In its simplest form, I want an interceptor that checks session data to see if a user is logged in, and if not redirects them to the login page. Obviously, I wouldn't want this interceptor to be used on, say, the welcome page or the login page itself.

I've seen a design that uses a listing of every URL to one of two interceptors, one doing nothing and the other being the actual interceptor you want implemented, but this design seems very clunky and limits the ease of extensibility of the application. It makes sense to me that there should be an annotation-based way of using interceptors, but this doesn't seem to exist.

My friend has the idea of actually modifying the handler class so that during each request it checks the Controller it is mapping the request to for a new annotation we would create (e.g. `@Interceptor("loginInterceptor")`).

A major point of my thinking is the extensibility, because I'd like to later implement similar interceptors for role-based authentication and/or administration authentication.

Does it sound like my friend's approach would work for this? Or what is a proper way of going about doing this?

A: 

What about a Servlet Filter on all requests that sends the user to the login page if the user object isn't in the session? For the second part you can use security annotations on the controller methods that can check the user's role.

BrennaSoft
+1  A: 

Use Spring Security.

anger
+1  A: 

Please have a look at these sites: "Spring Framework Annotation-based Controller Interceptor Configuration" and "Ability to restrict HandlerInterceptors to specific controller paths".

Hope it will be useful.