Create a session after login

Hi,
How can i create a session when i loged in and how can i invalid it when i logout?
Thank you in advance

It would be very difficult to NOT have a session and be logged in. Without an HttpSession attached to the user, the only requests you can make are stateless ones, because the login state is pretty much constrained to be part of the session.

In any event, if you use the J2EE standard container, it should create a session when you login if you didn't already have one. But that's not really important. At any time, if you invoke the getSession(true) method, the current session will be returned to you. And if there was no current session, it will create one and return it.

To logout, the traditional method has been to invoke the session object's invalidate() method. In JEE, however, there's now also an explicit logout() method.

Only i should use this statement :
HttpSession session = request.getSession(true);
without setAttribute ?

Well, you cannot set a session attribute until you have a session object to hold the session attribute collection!

If i use setAttribute in my login servlet, what shoul i put in my logout servlet

Sarra Sakka wrote:If i use setAttribute in my login servlet, what shoul i put in my logout servlet

You can do it 2 ways:

Clear the entire session
HttpSession session = request.getSession(); session.invalidate();// this will clear all attributes in the session

or

Clear certain session variables
HttpSession session = request.getSession(); session.set("Variable_1", null); session.set("Variable_2", null);

It depends what you are defining as "logout" for your application. You may want to clear a specific user out of the session and keep other session variables around for whatever reason. If you want to totally clear the entire session then invalidate it.

If i use a filter, how can i do it?

Sarra Sakka wrote:If i use setAttribute in my login servlet, what shoul i put in my logout servlet

Your entry point needs to be outside of your filter. (meaning not in the confines of the filter)

Here is a simple login filter I use to check if the user is logged in and in the session within the defined url pattern. (using the tomcat container)

This will give you the basic path and flow of how to implement it, however there are other frameworks and logic within that code that you would have to implement yourself for your specific application.

Filter descriptor

<filter> <filter-name>AdminFilter</filter-name> <filter-class>com.AdminLoginFilter</filter-class> <description>Admin Login Filter</description> <init-param> <param-name>Admin_login_form</param-name> <param-value>/administration/login</param-value> </init-param> </filter> <filter-mapping> <filter-name>AdminFilter</filter-name> <url-pattern>/administration/controlpanel/*</url-pattern> </filter-mapping>

Servlet Filter
public class AdminLoginFilter implements Filter { private FilterConfig filterConfig; private String loginForm; public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; loginForm = this.filterConfig.getInitParameter("Admin_login_form"); } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpSession session = httpRequest.getSession(); ControlPanelUser adminUser = (ControlPanelUser) session.getAttribute(PageConstants.CONTROL_PANEL_USER); if ((adminUser == null || adminUser.getBoId() < 1)) { //Send user to login form filterConfig.getServletContext().getRequestDispatcher(loginForm).forward(request, response); } else {// Send user to requested page chain.doFilter(request,response); } } public void destroy() { this.filterConfig = null; } }

Credential check

public class CheckUserCredentialsCommand implements Command { public void execute(CommandContext commandContext) throws Exception { ILoginForm loginForm = new LoginForm(); loginForm.populateFromForm(commandContext); List<ValidationMessage> messages = loginForm.validate(); if(messages != null && messages.size() > 0){ commandContext.setScopedVariable(PageConstants.LOGIN_MESSAGES, messages, ScopedContext.REQUEST); } else { ControlPanelUser customer = ControlPanelUserDAO.selectControlPanelUser(loginForm.getEmailAddress(), loginForm.getPasswrd()); if(customer != null){ commandContext.setScopedVariable(PageConstants.CONTROL_PANEL_USER, customer, ScopedContext.SESSION); } else { commandContext.setScopedVariable(PageConstants.LOGIN_MESSAGES, messages, ScopedContext.REQUEST); } } String referer = commandContext.getRequest().getHeader("referer"); if(referer != null){ referer = referer.substring(referer.lastIndexOf("/") + 1, referer.length()); if("login".equals(referer)){ commandContext.redirect(commandContext.getServletContext().getContextPath()+"/administration/controlpanel/dashboard"); } else { commandContext.redirect(commandContext.getRequest().getHeader("referer")); } } else { commandContext.redirect(commandContext.getServletContext().getContextPath()+"/administration/controlpanel/dashboard"); } } }

