Hi all,
I think I understand the basic mechanism you need to implement to force
un-authenticated users to a login screen by checking for specific
information that is stored in the session when they login successfully.
My questions is, is there a method to invoke this authentication check
on JSP pages using only the JSP tags, rather than embedding the required
Java code in "<% %>" tags ? As has been discussed frequently on this
list previsouly, it's very nice if you can keep the JSP pages pure HTML
and JSP tags.
I'm thinking this situation could be staistfied if there was a tag that
allowed you to invoke abitary methods on a bean (even passing
parameters!). This facility would actually solve a LOT of design
queries I am having at the moment, while still keeping the HTML monkeys
out of the Java code.
Another thought is that perhaps this can be done by a
page(request?)-scope bean with the functionality embedded in it's
constructor (or is there some other method that is invoked when a bean
is instantiated ?).
Apologies for my ignorance of JSP, I have read the spec, but I'm just
starting out....
Drew
> -----Original Message-----
> From: Kirkdorffer, Daniel [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, 31 March 1999 3:24
> To: [EMAIL PROTECTED]
> Subject: Re: How to force user to login
>
> Andre,
>
> What if your user accesses multiple applications with their one
> browser
> session, and these also have a CustomerID. I think it is a good idea
> to
> consider application space when working with session storage. At
> first we
> didn't consider doing that, but as we developed more web apps with JSP
> discovered we had to to protect what each app would store with
> session, and
> to ensure logging in to one app didn't bypass the need to log in to
> another.
>
> I also think that people should avoid doing explicit
> session.invalidate(),
> which could wipe out session info used elsewhere. Browser shutdown,
> session
> timeout, or removal of application specific stuff on app exit are the
> better
> alternatives.
>
> Dan
>
> > ----------
> > From: Andre Richards[SMTP:[EMAIL PROTECTED]]
> > Reply To: Andre Richards
> > Sent: Monday, March 29, 1999 10:17 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: How to force user to login
> >
> > I did as follows:
> > On every page which must be authenticated, I check for a user ID in
> the
> > session object - if it doesn't exit, I do a redirect to a login
> page,
> > passing the url the user was trying to access as a parameter.
> >
> > On the login page, if the user successfully logs in, I create a
> session
> > for
> > him/her, and add the user ID to the session. I then redirect back to
> the
> > original page the user tried to access. This way, even if the user
> > bookmarks
> > a page, he/she will be asked to login once the session has become
> invalid.
> >
> > Some code:
> > On every page I add the following:
> >
> > HttpSession session = request.getSession(true);
> > if (session.getValue("CustomerID") == null) {
> > response.sendRedirect (response.encodeRedirectUrl
> > ("Login.jsp?Origin=SharePortfolio.jsp"));
> > }
> > else {
> > // the rest of the page ...
> >
> > In Login.jsp once the user has provided the correct logon
> credentials:
> > session.putValue("CustomerID", CustomerID);
> > response.sendRedirect
> > (response.encodeRedirectUrl(request.getParameter("Origin")));
> >
> >
> > -----Original Message-----
> > From: Andrey Sazonov <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > Date: Friday, March 26, 1999 6:42 PM
> > Subject: How to force user to login
> >
> >
> > >Hi all!
> > >
> > >I have following design problem and I hope anybody can help me.I
> need to
> > >develop web based
> > >access to the database. Every user who try to work with this system
> need
> > to
> > >log in before real access
> > >to database. It works fine with session tracking mechanism (access
> to
> > >database provided by set
> > >of appropriate servlets and beans).
> > >But problem occurs when the user bookmarked some page and the tries
> to
> > come
> > >directly to bookmarked page.
> > >Does anybody know the way how to prevent this and show login page
> instead
> > >bookmarked one?
> > >
> > >I think this could be implemented by processing of all request to
> whole
> > site
> > >by one servlet, which will
> > >further dispatch all requests, but I'm afraid this could apply
> additional
> > >bottleneck to system.
> > >
> > >---------------------------
> > >Sincerely
> > >Andrey Sazonov
> > >([EMAIL PROTECTED])
> > >
> >
> >=====================================================================
> ====
> > ==
> > >To unsubscribe, send email to [EMAIL PROTECTED] and include in
> the
> > body
> > >of the message "signoff JSP-INTEREST". For general help, send
> email to
> > >[EMAIL PROTECTED] and include in the body of the message
> "help".
> >
> >
> ======================================================================
> ====
> > =
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in
> the
> > body
> > of the message "signoff JSP-INTEREST". For general help, send email
> to
> > [EMAIL PROTECTED] and include in the body of the message "help".
> >
>
> ======================================================================
> =====
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the
> body
> of the message "signoff JSP-INTEREST". For general help, send email
> to
> [EMAIL PROTECTED] and include in the body of the message "help".
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
