Tags: java, jsp, authentication, web-applications

How JSP page should check authentication


I am new to web programming. I am asking about a common pattern for doing things like checking authentication. Here is the scenario:

The website has a login page for visitors. It will take the username and encrypted password and send them to the server, then get either an error code (username/password doesn't match) or an auth key from the server. When the user has logged in successfully, I want the website to automatically jump to the main.jsp page that presents the main functionality of the website.

In this case, I want main.jsp to check the user's authentication. That is, I don't want something like this to happen: a user can directly open www.example.com/main.jsp. If they do something like this, I want to redirect them to the login page.

So how could I pass authentication information across pages, and how could I prevent users from directly accessing main.jsp without logging in? Do I need to use a session or anything?


Solution

  • You could try using filters:

    Filter can pre-process a request before it reaches a servlet, post-process a response leaving a servlet, or do both. Filters can intercept, examine, and modify requests and responses.

    NOTE: be sure to add a session attribute once your user is logged in; you can use that session attribute in the filter.

    On your login.jsp add:

    session.setAttribute("LOGIN_USER", user);
    // user entity if you have one, or the user type of your user account...
    // if not set then LOGIN_USER will be null
    

    web.xml

    <filter>
        <filter-name>SessionCheckFilter</filter-name>
        <filter-class>yourjavapackage.SessionCheckFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SessionCheckFilter</filter-name>
        <!--url-pattern>/app/*</url-pattern-->
        <url-pattern>/main.jsp</url-pattern> <!-- url from where you implement the filtering -->
    </filter-mapping>
    

    SessionCheckFilter.java

    package yourjavapackage; // must match the filter-class entry in web.xml

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class SessionCheckFilter implements Filter {

      private String contextPath;

      @Override
      public void init(FilterConfig fc) throws ServletException {
        contextPath = fc.getServletContext().getContextPath();
      }

      @Override
      public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc)
          throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false) does not create a session for anonymous visitors;
        // a missing session simply means "not logged in"
        HttpSession session = req.getSession(false);
        Object loginUser = (session == null) ? null : session.getAttribute("LOGIN_USER");

        if (loginUser == null) { // checks if there's a LOGIN_USER set in session...
          res.sendRedirect(contextPath + "/login.jsp"); // or page where you want to redirect
          return; // stop here so the request never reaches main.jsp
        }

        String userType = (String) loginUser; // assumes login.jsp stored the user type as a String
        if (!userType.equals("ADMIN")) { // check if user type is not admin
          res.sendRedirect(contextPath + "/login.jsp"); // or page where you want to redirect
          return; // without this return the request would still fall through to doFilter below
        }
        fc.doFilter(request, response);
      }

      @Override
      public void destroy() {
      }
    }
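The answer above shows the filter that guards main.jsp but only one line of the login side that sets "LOGIN_USER". The servlet below is an added example (not code from the answer or from any project) that completes the pattern: it validates the posted credentials, replaces the session id at the moment of login so that a session id the browser held before authentication never becomes an authenticated one, stores the user type under the same attribute the filter reads, and redirects to main.jsp. It assumes the Servlet 3.1+ API (javax.servlet, for changeSessionId() and @WebServlet); the class name LoginServlet, the authenticate() method and the two sample users are hypothetical placeholders for whatever user store the site actually has. Note also that the web.xml mapping above protects only /main.jsp; every other page that should require a login needs its own url-pattern (or the commented-out /app/* style prefix).

```java
package yourjavapackage;

import java.io.IOException;
import java.util.Map;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: handles the POST from login.jsp (form fields "username" and
 * "password") and establishes the session attribute that SessionCheckFilter checks.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

  // Constructed sample data for illustration only: username -> user type.
  private static final Map<String, String> SAMPLE_USER_TYPES =
      Map.of("alice", "ADMIN", "bob", "USER");

  /**
   * Hypothetical credential check standing in for the real user store.
   * Returns the user type on success, or null when username/password do not match.
   */
  static String authenticate(String username, String password) {
    // Constructed rule: both sample users accept the password "sample-password".
    if (username != null && "sample-password".equals(password)
        && SAMPLE_USER_TYPES.containsKey(username)) {
      return SAMPLE_USER_TYPES.get(username);
    }
    return null;
  }

  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
    String userType = authenticate(req.getParameter("username"), req.getParameter("password"));
    if (userType == null) {
      // Username/password do not match: back to the login page with an error flag
      res.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
      return;
    }

    // Create (or reuse) the session, then give it a fresh id now that the user
    // is authenticated, so a pre-login session id is never promoted to a logged-in one.
    HttpSession session = req.getSession(true);
    req.changeSessionId(); // Servlet 3.1+; on older containers use invalidate() + getSession(true)

    // Same attribute name and value type ("ADMIN"/"USER" String) that SessionCheckFilter reads
    session.setAttribute("LOGIN_USER", userType);

    // Logged in: jump to the main page; the filter will now let the request through
    res.sendRedirect(req.getContextPath() + "/main.jsp");
  }

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
    // A GET with ?action=logout drops the whole session, which also removes LOGIN_USER
    if ("logout".equals(req.getParameter("action"))) {
      HttpSession session = req.getSession(false);
      if (session != null) {
        session.invalidate();
      }
    }
    res.sendRedirect(req.getContextPath() + "/login.jsp");
  }
}
```

With this in place the flow is: login.jsp posts to /login, a successful POST sets LOGIN_USER and redirects to /main.jsp, and any direct request for /main.jsp without that attribute is bounced back to login.jsp by the filter. Logging out is a GET to /login?action=logout, which invalidates the session rather than only clearing the attribute, so nothing else stored for that user survives.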