My login entry is http://www.mysite.com/administration/login, when i login on that page it submits to the CheckUserCredentialsCommand which is just a simple servlet. That servlet then tries to do a page redirect to one of the pages that is behind the filter. In the filter it checks the user, if the user is null it forwards back to the login page, if there is a valid user it goes through the filter chain which was your redirect from the CheckUserCredentialsCommand and now your url looks like http://www.mysite.com/administration/controlpanel/dashboard, dashboard page being behind the filter, if there was no user you would never be able to get to that page.

Your logout would then just be another servlet that invalidates the session and redirects the user back to the login page.

Thank you for your reply, but i don't understand you very well.
here's the filter code :
package com.pack.classes; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /** * Servlet Filter implementation class AuthorizationFilter */ @WebFilter("/AuthorizationFilter") public class AuthorizationFilter implements Filter { /** * Default constructor. */ public AuthorizationFilter() { // TODO Auto-generated constructor stub } /** * @see Filter#destroy() */ public void destroy() { // TODO Auto-generated method stub } /** * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain) */ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; HttpSession session = request.getSession(); String userName = (String) session.getAttribute("user"); if (userName == null) response.sendRedirect("authentication.jsp"); // pass the request along the filter chain chain.doFilter(request, response); } /** * @see Filter#init(FilterConfig) */ public void init(FilterConfig fConfig) throws ServletException { // TODO Auto-generated method stub } }
Filter descriptor in web.xml:
<filter> <filter-name>AuthorizationFilter</filter-name> <filter-class>com.pack.classes.AuthorizationFilter</filter-class> </filter> <filter-mapping> <filter-name>AuthorizationFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
the authentication jsp page :
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>authentication</title> <link type="text/css" rel="stylesheet" href="inc/style.css" /> </head> <body> <div> <form method="post" action="authentication"> <label for="name">Name :</label><input type="text" id="name" name="id"/><br /> <label for="password">Password :</label><input type="password" id="password" name="pass"/><br /> <input type="submit" value="Confirm" /> <input type="reset" value="reset" /> <br /> </form> </div> </body> </html>
and here's the servlet of authentication :
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub /* Connexion � la base de donn�es */ int value = 0; String id = request.getParameter("id").trim(); String password = request.getParameter("pass"); try { Class.forName("org.postgresql.Driver"); System.out.println("Driver O.K."); String url = "jdbc:postgresql://localhost:5432/Login"; String user = "postgres"; String passwd = "DataBase"; Connection connexion = DriverManager.getConnection(url, user, passwd); System.out.println("Connexion effective !"); /* Cr�ation de l'objet g�rant les requ�tes */ Statement statement = connexion.createStatement(); /* Ici, nous placerons nos requ�tes vers la BDD */ /* Ex�cution d'une requ�te de lecture */ ResultSet resultat = statement.executeQuery( "SELECT user_id,user_password,user_role from users "); while ( resultat.next() ) { String iddb = resultat.getString( "user_id" ); String passdb = resultat.getString( "user_password" ); String roledb = resultat.getString( "user_role" ); /* Traiter ici les valeurs r�cup�r�es. */ if ((id.equals(iddb))&&(password.equals(passdb))) //there's the same id in data base, so we should check the role { if(roledb.equals("admin"))//if the role is admin we should verify the password { //response.sendRedirect("home.jsp"); //return; //RequestDispatcher send= request.getRequestDispatcher("/home.jsp"); // send.forward(request, response); value=1; System.out.println("admin"); break; } else if (roledb.equals("employee")) { //response.sendRedirect("login_ban.jsp"); //return; value =2; System.out.println("employee"); break; } } else //check your data : id_user not found in database { //response.sendRedirect("login_failure.jsp"); //return; value = 3 ; System.out.println("nothing"); } } resultat.close(); connexion.close(); } catch ( SQLException e ) { /* G�rer les �ventuelles erreurs ici */ } catch (ClassNotFoundException e) { // TODO Auto-generated catch block e.printStackTrace(); } if(value == 1) { RequestDispatcher send= request.getRequestDispatcher("/home.jsp"); send.forward(request, response); HttpSession session = request.getSession(true); session.setAttribute("user", id); } if(value == 2) { RequestDispatcher send= request.getRequestDispatcher("/login_ban.jsp"); send.forward(request, response); } if (value == 3) { RequestDispatcher send= request.getRequestDispatcher("/login_failure.jsp"); send.forward(request, response); } }
here's the home.jsp :
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Insert title here</title> </head> <body> hello world <div> <form method="post" action="logout"> <input type="submit" value="Logout" /> </form> </div> </body> </html>
and the Logout servlet:
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub HttpSession session = request.getSession(); System.out.println("User="+session.getAttribute("user")); session.removeAttribute("user"); System.out.println("User="+session.getAttribute("user")); if(session.getAttribute("user") == null) { session.invalidate(); } /* if(session != null) try{ request.getSession().setAttribute("user", null); session.invalidate(); }catch(Exception e) { e.getMessage(); } */ response.sendRedirect("authentication.jsp"); }
what should i change in my code to make it work?
thank you in advance

