
Handling Sessions

 
Raj Maheshwari
Ranch Hand
Posts: 34
Hi!

I want to create a very simple application that allows users to log in. It should not use cookies, but use sessions.

My goal is to be able to create a LoginFilter class which will be invoked before any of my restricted servlets can be displayed to the user.
If the user has already logged in with a correct username/password, then let them proceed to the requested servlet, else they can be directed to the LoginServlet which will force them to enter a username/password.

So as long as they enter the correct username/password and use the same browser, the user should remain logged in.

The authentication is done via some simple file where we validate the username/password.

Also, if someone can let me know how to time out a stale session and log out a user, that'd be super awesome!

Thanks
Raj
 
David O'Meara
Rancher
Posts: 13459
Why are you re-inventing the wheel? All of this is already a part of the J2EE spec. If you have a look at the various authentication parts, BASIC, FORM etc., they all provide the behaviour you describe.

The advantage they have by being declarative rather than programmatic is that additional pages pick up the security just by being placed in the right location. They don't require you to remember to add security code to each of the pages.

"It should not use cookies, but use sessions."
These aren't necessarily two different things. While it is possible to support sessions using the URL, the most common form is to write a cookie to the machine with the session id. Hence sessions use cookies.
 
Raj Maheshwari
Ranch Hand
Posts: 34
Hi David

So how can I implement this?

Raj
 
David O'Meara
Rancher
Posts: 13459
It is defined in the web.xml.

Depending on the type of authentication you choose (I like FORM based), you define groups of secured resources, e.g. /admin/*, and then associate those groups with roles, e.g. Admin_User.

Some of this is defined in the Tomcat HOWTO for Container Managed Security.

Dave
 