Login filter issue

Hello
I want to add an auto login check, but not all pages
I read that I should create 2 folders..one for the protected pages (requires login), and another one for the rest of the pages, and then I should set the filter's url-pattern to "/securedFolderName/*"

How can I make the client to insert www.SomeDomain.com/SecuredPage.jsp instead of www.SomeDomain.com/securedFolderName/SecuredPage.jsp, and still going through the filter?

Is there any other way to do it?..maybe to move the authentication responsibility to the controller??..what is the best way?

Thanks : )

No you should not move it to the controller.

You set up the mappings, not the client, so I'm not sure what to make of your question.

By the way, you should not be directly addressing JSPs, but rather their page controllers.

Bear Bibeault wrote:No you should not move it to the controller.

You set up the mappings, not the client, so I'm not sure what to make of your question.

By the way, you should not be directly addressing JSPs, but rather their page controllers.

Lets say that I have a filter with url-pattern = "/*" --> pages like login.jsp & home.jsp will go through the filter, even though they shouldn't
If I have a filter with url-pattern = "/SecuredPages/*" --> www.DomainName.com/SomeSecuredPage.jsp won't go through the filter

Am I right?

Correct. But if you are addressing JSPs directly with URLs, you are not following best practices. Perhaps this article will help.

If your always hit a servlet (page controller), you have complete control over the mapping of the URLs.

Bear Bibeault wrote:Correct. But if you are addressing JSPs directly with URLs, you are not following best practices. Perhaps this article will help.

If your always hit a servlet (page controller), you have complete control over the mapping of the URLs.

Thanks for the article..
I've already read about the Front Controller Pattern, and I wrote "Command" interface, and I also have the controller itself..all done before the question : )
The problem is that the filter works before the controller gets the request

I want the client to request "www.SomeDomain.com/SecuredPage.jsp" or "www.SomeDomain.com/NonSecuredPage.jsp", and make the filter work only on the secured one

I'm sure there is a very small thing I miss

Like Bear said, regardless of which url is requested, route the request tot he controller first, then the controller will forward to an appropriately mapped resource and the filter should be able to execute against the correct URL based on the mapping. I am sure Bear and others can explain better than I did.

Bosun Bello wrote:Like Bear said, regardless of which url is requested, route the request tot he controller first, then the controller will forward to an appropriately mapped resource and the filter should be able to execute against the correct URL based on the mapping. I am sure Bear and others can explain better than I did.

OK so let me see if I understand your idea
I configure a filter with url-pattern="/Secured/*"
The request goes to the controller, which has some list of pages that should be (or not) authorized..lets say I have a file that has the data
The controller checks if the page is on the list, and if it does, it creates a URL that matches the filter pattern, and forward the request
If I do this (assuming I understand the idea) , I have a problem to go back to the front controller, because it will create a loop between the controller and the filter, unless the filter adds more data that says "this page was checked" or something like that..

Well, yes, you could certainly put a "checked" attribute into the request context.

However it's also possible in recent versions of the servlet spec to be able to say whether a filter applies to requests or includes or forwards separately, so you could exempt pages you forward to from this filter.

However I think the best strategy would be for the controller to forward to a JSP in a folder under the WEB-INF directory. Such a JSP wouldn't match that URL pattern so it wouldn't be processed by that filter.

Paul Clapham wrote:
However I think the best strategy would be for the controller to forward to a JSP in a folder under the WEB-INF directory. Such a JSP wouldn't match that URL pattern so it wouldn't be processed by that filter.

I'm sorry..I didn't understand the JSP responsibility in the solution, how the control goes back to the controller, and how the filter involved..
Too blurry for me : )

Thanks