I would need more information. With your current code what exactly is NOT working? You seem to have the format correct.

First thing i see is that your filter is filtering every request by defining the following url pattern:

<url-pattern>/*</url-pattern>

you would need at least 2 url patterns defined:

http://www.mysite.com/administration/login // this url should not pass through the filter code, anybody should be able to view this page

http://www.mysite.com/administration/controlpanel/dashboard //this url is behind the filter (you would define a pattern as so)
<url-pattern>/administration/controlpanel/*</url-pattern>

This way anybody that tries to view pages behind /administration/controlpanel/* has to pass through your filter and in there you evaluate if the user is authenticated or not or if the user even exists.

when i put a valid username and password the user logged in to home.jsp.
in home.jsp when i click logout, the authentication.jsp page displayed.
My problem is when i click in "back button " the home.jsp display or should not be displayed, did you understand me .
I change something in web. xml as the followings :
<filter-mapping> <filter-name>AuthorizationFilter</filter-name> <url-pattern>/jsp/*</url-pattern> </filter-mapping>

Ill try to explain the url mapping a bit better.

I have 2 servlet url patterns defined in addition to my filter url pattern. You want to make sure your entry point is OUTSIDE of your filter, this way if the is no valid user the pages behind the filter will not be displayed.

<filter-mapping> <filter-name>AdminFilter</filter-name> <url-pattern>/administration/controlpanel/*</url-pattern> </filter-mapping>

Servlet outside of filter (my login page)
<servlet-mapping> <servlet-name>AdminLoginCommandBroker</servlet-name> <url-pattern>/administration/*</url-pattern> </servlet-mapping>

Servlet inside my filter ( url pattern matches the filters url pattern)
<servlet-mapping> <servlet-name>AdminCommandBroker</servlet-name> <url-pattern>/administration/controlpanel/*</url-pattern> </servlet-mapping>

You also may be seeing a stale page so when you logout you also want to clear the page cache, so technically when you hit back after logout it should direct you to the login page.

Example:

public class LogoutAdminUserCommand implements Command { public void execute(CommandContext commandContext) throws Exception { commandContext.getResponse().setHeader("Cache-Control", "private,no-store,no-cache"); commandContext.getResponse().setDateHeader("Expires", 0); //Causes the proxy cache to see the page as "stale" commandContext.getResponse().setHeader("Pragma","no-cache"); //HTTP 1.0 backward compatibility commandContext.getSession().removeAttribute(PageConstants.SITE_CUSTOMER); commandContext.getSession().invalidate(); commandContext.redirect(commandContext.getRequest().getContextPath() + "/administration/controlpanel/dashboard"); } }

In place of my commandContext you would use HttpServletRequest request

so request.getResponse().setHeader(); ect.

