next request is made the session attributes come along with the request and can be used to authenticate it. If the request doesn't have that session attribute, you can just scrap that request.
I have a web app that uses a Java Bean for login functions right now and all of the JSP pages check the Bean to make sure the user is logged in. I am also introducing some AJAX functionality now with servlets and I see that of course those exchanges don't check authentication. I'm wondering how I should handle this. For example, I don't want someone to be able to logout, hit back button, then submit something with the AJAX functions successfully.
I can't access the bean from the servlet to check the login (totally wrong context and static vs non-static). I guess I could set a flag with the user entry in the database table denoting logged in or not. Then I can detect timeout logoffs and update the flag as well. But that way would require extra database accesses every time something is done. It would duplicate functionality in some way, but I guess I could perhaps use that just for the AJAX stuff. One difference with that would be the user would not be able to be logged in on multiple places at once as currently.
How is this kind of thing normally done?
Thanks for any help!
You could use the session to store that flag instead of the database, and when the user logs out you should remove that flag and destroy the session. In the login method:
HttpSession session = req.getSession(true);
session.setAttribute("loggedIn", Boolean.TRUE);
And in your AJAX servlet (getSession(false) so no session is created for an anonymous caller; the attribute is an Object, so compare with equals rather than ==):
HttpSession session = req.getSession(false);
if (session != null && Boolean.TRUE.equals(session.getAttribute("loggedIn")))
    doWork();
else
    error("not logged in");
The web container will handle timeouts for you, keep track of each user and his session, and so on.
But I would recommend that you use a standard mechanism for managing authentication.
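To show the answer's three pieces working together (set the flag at login, destroy the session at logout, check the flag in the AJAX servlet), here is an added example that is not code from the original answer. The three servlets are shown in one listing but would each live in their own file; UserStore.authenticate() is a hypothetical credential check, and the /login.jsp, /main.jsp and /ajax/save paths are assumed.

```java
// --- LoginServlet.java ---
// Added example, not from the original answer. UserStore is hypothetical.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null
                || !UserStore.authenticate(username, password)) { // hypothetical check
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }
        // Discard the pre-login session: otherwise a session id planted by an
        // attacker before login (session fixation) becomes an authenticated one.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("loggedIn", Boolean.TRUE);
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(30 * 60); // idle timeout, in seconds
        resp.sendRedirect(req.getContextPath() + "/main.jsp");
    }
}

// --- LogoutServlet.java ---
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // invalidate() drops every attribute and retires the session id, so an
        // AJAX call made after Back-button navigation finds no session at all.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}

// --- SaveServlet.java (the AJAX endpoint) ---
@WebServlet("/ajax/save")
public class SaveServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): never create a session just to learn the caller is anonymous.
        HttpSession session = req.getSession(false);
        if (session == null || !Boolean.TRUE.equals(session.getAttribute("loggedIn"))) {
            // An XHR caller needs a status code, not a redirect to an HTML login page.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("application/json");
            resp.getWriter().write("{\"error\":\"not logged in\"}");
            return;
        }
        String username = (String) session.getAttribute("username");
        // ... perform the real work on behalf of username ...
        resp.setContentType("application/json");
        resp.getWriter().write("{\"ok\":true}");
    }
}
```

The JavaScript side should treat a 401 from /ajax/save as "send the user back to the login page"; because logout invalidates the whole session rather than just clearing the flag, a stale tab cannot reuse the old session id after the user has logged out.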
[JEE, MVC-JSP+Servlets, TomEE]
Using form-based declarative authentication (container managed). Is it possible to explicitly set the UserPrincipal (to log a user in)?
I know I can check whether there is logged in user or not with request.getUserPrincipal()!=null.
Actually I am facing the following situation: I have a register.jsp that is used for new user registration. The data from this JSP are sent to a servlet where a new user object is created and persisted to the database. So, now that the user has registered, he/she should be automatically logged in. I was thinking about how I can implement this automatic login after registration.
If you are on Servlet 3.0 and above, use HttpServletRequest.login().
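As an added example of what that looks like (not code from the original answer): a registration servlet that persists the account and then calls HttpServletRequest.login(). UserDao is a hypothetical DAO; the example assumes the container realm (e.g. a JDBC realm in TomEE) authenticates against the same user table, with passwords stored in whatever form that realm is configured to expect. The page names are assumed as well.

```java
// Added example, not from the original answer. UserDao is hypothetical.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/register")
public class RegisterServlet extends HttpServlet {
    private final UserDao userDao = new UserDao(); // hypothetical; hashes and stores the password

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            resp.sendRedirect(req.getContextPath() + "/register.jsp?error=missing");
            return;
        }

        // login() throws ServletException if a caller identity is already
        // established, so end any existing authenticated session first.
        if (req.getUserPrincipal() != null) {
            req.logout();                         // Servlet 3.0
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
        }

        userDao.create(username, password);       // persist the new account

        // Caveat for Tomcat/TomEE: the authenticated principal is cached in the
        // HTTP session, so make sure a session exists before calling login(),
        // otherwise the next request arrives unauthenticated.
        req.getSession(true);
        try {
            // Servlet 3.0: authenticate against the configured realm without a
            // round trip through the form login page. Afterwards getUserPrincipal(),
            // getRemoteUser() and isUserInRole() behave exactly as after a form login.
            req.login(username, password);
        } catch (ServletException e) {
            // Realm rejected the credentials (e.g. the hash format does not match
            // what the realm expects) or the auth mechanism does not support login().
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/welcome.jsp");
    }
}
```

The important dependency is that login() is only as good as the realm behind it: the servlet must write the password in the exact format (digest algorithm, salt, encoding) the realm is configured to verify, or the call will fail with ServletException even though the row was just inserted.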
I am developing a web application in Struts. I have a requirement to check that a session exists for the user. If the user's session exists then the user can access the resource, so I need to check for the session variable's existence before accessing every JSP page.
For that I make use of a filter where I check for the session variable's existence. But when I use the filter, every request is routed to it, even the login page request. The login page doesn't need the filter check applied; what should I do about this?
This is the typical session-filter use case. For the login page request not to be filtered, you need a different URL for the login page which is excluded from the URL mapping of the filter.
OR
In the filter itself, you can check the requested URL; if it is the login page, then don't check for the session. But I would recommend the earlier approach because it properly addresses the separation-of-concerns principle.
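The filter sketched in the first answer on this page (check a session attribute, otherwise 403) and the exclusion discussed in this answer fit in one class. The following is an added example, not code from either answerer; the attribute name "user", the public paths (/login.jsp, /login, /register.jsp, /register, /static/) and the web.xml names are assumptions.

```java
// Added example, not from the original answers. Path names are assumptions.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped to everything in web.xml (so a new JSP cannot be forgotten), e.g.:
//   <filter>
//     <filter-name>sessionAuth</filter-name>
//     <filter-class>com.example.SessionAuthFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>sessionAuth</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
// The alternative from the answer above is to map only /secured/* and keep the
// login page outside that prefix; then PUBLIC_PATHS is not needed.
public class SessionAuthFilter implements Filter {

    // Allow-list of paths reachable without a session. Everything else fails closed.
    private static final Set<String> PUBLIC_PATHS = new HashSet<>(Arrays.asList(
            "/login.jsp", "/login", "/register.jsp", "/register"));

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Path relative to the context root, so the rule set does not depend on
        // the deployment name. Strip ";jsessionid=..." added by URL rewriting,
        // otherwise "/login.jsp;jsessionid=abc" would not match the allow-list.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        int semicolon = path.indexOf(';');
        if (semicolon >= 0) {
            path = path.substring(0, semicolon);
        }

        if (PUBLIC_PATHS.contains(path) || path.startsWith("/static/")) {
            chain.doFilter(request, response);
            return;
        }

        // getSession(false): do not create a session just to find out the
        // caller is anonymous (that would also make every crawler hit a session).
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Because the filter is an allow-list, anything it does not recognise (a typo in the path, a traversal attempt such as /secured/../login.jsp that the container did not normalise, a newly added JSP) is denied rather than let through; the redirect variant simply replaces sendError() with sendRedirect() to the login page.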
I'm a novice at JSF and I have a couple of questions concerning organizing user authentication there.
1) How can I redirect the registered user to a welcome page (for example welcome.xhtml)? I heard about using a Filter or the navigation-rule tag, but I haven't found a full tutorial on how it works.
2) How can I tell the server that unauthorized users can access not only the login page but also the registration page? Is there an analog of the ASP.NET web.config tag or something like this?
The solution for requirement 1) is already achieved by the solution for requirement 2). You just let the user go to that URL directly. If the user is after all not logged in, then redirect them to the register/login page. That's how it normally works.
You need to implement a Filter which listens on an url-pattern matching the secured pages. E.g. /secured/*, /protected/*, etc. In the doFilter() method you just check for the presence of the logged in User in the current session and handle accordingly. Here's a basic kickoff example:
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response; // sendRedirect() is only on the HTTP subtype
HttpSession session = req.getSession(false);            // don't create a session for anonymous requests
if (session == null || session.getAttribute("user") == null) {
    // Not logged in, redirect to login page (context-relative so it works under any deployment path).
    res.sendRedirect(req.getContextPath() + "/login.jsf");
} else {
    // Logged in, just continue with request.
    chain.doFilter(request, response);
}
To get it to work with JSF, just know that JSF stores session-scoped managed beans as attributes of the HttpSession, with the managed bean name as the key.