Hi Dan,

It's not that I'm religiously against the "<% %>" tags (most of my
experience in this area is from ASP, where there's no choice, ugh...).
I realise that for some situations they would be required and should not
be seen as "a bad thing".

BUT, it seems that JSP is attempting to provide a method to implement
most of the display functionality through the HTML-like tags, so why not
extend that a little bit more to cover 99% of the functionality people
require ?  I don't advocate creating any more tags unless absolutely
necessary, but perhaps the <DISPLAY> tag could have an optional
attribute that would supply arguments to the bean's field get-ters ?

Anyway, back to original problem, that of triggering the authentication
check on a JSP (only, no servlet in between) page.  You need to have
this check on every JSP page, so that bookmarkers are always sent back
to the login page if they don't have an authenticated session.  This
sort of thing can also be useful to ensure bookmarkers don't jump to a
page half-way through a business transaction without visiting the
previous pages.

Would it work to have an authentication bean that was declared with
<usebean> on every page (perhaps as part of an include file ?) that
implemented the authentication check in its processRequest() method ?

From my reading of the spec, this method is called regardless of the
scope of the bean, so you could use an application level scope.  If the
authentication failed, would this bean be in a position to do a
server-side redirect to the login page ?

Thanks

Drew Cox
Barrack Consulting


> -----Original Message-----
> From: Kirkdorffer, Daniel [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, 1 April 1999 2:28
> To:   [EMAIL PROTECTED]
> Subject:      Re: How to force user to login
>
> Why is everyone wishing for us to create new specialized tags?  What is
> wrong with writing Java code in <% %> tags?  These are *Java*Server Pages
> after all.  Come on people, you have all the flexibility in the world with
> the <% %> tags.
>
> Dan
>
> > ----------
> > From:         Drew Cox[SMTP:[EMAIL PROTECTED]]
> > Reply To:     Drew Cox
> > Sent:         Tuesday, March 30, 1999 6:31 PM
> > To:   [EMAIL PROTECTED]
> > Subject:      Re: How to force user to login
> >
> > Hi all,
> >
> > I think I understand the basic mechanism you need to implement to force
> > un-authenticated users to a login screen by checking for specific
> > information that is stored in the session when they login successfully.
> >
> > My question is, is there a method to invoke this authentication check
> > on JSP pages using only the JSP tags, rather than embedding the required
> > Java code in "<% %>" tags ?  As has been discussed frequently on this
> > list previously, it's very nice if you can keep the JSP pages pure HTML
> > and JSP tags.
> >
> > I'm thinking this situation could be satisfied if there was a tag that
> > allowed you to invoke arbitrary methods on a bean (even passing
> > parameters!).  This facility would actually solve a LOT of design
> > queries I am having at the moment, while still keeping the HTML monkeys
> > out of the Java code.
> >
> > Another thought is that perhaps this can be done by a
> > page(request?)-scope bean with the functionality embedded in its
> > constructor (or is there some other method that is invoked when a bean
> > is instantiated ?).
> >
> > Apologies for my ignorance of JSP, I have read the spec, but I'm just
> > starting out....
> >
> > Drew
> >
> > > -----Original Message-----
> > > From: Kirkdorffer, Daniel [SMTP:[EMAIL PROTECTED]]
> > > Sent: Wednesday, 31 March 1999 3:24
> > > To:   [EMAIL PROTECTED]
> > > Subject:      Re: How to force user to login
> > >
> > > Andre,
> > >
> > > What if your user accesses multiple applications with their one browser
> > > session, and these also have a CustomerID.  I think it is a good idea to
> > > consider application space when working with session storage.  At first we
> > > didn't consider doing that, but as we developed more web apps with JSP
> > > we discovered we had to protect what each app would store with session, and
> > > to ensure logging in to one app didn't bypass the need to log in to
> > > another.
> > >
> > > I also think that people should avoid doing explicit session.invalidate(),
> > > which could wipe out session info used elsewhere.  Browser shutdown, session
> > > timeout, or removal of application specific stuff on app exit are the better
> > > alternatives.
> > >
> > > Dan
> > >
> > > > ----------
> > > > From:         Andre Richards[SMTP:[EMAIL PROTECTED]]
> > > > Reply To:     Andre Richards
> > > > Sent:         Monday, March 29, 1999 10:17 PM
> > > > To:   [EMAIL PROTECTED]
> > > > Subject:      Re: How to force user to login
> > > >
> > > > I did as follows:
> > > > On every page which must be authenticated, I check for a user ID in the
> > > > session object - if it doesn't exist, I do a redirect to a login page,
> > > > passing the url the user was trying to access as a parameter.
> > > >
> > > > On the login page, if the user successfully logs in, I create a session for
> > > > him/her, and add the user ID to the session. I then redirect back to the
> > > > original page the user tried to access. This way, even if the user bookmarks
> > > > a page, he/she will be asked to login once the session has become invalid.
> > > >
> > > > Some code:
> > > > On every page I add the following:
> > > >
> > > >     HttpSession session = request.getSession(true);
> > > >     if (session.getValue("CustomerID") == null) {
> > > >         response.sendRedirect(response.encodeRedirectUrl("Login.jsp?Origin=SharePortfolio.jsp"));
> > > >     }
> > > >     else {
> > > >         // the rest of the page ...
> > > >     }   // closes the else, at the end of the page
> > > >
> > > > In Login.jsp once the user has provided the correct logon credentials:
> > > >     session.putValue("CustomerID", CustomerID);
> > > >     response.sendRedirect(response.encodeRedirectUrl(request.getParameter("Origin")));
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Andrey Sazonov <[EMAIL PROTECTED]>
> > > > To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > > > Date: Friday, March 26, 1999 6:42 PM
> > > > Subject: How to force user to login
> > > >
> > > >
> > > > >Hi all!
> > > > >
> > > > >I have following design problem and I hope anybody can help me. I need to
> > > > >develop web based access to the database. Every user who tries to work
> > > > >with this system needs to log in before real access to database. It works
> > > > >fine with session tracking mechanism (access to database provided by set
> > > > >of appropriate servlets and beans).
> > > > >But problem occurs when the user bookmarked some page and then tries to
> > > > >come directly to bookmarked page.
> > > > >Does anybody know the way how to prevent this and show login page instead
> > > > >of bookmarked one?
> > > > >
> > > > >I think this could be implemented by processing of all requests to whole
> > > > >site by one servlet, which will further dispatch all requests, but I'm
> > > > >afraid this could apply additional bottleneck to system.
> > > > >
> > > > >---------------------------
> > > > >Sincerely
> > > > >Andrey Sazonov
> > > > >([EMAIL PROTECTED])
> > > > >
> > > > >===========================================================================
> > > > >To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > > >of the message "signoff JSP-INTEREST".  For general help, send email to
> > > > >[EMAIL PROTECTED] and include in the body of the message "help".
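
The session check discussed in this thread, combined with the point about keeping session keys per application, as an added Java example that is not code from any poster; the session is modelled as a `Map`, and the class name, application names and sample values are assumptions. It also restricts the post-login `Origin` target to a site-relative path, because that value arrives in the request.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the thread. The session is modelled as a Map;
// the class name, application names and customer ID are hypothetical.
public class LoginGuard {
    private final String app;   // per-application namespace for session keys
    LoginGuard(String app) { this.app = app; }

    // Namespaced key, so a login to one application does not count for another.
    String key() { return app + ".CustomerID"; }

    // Null when this app's user ID is in the session, else the login URL to redirect to.
    String redirectIfAnonymous(Map<String, Object> session, String page) {
        if (session.get(key()) != null) return null;
        return "Login.jsp?Origin=" + URLEncoder.encode(page, StandardCharsets.UTF_8);
    }

    // Origin arrives in the request, so accept only a path on this site.
    String safeOrigin(String origin, String fallback) {
        if (origin == null || origin.isEmpty()) return fallback;
        try {
            URI u = new URI(origin);
            // A scheme or host ("https://...", "//host/...") means another site.
            return (u.isAbsolute() || u.getRawAuthority() != null) ? fallback : origin;
        } catch (URISyntaxException e) {
            return fallback;    // backslashes, control characters, malformed input
        }
    }

    // Application exit: remove this app's entry only, leaving the rest of the session.
    void logout(Map<String, Object> session) { session.remove(key()); }

    public static void main(String[] args) {
        LoginGuard portfolio = new LoginGuard("portfolio"), billing = new LoginGuard("billing");
        Map<String, Object> session = new HashMap<>();   // constructed sample session
        System.out.println(portfolio.redirectIfAnonymous(session, "SharePortfolio.jsp"));
        session.put(portfolio.key(), "C-1001");          // constructed customer ID
        System.out.println(portfolio.redirectIfAnonymous(session, "SharePortfolio.jsp"));
        System.out.println(billing.redirectIfAnonymous(session, "Invoices.jsp"));
        System.out.println(portfolio.safeOrigin("SharePortfolio.jsp", "Home.jsp"));
        System.out.println(portfolio.safeOrigin("https://example.invalid/", "Home.jsp"));
        portfolio.logout(session);
        System.out.println(portfolio.redirectIfAnonymous(session, "SharePortfolio.jsp"));
    }
}
```

In a servlet container the same logic reads and writes the `HttpSession` through `getAttribute`/`setAttribute`, the replacements for the deprecated `getValue`/`putValue`.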