I put the Example in the Logout servlet ??
here's the new configuration in web.xml as the followings:
<filter> <filter-name>AuthorizationFilter</filter-name> <filter-class>com.pack.classes.AuthorizationFilter</filter-class> </filter> <filter-mapping> <filter-name>AuthorizationFilter</filter-name> <url-pattern>/test/*</url-pattern> </filter-mapping>
Which i create a folder test,contains the jsp page put it inside filter.

Always the button back display the home page
here's the filter :
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; HttpSession session = request.getSession(false); System.out.println("**************DOING THE FILTER*************"); if(session.getAttribute("user")==null) { //Redirect user to login page response.sendRedirect("authentication.jsp"); } response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); response.setDateHeader ("Expires", -1); chain.doFilter(req, res); }
what's the problem according to you ?
I'm stuck

That looks like a pretty reasonable filter. The other half, of course, is for the authentication process to create a session attribute named "user" after a successful login. Does your code do that?

Sarra Sakka wrote:Always the button back display the home page
here's the filter :
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; HttpSession session = request.getSession(false); System.out.println("**************DOING THE FILTER*************"); if(session.getAttribute("user")==null) { //Redirect user to login page response.sendRedirect("authentication.jsp"); } response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); response.setDateHeader ("Expires", -1); chain.doFilter(req, res); }
what's the problem according to you ?
I'm stuck

You don't want to set the no-cache in the filter itself, you want to set it in the logout servlet. This way when you invalidate the session and expire the page, when you hit the back button it will send in another request which will passthrough your filter and the filter will validate the user and user == null at this point. Then It redirects to the login page because the user is null. You should never see the home page if you are in this state after logout.

Your logout servlet should look like:

There is also no need to check if the user is null at this point as you are invalidating the entire session at this point

import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; public class Logout extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { HttpSession session = request.getSession(); System.out.println("User="+session.getAttribute("user")); session.removeAttribute("user"); System.out.println("User="+session.getAttribute("user")); response.setHeader("Cache-Control", "private,no-store,no-cache"); response.setDateHeader("Expires", 0); //Causes the proxy cache to see the page as "stale" response.setHeader("Pragma","no-cache"); //HTTP 1.0 backward compatibility request.getSession().removeAttribute("user"); request.getSession().invalidate(); response.sendRedirect("authentication.jsp"); } }

Also you should probably redirect to another servlet instead of directly to a jsp page and in the servlet you would just page forward to the jsp.

In addition there is some bad logic and coding practice in your authentication servlet. I can go mre complex but here is you servlet refactored, please see comments:

public class UserLoginCheck { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { /* Connexion � la base de donn�es */ int value = 0; String id = request.getParameter("id").trim(); String password = request.getParameter("pass"); PreparedStatement ps = null; ResultSet rs = null; Connection connexion = null; try { Class.forName("org.postgresql.Driver"); System.out.println("Driver O.K."); String url = "jdbc:postgresql://localhost:5432/Login"; String user = "postgres"; String passwd = "DataBase"; connexion = DriverManager.getConnection(url, user, passwd); System.out.println("Connexion effective !"); //USE A WHERE CLAUSE FOR THE QUERY, WHAT IF YOU HAVE 1000'S OF USERS WHY BRING THE ALL BACK. THERE SHOULD ONLY BE //ONE USER WITH THAT USER ID AND PASSWORD, IF THERE IS MORE YOUR DESIGN IS WRONG. ALSO USE PREPARED STATEMENTS TO //PREVENT SQL INJECTION ATTACKS. ps = connexion.prepareStatement("SELECT user_id, user_password, user_role from users WHERE USER_ID = ? AND USER_PASSWORD = ?"); ps.setString(1, id); ps.setString(2, password); rs = ps.executeQuery(); //ONLY ONE RESULT EXPECTED SIMPLIFIED LOGIC if(rs.next()){ if("admin".equals(rs.getString("user_role"))){ HttpSession session = request.getSession(true); session.setAttribute("user", id); RequestDispatcher send= request.getRequestDispatcher("/home.jsp"); send.forward(request, response); } else if("employee".equals(rs.getString("user_role"))){ RequestDispatcher send= request.getRequestDispatcher("/login_ban.jsp"); send.forward(request, response); } } else { //user not found RequestDispatcher send= request.getRequestDispatcher("/login_failure.jsp"); send.forward(request, response); } } catch ( SQLException e ) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } finally { // USE FINALLY BLOCK WHEN CLOSING CONNNECTIONS TO ASSURE THEY ARE CLOSED. try { ps.close(); } catch (SQLException e) { e.printStackTrace(); } try { rs.close(); } catch (SQLException e) { e.printStackTrace(); } try { connexion.close(); } catch (SQLException e) { e.printStackTrace(); } } } }

