I have a customer who has an existing web application. This application is freely accessible. Now, he wants to commercialize the application.
The way to do this is by adding a system with subscriptions, so that a user has to log in to view the application. So far, no problem.
The problem comes in the fact that the existing web application was not developed by me, but by others. My client doesn't want to change the code in the existing application, he wants me, if possible, to create a new small web application around the existing one that handles session control.
This means that every time a page of the existing application is accessed, a check needs to be performed by the new small application to see whether the user already has a session, or not. If not, the user needs to log in.
I have talked to someone who has done something similar, but that was in .NET. It seems that on Microsoft IIS it is possible to configure that every time a page of an application is accessed, a code snippet is automatically run. This way the session check is performed.
The existing web application runs on the Tomcat web server.
Can it be done? If so, how?
Thanks in advance,
Filters can intercept requests going to or coming from any resource on your server (servlets, JSPs, static resources).
What gets intercepted is determined by URL mappings that you set in the deployment descriptor.
I have an example app that does this (and a bit more) on my site:
Look for SessionMonitor.
Depending on your client's needs, you may also be able to do this with declarative security right from your deployment descriptor.
Take a look at SRV.12.8 in the ServletSpec (link in my signature).
You may find that the container already has all the security that you need.
But, now I have another problem. If a user is not logged, I want to forward to a url that is not within the application (for example google.com).
How do I do that?
Which were you trying?
I'm not sure how to do this with declarative security but here's how I usually do it (programmatic):
Upon a successful login, bind an object to session (call it userBean).
Then use a filter to intercept every request.
In the filter, check for the existence of the userBean.
If it's there (not null) let the request go through.
If not, forward the user to the login screen.
This is what I do in that example app mentioned earlier.
[ December 02, 2005: Message edited by: Ben Souther ]
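The steps in the post above, written out as a servlet filter. This is an added example, not part of the original posts and not the example app they mention. The class name, the `loginUrl` init-param and the `returnTo` parameter are hypothetical, and it assumes a login step has already bound `userBean` into this application's own session. It sends a redirect to an absolute URL rather than forwarding, since a forward through the request's own dispatcher stays inside the current web application.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: gate every mapped request on a session attribute set at login.
public class SessionCheckFilter implements Filter {
    // "userBean" follows the post above; the init-param name is hypothetical.
    private static final String USER_ATTR = "userBean";
    private String loginUrl;

    public void init(FilterConfig cfg) throws ServletException {
        // Absolute URL of the login screen, e.g. http://testserver/loginapplication/welcome.do
        loginUrl = cfg.getInitParameter("loginUrl");
        if (loginUrl == null || loginUrl.trim().isEmpty()) {
            // Fail closed: refuse to start rather than serve pages unprotected.
            throw new ServletException("loginUrl init-param is required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to check for one.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn) {
            // Keep subscriber-only pages out of browser and proxy caches.
            response.setHeader("Cache-Control", "no-store");
            chain.doFilter(req, res);
            return;
        }
        // Pass back only the local path (hypothetical returnTo parameter); the
        // login application must still validate it before redirecting to it.
        String back = request.getRequestURI();
        if (request.getQueryString() != null) {
            back += "?" + request.getQueryString();
        }
        response.sendRedirect(loginUrl + "?returnTo=" + URLEncoder.encode(back, "UTF-8"));
    }

    public void destroy() { }
}
```

Map the filter to `/*` in the existing application's deployment descriptor so that JSPs and static resources are covered as well as servlets.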
I have read about a way of sharing the session, but I still have to try that.
But, here comes the question I asked above.
Since the login screen is in a different application from the filter class, how can I forward from the filter class to the login screen? If you forward you use a mapping, but is it possible to use an absolute URL to forward to?
This example will clarify
Url from application where filter class resides
URL of the login screen
So can I forward from the filter class in "http://testserver/archiveapplication" to the login screen in the other application? So forward to "http://testserver/loginapplication/welcome.do".
Hope this makes it a bit clearer,
If you could help me with this, I would be very grateful,
You would make your changes in such a way that you needn't touch the existing code in any fashion. In other words, you add some more new control logic.
The control logic would be in the form of filters.
One functionality that a filter (look at http://java.sun.com/products/servlet/Filters.html for a crash course) does is to block requests based on a user identity.
So all requests to the existing web application would first be assigned to this filter (which would essentially do the same task as the script your friend talked about in .NET). The filter would block the request and when it finds no valid session associated with that request would redirect the request to your web application which would perform whatever is required.
Now comes the next part, which is an even tougher nut to crack - in Java, sessions are not sharable across web applications. In short, when you associate a user to a session in one web application, there's no way the other web application can access or share this data.
1. In Tomcat, one context can be accessed from another by defining the two contexts to be 'sharable' in 'context.xml' - I tried this once long back and the results were quite unpredictable.
The API support is the getContext(String otherContext) method of the context object.
2. Hold this info in a mutually sharable DB/file/serialized object.
You will notice from the above, that you will have to call a redirect api rather than forward to the other application.
And after that, comes the question of how you are going to solve the session sharing problem, which may be the most difficult of all.
At the moment there is no spec compliant way to share sessions across contexts. The container you're using may have additional functionality to do this.
You would need to check with your server's documentation.
Here are some links
For sharing the session I will use this solution
I use the part of getting the session id, but I hold my user information in a database with the session id as primary (unique) key.
For session invalidation I will create a job that will check in the database if a session should be invalidated.
What do you think?
Originally posted by Thierry Collogne:
What do you think?
It sounds like a lot of work; probably a lot more than working a filter into the existing app.
Valves are also Tomcat specific so the solution won't be portable.
Other than those issues, it looks good on paper.
Give it a shot and let us know how it worked out for you.