Well, there are many ways. But, the way we do it is quite easy actually.
Assuming you have a database set up, and a table called LoginTable, we'll
go from there.

Ideally, you would have a JSP page with a form on it, that allows them to
enter their user name and password. When submitted, your JavaBean used on the
JSP page would have a submit() method you create, that is called when the
form is submitted. Now, that method gets a database connection, opens up
the LoginTable and does a SQL query on that table something like: "SELECT *
FROM LoginTable where user_name=%%LOGIN_NAME%% and
user_password=%%LOGIN_PASSWORD%%". I forget the exact syntax... I don't do the
SQL here. The %%xxx%% tokens would be replaced with the actual name and
password entered (as variables). That would then return a ResultSet that
would indicate if the name/password existed or not. If they did, the
ResultSet would return with their information that is stored in the table
(maybe a profile, such as address, city, state, zip, full name, etc...or an
ID that links them to another table with that info). If not, ResultSet
would return null. You check for it, and if it's not null, they can log in.

There are other issues to think about. First, ideally you do NOT want any
inside pages to be accessed unless a client has logged in. If they type the
direct url in the line, or come to your site via a bookmark, you do NOT
want them to see any inside pages (usually) without a valid login. You also
don't want them to be able to save a bookmark with their user_id that
permits them in. Always make them log in. That is the idea behind all this.

So, what I do is I include a HEADER on every single page. Our site has an
"outside" and an "inside". This HEADER determines if the page is an outside
page or inside page based on a "variable" (using JSP 1.0) that every single
page sets before the HEADER is included. Based on the variable value (-1 =
outside, 0 = neutral, 1 = inside), it knows to check or not for a login.
Now, how you check to see if someone is logged in is the HttpSession. When
a user logs in, you add an object to the HttpSession. ONLY if they are
logged in does this object exist. So, when a user types in an inside page
or uses a bookmark BEFORE logging in, the header sees that the page is an
INSIDE page and checks for the object. Since the object won't exist without
them logging in, it redirects them to the main outside page. No matter what
inside page they try to go to, it ALWAYS works because EVERY page includes
this one header file.

There are other ways too. I will eliminate the "flag" variable one of these
days in favor of seeing if the word /inside is in the URI. If it is, it's an
INSIDE page. ALL of my inside pages are in the /inside folder, so that I
always keep them in a nice order. It's easy for me to find inside pages from
outside pages (/outside).

That is how I do it anyways. I don't know if it's the best way, but it is
working. Keep in mind you will want to validate the entries of forms too.
If for example you only allow a-z and A-Z for login names and passwords, no
spaces, no numbers, etc, then you need a validation routine to check for
that. I would choose JavaScript over server-side since it can give
immediate results and not require a server hit and cpu time on the server
to validate a form. However, I have been told that both should be used, or
server-side validation, but not just javascript. I personally don't see any
reason why it's so bad. In fact, I have laid out my forms in JSP pages rather
pleasingly in my eye. I put a "hidden" white image next to every field.
When the form is submitted, it calls a javascript routine that takes the
index of the form on the page, goes through EVERY element of the form, and
validates it based on a "hidden" field right before the field to be
validated. The hidden field dictates the type of validation to be done on
the next field. If the field doesn't validate, it displays a red arrow next
to the field, so the specific field is displayed and the user knows it's
incorrect. This does use JavaScript, so your site will require javascript
enabled browsers to use this ability. If you are doing a site that must
work with browsers that may not have javascript, then of course the choice
is server-side validation. But, since we target a select group of people,
we only allow MSIE/NS 4+ browsers with javascript and cookies enabled to
our site. It's nice to be able to target a small group of people! Has its
advantages anyways.

If you have any questions, feel free to ask.


Kevin Duffey
Software Engineer
[EMAIL PROTECTED]
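
An added example, not part of the original post or the author's code: the login lookup described above written with JDBC parameter binding instead of substituting the entered values into the SQL text, together with a server-side copy of the a-z/A-Z rule. The class name, method names and the 32-character limit are assumptions; the table and column names are the ones given in the post.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Added example: server-side login check for the LoginTable described in the post. */
public class LoginCheck {
    // Server-side copy of the post's rule: letters a-z and A-Z only.
    // The 1-32 length limit is an assumption, not from the post.
    private static final Pattern ALLOWED = Pattern.compile("[a-zA-Z]{1,32}");

    /** Re-checks the form value on the server; browser-side JavaScript can be bypassed. */
    public static boolean isValidField(String value) {
        return value != null && ALLOWED.matcher(value).matches();
    }

    /**
     * Returns true when a row matches the supplied name and password.
     * The values are bound as parameters, so they are never parsed as SQL.
     */
    public static boolean credentialsMatch(Connection conn, String name, String password)
            throws SQLException {
        if (!isValidField(name) || !isValidField(password)) {
            return false; // reject before touching the database
        }
        String sql = "SELECT 1 FROM LoginTable WHERE user_name = ? AND user_password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                // JDBC returns an empty ResultSet, not null, when nothing matches.
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs exercising only the validation step (no database needed).
        System.out.println(isValidField("kduffey"));      // letters only
        System.out.println(isValidField("kevin duffey")); // contains a space
        System.out.println(isValidField(null));           // missing form field
    }
}
```

Only after `credentialsMatch` returns true would the login marker object be placed in the HttpSession that the shared header checks.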
