I haven't tried this yet, but was considering this approach:

  - use one servlet to process logins and create/populate the client's
session object

  - redirect the client to the first JSP page of my application

  - every page statically (i.e., at translation time) includes a file that
contains a session validation scriptlet

    if this code determines that the session is invalid, it redirects the
client to the login page and forwards all of the original request parameters
as well

  - all request parameters are always forwarded from the login page to the
first JSP page of my application

    the login servlet takes care of getting the client to the originally
requested page


What I like about this idea is that I don't use a bean.  If I use a bean,
then the page has to invoke a method on that bean to validate the session,
and that's even more scriptlet code in the page.

By using an inline scriptlet, I only have to include the file containing the
scriptlet.  I still think that this is a little clunky, because every page
has to include this file (which can't be enforced) at a particular location
in the page, namely the top of the JSP page, or else you could get some
screwy data in your output stream.

Something that I think would help with this, and many other situations, is
if I could specify that my JSP page implements an interface.  Currently, you
can only change which class a page extends, and that's a little risky and
somewhat non-portable (if you're extending a generated page class).

By extending an interface, I could enforce all pages to implement a
validation method.  I guess another (non-standard) way to validate pages
would be to extend the servlet vendor specific JSP page class, implement
your validation code in this sub-class, and then have all of your pages
extend your subclass.

Any comments...

David
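To make the approach above concrete, here is an added example (not code from this thread or any of its authors) of the two pieces it needs: the session-check fragment every page includes at its top, and the login servlet that populates the session and sends the client back to the page it originally asked for. All names in it are assumptions (LoginServlet, the "user" session attribute, the "target" parameter, /login, /login.jsp and /start.jsp), and it assumes a Servlet 2.2 or later engine, where sendRedirect accepts a path beginning with "/". It departs from the design above in one deliberate way: instead of forwarding all of the original request parameters through the login page, it carries only the requested URI, keeps it server-side, and checks it before redirecting.

```java
// Added example, not code from the thread.  Names (LoginServlet, the "user"
// and "target" attributes, /login, /login.jsp, /start.jsp) are assumptions;
// assumes Servlet 2.2+, where sendRedirect accepts a path beginning with "/".

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * checkSession.jsp -- the fragment every protected page includes as its very
 * first line, before any template text, so the redirect is issued while the
 * response is still unwritten.  The "return" leaves _jspService(); without it
 * the rest of the page is still evaluated and written after the redirect.
 *
 *   <% if (session.getAttribute("user") == null) {
 *          response.sendRedirect(response.encodeRedirectURL(
 *              request.getContextPath() + "/login?target="
 *              + java.net.URLEncoder.encode(request.getRequestURI())));
 *          return;
 *      } %>
 */
public class LoginServlet extends HttpServlet {

    private static final String DEFAULT_TARGET = "/start.jsp";
    private static final String TARGET_KEY = "login.target";

    // Constructed placeholder user store for the example; swap in a real lookup.
    private static final Map USERS = new HashMap();
    static { USERS.put("alice", "correct horse battery"); }

    /** GET /login?target=...: remember where the client wanted to go, show the form. */
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getSession(true).setAttribute(TARGET_KEY,
                safeTarget(req, req.getParameter("target")));
        getServletContext().getRequestDispatcher("/login.jsp").forward(req, resp);
    }

    /** POST /login with the username/password fields from login.jsp. */
    public void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !pass.equals(USERS.get(user))) {
            req.setAttribute("error", "Invalid login");
            getServletContext().getRequestDispatcher("/login.jsp").forward(req, resp);
            return;
        }

        // Pull the saved target out of the pre-login session, then discard that
        // session: a session id the client held before authenticating must not
        // become the authenticated one.
        HttpSession old = req.getSession(false);
        String target = null;
        if (old != null) {
            target = (String) old.getAttribute(TARGET_KEY);
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);

        // Only the URI travels through the login step, and it stays server-side
        // so it is never echoed into the login form; the original form fields
        // are not re-submitted.
        resp.sendRedirect(resp.encodeRedirectURL(safeTarget(req, target)));
    }

    /** Accept only a server-relative path inside this web application.  An
        empty value, an absolute or protocol-relative URL ("//host"), a
        backslash or ".." segment, or the login URL itself all fall back to the
        application's first page, so the redirect cannot be pointed off-site
        or into a loop. */
    static String safeTarget(HttpServletRequest req, String target) {
        String ctx = req.getContextPath();
        String prefix = ctx + "/";
        if (target == null || !target.startsWith(prefix)
                || target.startsWith("//") || target.indexOf('\\') >= 0
                || target.indexOf("..") >= 0
                || target.equals(ctx + "/login") || target.startsWith(ctx + "/login?")) {
            return ctx + DEFAULT_TARGET;
        }
        return target;
    }
}
```

Two details carry the weight here. The include has to be the first thing in the page and has to `return` after `sendRedirect`, which is exactly the "screwy data in your output stream" problem: once template text has been written the redirect headers are gone, and without the `return` the page body is still rendered after them. And the `target` value is checked before it is used, because a redirect built straight from a request parameter can be pointed at another site; re-posting every original parameter through the login page would also push whatever the user typed on the protected page back through the login form, which carrying only the URI avoids.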



----- Original Message -----
From: Taylor Gautier <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 1999 12:59 PM
Subject: Re: User Security (was Re: Using JSP and Servlets.)


> You could force all jsp requests to go to a login page from your webserver
> (outside of your servlet engine that is).
>
> If, for example, you were running apache with jrun, then make apache
> forward all requests for *.jsp to some login page.  Internally I think the
> forwards from the servlet to jsp pages will still work because they will use
> the jrun engine, and so you will still be able to forward to the jsp pages.
>
> I'm not entirely sure about this technique, it's not something I had
> considered in the past, but I think it should work.  Thanks for bringing
> up the issue.
>
> This still seems a bit inelegant.  You could also have a "checkLoggedIn"
> bean, but I am not sure that works because by the time the bean is
> instantiated, I don't think you can forward anywhere else.  It may be able
> to do the analog of a jsp:include by calling the login page directly,
> redirecting the output to the user, closing the stream and quitting.
>
> Again I've never done any of this so it would take some experimentation to
> find the easiest/best solution.
>
> -tg
>
> ----- Original Message -----
> From: Brien Voorhees <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 22, 1999 10:24 AM
> Subject: User Security (was Re: Using JSP and Servlets.)
>
>
> > I just recently subscribed to this list and have already found several
> > of your posts to be useful.  Thanks for spreading the knowledge, Craig. :)
> >
> >   I've always liked separating presentation logic and will likely use a
> > JSP-Presentation/Servlet-Logic approach as you suggest.  One aspect that
> > seems like it will be a hassle is preventing a user from accessing
> > restricted areas of the website.  It looks like, for one request, I'll
> > need to verify that the user making the request is valid in both the
> > servlet and the JSP (since even jsp's meant to be called only from
> > servlets can be typed in as a URL).  Has this been your experience?  I can
> > derive my servlets from some sort of ProtectedServlet base class to handle
> > most of the checking logic but it still seems like a pain.  I hate to
> > force all my JSP's to have user-checking java code embedded in them since
> > the goal is that a non-programmer web designer can create all the
> > presentation files.
> >
> >   Would taglibs help?  I haven't found much documentation on taglibs so
> > far.
> >
> > Brien Voorhees
> >
> > ----- Original Message -----
> > From: Craig R. McClanahan <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 21, 1999 3:59 PM
> > Subject: Re: Using JSP and Servlets.
> >
> >
> > > This is exactly how I write my JSP-based applications.
> > >
> > > Basically, any form in my app is submitted to a servlet, which does
> > > whatever functional logic is required, assembles the results into beans,
> > > stashes them in the request or session (depending on how long the
> > > information needs to last), and forwards control to the JSP page.
> > > Thus, my servlet might have some code like this:
> > >
> > >     MyBean myBean = new MyBean(....);    // Set up a bean with the answers
> > >     request.setAttribute("myBean", myBean);
> > >     RequestDispatcher rd =
> > >         getServletContext().getRequestDispatcher("/nextpage.jsp");
> > >     rd.forward(request, response);
> > >     return;
> > >
> > > In the JSP page named "nextpage.jsp", all I have to do to access this
> > > bean is declare it:
> > >
> > >     <jsp:useBean id="myBean" scope="request" class="MyBean" />
> > >
> > >
> > > Craig McClanahan
> >
> >
>
> > ===========================================================================
> > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> > FAQs on JSP can be found at:
> >  http://java.sun.com/products/jsp/faq.html
> >  http://www.esperanto.org.nz/jsp/jspfaq.html
> >
