I'm fairly new to Java and servlets, etc., but I need to clarify a design issue using the MVC model with JSP, Servlets and Beans.
I'm writing a user authentication system that allows a user to use a website without registering. Once registered (as one of 3 types of users), they are allowed more privileged access to certain areas.
My Current Solution
I have an abstract User class and 4 other classes for each of the users that extend the User class. These are:
Unknown is the un-authenticated user.
I've tried to implement this using 1 Controller servlet which accepts a POSTed form from a JSP page to authenticate the user. The servlet creates an instance of UserBean (a bean that deals with the creation of the appropriate user-type class), and is put into the current session.
Once logged in, the user is then redirected to a home page (by the servlet) that is relevant to the current user (eg Type2 will go to type2.jsp)
That works with no problems.
My problem is that a user who hasn't logged in can just type type2.jsp and access the page.
What I want it to do is deny the user by redirecting them to their appropriate login page (say type2-login.jsp).
I have been using PHP professionally for a while, and this was overcome by simply bunging an 'isLoggedIn and user==type2' check in code within the PHP page, but I want to ensure code and design separation, so I assume that a check in JSP is a no-no, the most logical place seems to be the Servlet that's acting as a Traffic Cop as someone put it.
But I can't see how this would work because the page can't tell the Servlet to 'kindly, check the user has logged in and is sufficiently privileged, and if not redirect him to an appropriate login page'. Or can it?
Apologies for the long post, but I'm not able to proceed unless I can get a handle on the correct way to do it.
Thanks in advance,
[ March 26, 2002: Message edited by: Andrew Kenny ]
Just put the jsps, which only should be accessed via MVC-forwarding from Controller, in the WEB-INF directory. You may create an extra folder (I use WEB-INF/jsp/.
All files under the WEB-INF can't be accessed directly.
I havent tried, but I think a 404 Error is returned (correct me if I am wrong, to late for testing), when users are trying to access those pages directly. You can then redirect all 404 errors to the login page via deployment descriptor.
[ March 26, 2002: Message edited by: Axel Janssen ]
thanks for the reply, but the solution you suggest wouldn't be acceptable. It needs to redirect the user, rather than display an error page.
Also, it's more of a design solution I'm after, as I know I'll encounter similar situations as I continue writing the application.
I'll make a note of the idea though, as I'm sure it'll come in handy
Your tag body can be some like this.
Here your tag code will have to refer a properties file to check if the current User object in the session has access to this page.
<security:accesscontrol users="com.something.Type1 com.something.Type2" />
In this case your Tag code will simply validate if the current User Object is of one of the types specified.
Hope this helps
There must be a standard way of doing this sort of thing, whether it's for authentication, or some other task.
Basically, I want to hide away the logic for the authentication in a class or a servlet so the JSP pages contain the least amount of code (or none).
Originally posted by Andrew Kenny:
whenever u r checking the users login.. that time, if the user is valid place that username in a Session.. and in each page check whether Session is null or not.. like..
Thanks and regards,
There are some libraries/frameworks which take care of access control. Jakarta Turbine is one of them (http://jakarta.apache.org/turbine). You may also want to check out JAAS (Java Authentication and Access Control Standard) from sun. There are also some papers on the net for standard ways to implement security... but I cant seem to remember where I saw them.
Then put security constraints on each directory.
Please something like this in your web.xml
<description>Type 1 users</description>
You would have a role for each user type. The roles and users are implemented using J2EE security. How this is actually achieved depends on which JSP container you're using.
When a user is registered, they are assigned to a role. Their role determines which directory they have access to. The container manages this for you. If you want to programmatically check, you can use the isUserInRole() method in the HttpServletRequest class to determine if a user is in a particualr role.
Hope this helps ...