Hi,

I am new to servlets and jsps. I wanted to know what the best design would be for a sample problem I am trying to write code for. Here goes -

I want to create a web site (www.example.com) that just lists the login history of every user (not any functionality anyone wants but just an example for the sake of one).

So there are two URLs here - /index.jsp and /login (Let's assume all registrations are done).

The index.jsp will show all the past logins for that user. But for that I have to identify if the user is already logged in or not. If the user is already logged in I show him his history, else I have to forward him to the login page automatically.

I already wrote a custom cryptographically strong cookie that will tell me if the user is logged in or not. So if the cookie is sent to me I can verify if he is authenticated or if the cookie/session has expired or not. That is not a problem.

The design problem I have is this - How should the java class checking for authentication be called? Do I use custom jsp tags for checking this and rewriting the page? I want to make the class easy for my html developers to use when creating new pages. What is the best way to do this?

I guess my question has more to do with the correct usage of java code in jsps and/or maybe custom tag libraries. Please feel free to go on as long a rant as you want to :)

Thanks for reading.

  • Vas
+2  A: 

You can use a Filter for this. This way you can keep the code logic in a single place without the need to unnecessarily copy-paste the same code over all JSP pages and it also keeps JSP nicely scriptlet-free.

Instead of reinventing the session by creating a cookie yourself, you can also just make use of the Java EE provided HttpSession API. This is basically already backed by a cookie and you can store Java objects in the session as attributes so that they remain available the entire user session.

On login just put the User object in HttpSession:

```java
User user = userDAO.find(username, password);
if (user != null) {
    request.getSession().setAttribute("user", user);
} else {
    // Show error.
}
```

To check if a user is logged in, use a Filter. Implement the doFilter() method as follows:

```java
if (((HttpServletRequest) request).getSession().getAttribute("user") != null) {
    chain.doFilter(request, response); // User is logged in, just continue with request.
} else {
    ((HttpServletResponse) response).sendRedirect("login"); // Not logged in, redirect to login page.
}
```

and map it on an url-pattern like /secured, /restricted, /users or so. Put the to-be-restricted JSP pages in the same folder in webcontent as well.

To log out a user, just remove it from the session:

```java
request.getSession().removeAttribute("user");

// Or, more drastically, invalidate the entire session:
request.getSession().invalidate();
```

That said, Java EE already provides declarative (xml-config based) container managed security, you can find a tutorial about it here. You can make use of it, but if you want to let your application intercept independently on the logins managed by the container to for example keep an overview of the login history, then you still need to create a Filter. For example:

```java
HttpServletRequest httpRequest = (HttpServletRequest) request;
// getUserPrincipal() returns java.security.Principal (null when not authenticated).
Principal user = httpRequest.getUserPrincipal();
HttpSession session = httpRequest.getSession();
if (user != null && session.getAttribute("user") == null) {
    session.setAttribute("user", user);

    // First-time login. You can do your intercepting thing here.
}
chain.doFilter(request, response);
```
BalusC
Thanks. I did not know about Filters till now. I looked them up briefly. They look like what I need. So am I correct in saying that Filters should be used to determine logic in JSPs and Custom Tags for UI related stuff like getting user name, location etc ?
The 1st link in my answer contains the information you need to know about filters. They're intended to, well, **filter** the requests. JSP is just a view technology and should also be used as it is for: to **present** the data in a dynamic manner. Custom JSP tags are generally only useful to replace repeated HTML pieces, such as `<label>` + `<input>` + `<span class="error">` in a single `<x:formfield>` or so. To control the "standard" flow in JSP you already have the JSTL and EL for. Servlets are there to control, preprocess and postprocess requests.
BalusC