I have a simple user application. I have a MainController servlet that will be in charge of general interaction in the application. This servlet will be "listening" for the url-patterns /, /index, etc. (any other form of index). I also have a UserController servlet that is in charge of login among other things; this one "listens" on the /CheckLogin url-pattern.
I have a form in a JSP, at the URL /, that when I submit it points to the servlet at /CheckLogin. Then the UserController servlet processes it and, whether the login is OK or wrong, it redirects to / (the MainController will be in charge of determining the page to show depending on whether the user is logged in or not).
All works flawlessly except that after submitting the first time, the form page has the URL /CheckLogin. I would like to remove it and show only / (whether logged in or not). How do I do this (plain Java EE, not Spring or any other framework)?
I'm not sure if this is what you're looking for, but if you do a forward instead of a redirect, the URL on the client browser will not be updated: RequestDispatcher#forward(javax.servlet.ServletRequest, javax.servlet.ServletResponse); an explanation can be found at Forward vs Redirect.
In addition, it might be a better idea to implement authentication as a Filter instead of a Servlet; that way, the Filter can be used to intercept any URL you deem needs to be secured.
Is there a specific reason you're not using a web framework? They're meant to take care of things like security and routing for you, generally.
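To make the forward/redirect distinction from the answer concrete, here is an added example (not the asker's code and not from the linked article) of the /CheckLogin servlet from the question handing control back to "/" both ways. The credential check is a constructed stand-in so the class compiles on its own; the session attribute name "user" and the request attribute "loginError" are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the UserController from the question, showing a forward on failure
// and a redirect on success so the two behaviours can be compared side by side.
@WebServlet("/CheckLogin")
public class UserController extends HttpServlet {

    // Constructed stand-in for a real credential store (hypothetical values).
    private static boolean credentialsValid(String user, String password) {
        return "demo".equals(user) && "demo-secret".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        boolean ok = credentialsValid(user, req.getParameter("password"));

        if (ok) {
            req.changeSessionId();                 // Servlet 3.1+: fresh session id once logged in
            req.getSession().setAttribute("user", user);
            // Redirect: the browser issues a new GET for "/", so the address bar shows "/"
            // and a reload cannot re-submit the credentials. Request attributes do not
            // survive a redirect, so anything the next page needs has to live in the session.
            // getContextPath() matters: sendRedirect("/") alone goes to the server root.
            resp.sendRedirect(req.getContextPath() + "/");
        } else {
            // Forward: same request and response, handled server-side by the servlet mapped
            // to "/". The address bar keeps /CheckLogin and a reload re-POSTs the form, but
            // request attributes survive, which is how the error flag reaches the page.
            req.setAttribute("loginError", Boolean.TRUE);
            req.getRequestDispatcher("/").forward(req, resp);
        }
    }
}
```

With this split, a successful login lands on "/" with a clean URL, while a failed attempt re-renders the form in place; if the URL after a failed login should also read "/", swap the forward for a redirect and carry the error flag in the session instead of a request attribute.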
Some of you advised me to handle sessions using filters. I studied a little about filters following some guides found on the internet, and wrote a filter referring to this guide.
I saw that the filter is called for every component of my page (CSS, images etc.); is there a way to call it just when a JSP or a servlet is loaded? I need a method that can understand if a JSP or a servlet is being loaded, in order to do some stuff inside my filter.
Yes, you can do that. Just change the url-pattern for your session filter.
If you are using some web framework (Spring MVC, ...) with one dispatching servlet, you can map your filter only to this servlet using servlet-name, and requests to other resources (JS, CSS) will not be intercepted by this filter.
First off, please don't be misled by the purpose of the tutorial in the link you have specified. Session handling is always done through cookies, URL-rewriting (or for the more advanced, SSL). He's merely using filters to enhance application security, by ensuring the user is redirected to the login page, whenever he goes directly to an "avoid-url".
Think about a filter, a physical filter. Whether it be an excel filter or a physical gravel filter. It stands between one thing and another thing:
Java web filters can do the same thing:
Just like you can choose which water bottle to filter, you can decide which requests you want to filter. You do that using the filter-mapping element in web.xml. You can specify individual servlet names, or a url pattern.
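The two answers above describe two ways of scoping a filter: mapping it by servlet-name, or mapping it by url-pattern and deciding inside the filter what to skip. Here is an added example (not from the asker's guide or either answer) showing both. The servlet names "MainController" and "UserController", the attribute name "sessionChecked" and the list of static suffixes are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

// Variant A (used here): intercept every direct browser request and skip static assets
// by path suffix. dispatcherTypes = REQUEST means an internal forward from a servlet to a
// JSP does not run the filter a second time; add DispatcherType.FORWARD if it should.
//
// Variant B (equivalent to <filter-mapping><servlet-name> in web.xml): bind the filter to
// the named servlets only, so CSS/JS/images served by the container's default servlet
// never reach it and no suffix list is needed:
//   @WebFilter(servletNames = {"MainController", "UserController"})
@WebFilter(urlPatterns = "/*", dispatcherTypes = DispatcherType.REQUEST)
public class SessionFilter implements Filter {

    // Assumed set of suffixes that mean "static resource, nothing to do here".
    private static final List<String> STATIC_SUFFIXES =
            Arrays.asList(".css", ".js", ".png", ".jpg", ".gif", ".ico");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isStaticResource(req)) {
            chain.doFilter(request, response);   // pass through untouched
            return;
        }
        // Only JSPs and servlets get here: do the per-request session work.
        boolean hasSession = req.getSession(false) != null;
        req.setAttribute("sessionChecked", hasSession);
        chain.doFilter(request, response);
    }

    // Context-relative path of the request, lower-cased so "LOGO.PNG" matches "logo.png".
    static boolean isStaticResource(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length()).toLowerCase();
        for (String suffix : STATIC_SUFFIXES) {
            if (path.endsWith(suffix)) return true;
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

The suffix list is fine for bookkeeping like this. If the same filter also enforces authentication, prefer the servlet-name mapping (variant B): the container decides which servlet handles a request before the filter runs, so there is no skip list that a crafted path could fall into.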
I am new to servlets, and would like to follow the Model2 paradigm by keeping all my "code" in servlets, and HTML/beans in JSP pages. But is there a way to run a servlet when I access a JSP page without using a form submission? For example, I have a login page. If the user logs in and then somehow goes back to the login page, I want to check for the existence of their session and automatically move them on to their welcome page. This is one real-world example, but it seems it would come in handy to run code without having to submit a form for a multitude of reasons.
You don't have to submit a form to invoke a servlet. All you have to do is have the browser hit the URL that is mapped to the servlet. That could happen when submitting a form, clicking a link, invoking an XHR, using curl or wget from the command line, etc.
Also, keeping all code in servlets is not good design. Your servlets should handle incoming requests, invoke business logic implemented in separate classes (for good modularity and testing purposes), and return the appropriate response.
If I recall correctly, in Model2 the user never navigates to (JSP) pages, only to controllers (servlets). Trying to access a lower layer of code (a servlet) directly from a view (the page) is a violation of MVC/Model2.
I used JDBCRealm in my web application and it's working fine. I also defined all constraints in my web.xml, like: all pages of url-pattern /Admin/* should be accessed only by admin. I have a login form which uses the standard j_security_check, j_username and j_password.
Now, when I type Admin/home.jsf it rightly redirects me to login.jsf, and there when I type the password I am redirected to home.jsf. This works alright, but the problem comes when I directly go to login.jsf and then type the password and username. This time it again redirects me to login.jsf. Is there any way through which I can specify which page to go to when login is successful? I need to specify different pages for different roles. For Admin it is /Admin/home.jsf, for general users it is /General/home.jsf, because the login form is shared between different types of users. Where do I specify all these things?
Secondly, I want to have a "remember me" checkbox at the end of the login form. How do I do this? By default, it is submitted to the j_security_check servlet and I have no control over its execution. Please help. This doesn't seem so hard, but it looks like I am missing something.
I found the answer to my own question. This is for any newbie who drops on this thread in future. OK, the solution that I found after much thinking is that I make one folder and one JSP page, say flag.jsp. Next, I give access to it to all the roles.
Now, you might be wondering what good would that do?:) Well, just follow it and you might be done. :p
Next, in your welcome-file in web.xml mention the URL of this file. Thus, when the application starts it will go to this URL and the container will find that I am unauthenticated, thus redirecting me to the login page. That's it. Now, the final part is that you can write simple scriptlets in your shared-roles JSP file and redirect to home based on role.
E.g. if HttpServletRequest#isUserInRole("Admin") then redirect to "/admin/home.jsf", and so on.
Well, this is not so efficient, but the important thing is that it works! :) This idea accidentally bumped into me today. I guess now I can rest and use container-managed security easily. Waiting for your comments.
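The same landing-page idea, as an added example (not the poster's flag.jsp), written as a servlet instead of a scriptlet so the role-to-page mapping lives in one place and can be unit-tested. It assumes the landing URL /landing is listed as the welcome-file and is covered by a security-constraint open to every role, as the poster did for flag.jsp; the role name "General" is an assumption (only "Admin" appears in the thread), and the paths are the ones the poster gives.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: role-based landing servlet for container-managed (j_security_check) login.
// Reaching doGet at all means the container has already authenticated the caller, because
// the URL sits behind a security-constraint; the servlet only decides where to send them.
@WebServlet("/landing")
public class LandingServlet extends HttpServlet {

    // Insertion order matters: the first role the user holds wins. Role names must match the
    // <security-role> entries (or <security-role-ref>s) declared in web.xml.
    private static final Map<String, String> HOME_BY_ROLE = new LinkedHashMap<>();
    static {
        HOME_BY_ROLE.put("Admin", "/Admin/home.jsf");
        HOME_BY_ROLE.put("General", "/General/home.jsf");   // assumed role name
    }

    // Returns the context-relative home page for the caller's first matching role, or null.
    static String homeFor(HttpServletRequest req) {
        for (Map.Entry<String, String> entry : HOME_BY_ROLE.entrySet()) {
            if (req.isUserInRole(entry.getKey())) {
                return entry.getValue();
            }
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (req.getUserPrincipal() == null) {
            // Only possible if the security-constraint was left off this URL: fail closed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String home = homeFor(req);
        if (home == null) {
            // Authenticated, but in no role this application knows: do not guess a page.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.sendRedirect(req.getContextPath() + home);
    }
}
```

One detail worth checking when copying the poster's paths: url-patterns in security-constraints are case-sensitive, so a constraint on /Admin/* protects nothing under /admin/. The redirect target and the constrained directory should use the same spelling.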
I am a Spring/JavaEE web programmer and am starting to investigate the principles of REST for future web applications, but I can't figure out how to do usable logins. For a Web API it makes sense, but what about end user facing web applications? I have looked into the HTTP Basic/Digest Authentication but that only produces an ugly dialog box. Anyone have any ideas?
That really depends on how you approach form-based login.
The way it's defined in the J2EE spec, the login page is only shown to the (not yet authenticated) user when s/he tries to access a protected resource; it's not (or should not be) accessible by itself. In that scenario the login page does not have to be governed by REST principles, as it's not a "resource" by itself. In other words, the workflow is:
1. User tries to GET a REST URL, '/products/0332425'.
2. S/he is redirected to '/login', POSTs his credentials, and is redirected back (as GET) to the original page ('/products/0332425').
3. Subsequent attempts to get to '/login' result in an error (403?) or a redirect to "root".
If that does not work for you and you need to have your login form available on multiple pages, treat it as part of the page and its submission as you would any other POST.
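An added example (not from this answer or from the Model2 question earlier on the page) of a login servlet that implements the three-step workflow above, and at the same time handles the earlier question's case of a logged-in user wandering back to the login page. It assumes that whatever refused the original request stored its context-relative path in the session attribute "loginTarget", that the form lives at /WEB-INF/login.jsp, and that the session attribute "user" marks a logged-in user; the credential check is a constructed stand-in.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: form login that is only reachable as a consequence of a refused request,
// returns the user to that request afterwards, and refuses to serve the form to a user
// who is already logged in.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "user";            // assumed: set once logged in
    static final String TARGET_ATTR = "loginTarget";   // assumed: context-relative path to return to
    private static final String FORM = "/WEB-INF/login.jsp"; // under WEB-INF: not addressable by URL

    static boolean isAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    // Step 3: GET /login by someone already logged in (back button, bookmark) goes to the
    // root; sendError(SC_FORBIDDEN) would be the other option the answer mentions.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (isAuthenticated(req)) {
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        req.getRequestDispatcher(FORM).forward(req, resp);
    }

    // Step 2: POST credentials, then redirect back (as a GET) to the original page.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null || !credentialsValid(user, password)) {
            req.setAttribute("loginError", Boolean.TRUE);
            req.getRequestDispatcher(FORM).forward(req, resp);   // re-show the form in place
            return;
        }
        HttpSession session = req.getSession(true);
        String target = (String) session.getAttribute(TARGET_ATTR);
        session.removeAttribute(TARGET_ATTR);
        req.changeSessionId();                 // Servlet 3.1+: drop the pre-login session id
        session.setAttribute(USER_ATTR, user);
        resp.sendRedirect(safeTarget(req, target));
    }

    // Only a context-relative path is an acceptable destination. Absolute URLs, "//host/..."
    // (scheme-relative in browsers), backslashes and a missing target all fall back to "/".
    static String safeTarget(HttpServletRequest req, String target) {
        String ctx = req.getContextPath();
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.contains("\\")) {
            return ctx + "/";
        }
        return ctx + target;
    }

    // Constructed stand-in for a credential store. A real store compares salted password
    // hashes; the constant-time comparison is kept so the pattern carries over.
    private static boolean credentialsValid(String user, String password) {
        byte[] expected = "demo-secret".getBytes(StandardCharsets.UTF_8);
        return "demo".equals(user)
                && MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
    }
}
```

The return-to-target step is the part that most often goes wrong in practice: if the stored target is taken from a request parameter rather than from the server's own record of the refused request, safeTarget is what keeps the login page from becoming a redirector to arbitrary hosts.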
I have a small application with 3-4 servlets and a basic module that provides me authentication, like:

    public class Authentication {
        public boolean isUserAuthenticated() {
            // ... (check elided in the post)
        }
    }

Is there a way to check the authentication using my class BEFORE every other servlet is called, without having to add code to each of them? I'd like to avoid checking the user in every servlet I have and in every servlet I will have to add.
Any suggestion is well accepted :)
Thanks, Roberto
Absolutely, use a servlet filter. It's the standard way of implementing security in Java Web applications.
The Java Servlet specification version 2.3 introduces a new component type, called a filter. A filter dynamically intercepts requests and responses to transform or use the information contained in the requests or responses. Filters typically do not themselves create responses, but instead provide universal functions that can be "attached" to any type of servlet or JSP page.
You can put your authentication logic in a Servlet Filter. If the filter finds a request that is not authenticated, it can redirect the user to a login page (or whatever).
Anything that gets to a servlet is implicitly authenticated by then.
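The filter this answer (and the earlier suggestion to implement authentication as a Filter) describes, as an added example that is not Roberto's code. It wraps his Authentication class but assumes it has been given a variant isUserAuthenticated(HttpServletRequest) that can inspect the session, since the posted no-argument signature has nothing to look at; "/login" as the login URL and "loginTarget" as the session attribute for the refused path are assumptions as well.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: one filter in front of every servlet, so no servlet repeats the check.
// Equivalent web.xml mapping: <filter-mapping><url-pattern>/*</url-pattern></filter-mapping>.
@WebFilter(urlPatterns = "/*")
public class AuthenticationFilter implements Filter {
    static final String LOGIN_PATH = "/login";         // assumed login URL
    static final String TARGET_ATTR = "loginTarget";   // assumed attribute read by the login page
    private Authentication auth;                       // the poster's class

    @Override
    public void init(FilterConfig config) {
        auth = new Authentication();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Context-relative path, independent of how the target servlet is mapped.
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // The login page itself must pass through unauthenticated, or the redirect loops.
        if (LOGIN_PATH.equals(path) || auth.isUserAuthenticated(req)) {   // assumed signature
            chain.doFilter(request, response);   // past this line, every servlet sees a known user
            return;
        }

        // Remember where the user wanted to go (path only, never a host) so the login page can
        // send them back. Only a GET is worth replaying; a POST body cannot be reproduced.
        if ("GET".equals(req.getMethod())) {
            String qs = req.getQueryString();
            req.getSession(true).setAttribute(TARGET_ATTR, qs == null ? path : path + "?" + qs);
        }
        resp.sendRedirect(req.getContextPath() + LOGIN_PATH);
    }

    @Override
    public void destroy() { }
}
```

The "anything that gets to a servlet is implicitly authenticated" guarantee holds exactly as far as the mapping reaches: with "/*" it covers every servlet and JSP, and the login path is the only deliberate hole. If more filters are added, their order is the order of the filter-mapping elements in web.xml (annotated filters are ordered after them), so an authentication filter that must run first is best declared there.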
Use Acegi Security (now Spring Security). Using Spring will also make your life easier in other ways. (Spring Security works using a servlet filter, as mentioned in the posts above.)
User authentication can be done through servlet filters.
Check the detailed example: User Authentication Filter Example.