
HttpServletRequest equivalent on html page

 
Kevin Kilbane
Ranch Hand
Posts: 42
Hi, this question isn't directly related to servlets so apologies if it is in the wrong forum but I thought this would be the best place to get an answer.

I'm working on an application running on Tomcat where the front-end is rendered through a mixture of java servlets and static html pages. Up to now, this application hasn't implemented any kind of session management which meant a user could bypass the login page and open any page in the application once he knew the correct url. I've now implemented session management in all the servlets which means a user will be forwarded to the login page if they try to access the servlet without having logged in.

I do this by creating a session on the web server in the login servlet using this code:



and I validate it by calling some common code at the beginning of each servlet that includes this code:



That's fine for the servlets. My question is this - is there an equivalent I can do in the static html files - do I have any access to the session or the request in the html file? If not, is there something else I can do to stop a user opening these pages without having logged in first?

Thanks in advance.
 
Kevin Kilbane
Ranch Hand
Posts: 42
sorry, my code tags don't seem to have worked!
 
ramprasad madathil
Ranch Hand
Posts: 489
I validate it by calling some common code at the beginning of each servlet that includes this code:


I would recommend you do this common validation in a servlet filter. That is exactly what filters are for.

That would solve the other problem too that you have - protecting html pages. All you would have to do is to route all requests (except the one for the login servlet of course) via the filter. You would use filter mappings to achieve that. Example usage is there in the link posted above.

cheers,
ram.
 
Kevin Kilbane
Ranch Hand
Posts: 42
That sounds like what I'm looking for alright, thanks.

Although it would be good if I could apply the filter across the board by specifying <url-pattern>/*</url-pattern> in the filter mapping and then using another tag to exclude the login servlet from it but it doesn't look like I can do this. There is no exclude tag - is that right?
 
David O'Meara
Rancher
Posts: 13459
Kevin Kilbane wrote: sorry, my code tags don't seem to have worked!

Disable BB Code in this message had been checked. I'll look into it.
 
ramprasad madathil
Ranch Hand
Posts: 489
Although it would be good if I could apply the filter across the board by specifying <url-pattern>/*</url-pattern> in the filter mapping and then using another tag to exclude the login servlet from it but it doesn't look like I can do this. There is no exclude tag - is that right?


Not directly out of the box, but there's one way you could do that though it would mean some custom coding in your filter.
Map your filter to /* or *.* and then add an init parameter to your filter specifying something like an exclude pattern which can be the url of your LoginServlet.
In your filter, check if the incoming url (request.getRequestURI()) matches the url specified in the init param and if it does, just allow it through. Else you apply your validation check.

Does that help?

ram.
 
Tim Holloway
Saloon Keeper
Posts: 18277
Personally, I think that cobbling together Do-it-Yourself security systems is a bad idea, and your initial problem - and the contortions you're attempting to avoid it - are among the reasons why I do:

http://www.mousetech.com/blog/?p=11

However, if you must, just put code in the filter to detect the URL of the login servlet. If it's a match, you don't execute the security code, just pop straight through to the servlet.
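
The filter-with-exclusion approach described in the two replies above, as an added example that is not code posted by anyone in this thread. The class name, the `excludePaths` and `loginPage` init-param names and the `user` session attribute are assumptions. It compares the container-decoded servlet path exactly, rather than matching on the raw `getRequestURI()` string, which is undecoded and can carry `;jsessionid` path parameters.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter; map it to /* in web.xml with two init-params (names assumed):
//   excludePaths = /login.html,/LoginServlet     loginPage = /login.html
public class SessionCheckFilter implements Filter {
    private final Set<String> excluded = new HashSet<>();
    private String loginPage;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String raw = cfg.getInitParameter("excludePaths");
        loginPage = cfg.getInitParameter("loginPage");
        if (raw == null || loginPage == null) {
            // Fail closed: refuse to start rather than run with no login path.
            throw new ServletException("excludePaths and loginPage are required");
        }
        for (String p : raw.split(",")) excluded.add(p.trim());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, already decoded by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        if (excluded.contains(path)) {          // exact match only, no prefix or substring
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);   // never create one here
        if (session != null && session.getAttribute("user") != null) {
            // Keep protected static pages out of browser and proxy caches.
            response.setHeader("Cache-Control", "no-store");
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + loginPage);
        }
    }

    @Override
    public void destroy() { }
}
```

Anything the login page itself loads (stylesheets, images, scripts) also has to be listed in the exclusion set, otherwise those requests are redirected to the login page too.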
 
Kevin Kilbane
Ranch Hand
Posts: 42
got that working (using the cobbled-together approach) - thanks for your help

here's what I did just in case anyone has a similar query:

Project's web.xml :



BlahSessionFilter.java :



 