You could force all jsp requests to go to a login page from your webserver
(outside of your servlet engine that is).
If, for example, you were running apache with jrun, then make apache forward
all requests for *.jsp to some login page. Internally I think the forwards
from the servlet to jsp pages will still work because they will use the jrun
engine, and so you will still be able to forward to the jsp pages.
I'm not entirely sure about this technique, it's not something I had
considered in the past, but I think it should work. Thanks for bringing up
the issue.
This still seems a bit inelegant. You could also have a "checkLoggedIn"
bean, but I am not sure that works because by the time the bean is
instantiated, I don't think you can forward anywhere else. It may be able
to do the analog of a jsp:include by calling the login page directly,
redirecting the output to the user, closing the stream and quitting.
Again I've never done any of this so it would take some experimentation to
find the easiest/best solution.
-tg
----- Original Message -----
From: Brien Voorhees <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 1999 10:24 AM
Subject: User Security (was Re: Using JSP and Servlets.)
> I just recently subscribed to this list and have already found several
> of your posts to be useful. Thanks for spreading the knowledge, Craig. :)
>
> I've always liked separating presentation logic and will likely use a
> JSP-Presentation/Servlet-Logic approach as you suggest. One aspect that
> seems like it will be a hassle is preventing a user access to restricted
> areas of the website. It looks like, for one request, I'll need to verify
> that the user making the request is valid in both the servlet and the
> JSP(since even jsp's meant to be called only from servlets can be typed in
> as a URL) . Has this been your experience? I can derive my servlets from
> some sort of ProtectedServlet base class to handle most of the checking
> logic but it still seems like a pain. I hate to force all my JSP's to
have
> user-checking java code embedded in them since the goal is that a
> non-programmer web designer can create all the presentation files.
>
> Would taglibs help? I haven't found much documentation on taglibs so
far.
>
> Brien Voorhees
>
> ----- Original Message -----
> From: Craig R. McClanahan <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 21, 1999 3:59 PM
> Subject: Re: Using JSP and Servlets.
>
>
> > This is exactly how I write my JSP-based applications.
> >
> > Basically, any form in my app is submitted to a servlet, which does
> whatever functional logic
> > is required, assembles the results into beans, stashes them in the
request
> or session
> > (depending on how long the information needs to last), and forwards
> control to the JSP page.
> > Thus, my servlet might have some code like this:
> >
> > MyBean myBean = new MyBean(....); // Set up a bean with the
answers
> > request.setAttribute("myBean", myBean);
> > RequestDispatcher rd =
> getServletContext().getRequestDispatcher("/nextpage.jsp");
> > rd.forward(request, response);
> > return;
> >
> > In the JSP page named "nextpage.jsp", all I have to do to access this
bean
> is declare it:
> >
> > <jsp:useBean id="myBean" scope="request" class="MyBean" />
> >
> >
> > Craig McClanahan
>
>
===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
JSP-INTEREST".
> FAQs on JSP can be found at:
> http://java.sun.com/products/jsp/faq.html
> http://www.esperanto.org.nz/jsp/jspfaq.html
>
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