Paul Clapham wrote:Does your code do that?

Yes, i think that

John Schretz wrote:In addition there is some bad logic and coding practice in your authentication servlet. I can go mre complex but here is you servlet refactored, please see comments:

I change my authentication servlet like as you say, also my Logout servlet, but always the same problem occurred ?
here's the filter :
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here HttpServletResponse hsr = (HttpServletResponse) res; hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1. hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0. hsr.setDateHeader("Expires", 0); // Proxies. chain.doFilter(req, res); }

here's the new filter :
HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; /* Récupération de la session depuis la requête */ HttpSession session = request.getSession(); /** * Si l'objet utilisateur n'existe pas dans la session en cours, alors * l'utilisateur n'est pas connecté. */ if ( session.getAttribute( "user" ) == null ) { /* Redirection vers la page publique */ response.sendRedirect( request.getContextPath() + "/authentication.jsp" ); } else { /* Affichage de la page restreinte */ chain.doFilter( request, response ); }
Should i implement the init() method ??

I need your help please

Sarra Sakka wrote:

John Schretz wrote:In addition there is some bad logic and coding practice in your authentication servlet. I can go mre complex but here is you servlet refactored, please see comments:

I change my authentication servlet like as you say, also my Logout servlet, but always the same problem occurred ?
here's the filter :
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here HttpServletResponse hsr = (HttpServletResponse) res; hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1. hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0. hsr.setDateHeader("Expires", 0); // Proxies. chain.doFilter(req, res); }

Why is the logout servlet a filter? I posted what the logout servlet should look like, its just a simple servlet, not a filter. You only need the filter for checking the valid user.
Here is the logout servlet again:

import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; public class Logout extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { HttpSession session = request.getSession(); System.out.println("User="+session.getAttribute("user")); session.removeAttribute("user"); System.out.println("User="+session.getAttribute("user")); response.setHeader("Cache-Control", "private,no-store,no-cache"); response.setDateHeader("Expires", 0); //Causes the proxy cache to see the page as "stale" response.setHeader("Pragma","no-cache"); //HTTP 1.0 backward compatibility request.getSession().removeAttribute("user"); request.getSession().invalidate(); response.sendRedirect("authentication.jsp"); } }

thank you for your reply,

John Schretz wrote: You only need the filter for checking the valid user.

do you mean only like this :
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here /* Cast des objets request et response */ /* Cast the request and response objects */ HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; /* Récupération de la session depuis la requête */ HttpSession session = request.getSession(false); /** * Si l'objet utilisateur n'existe pas dans la session en cours, alors * l'utilisateur n'est pas connecté. */ if ( session.getAttribute("user") == null || session == null ) { /* Redirection vers la page publique */ response.sendRedirect("/authentication.jsp" ); } else { /* Affichage de la page restreinte */ chain.doFilter( request, response ); } }
and this is a configuration in the web.xml is correct ?:
<filter> <filter-name>AuthorizationFilter</filter-name> <filter-class>com.pack.classes.AuthorizationFilter</filter-class> </filter> <filter-mapping> <filter-name>AuthorizationFilter</filter-name> <url-pattern>/test/*</url-pattern> </filter-mapping>

Sarra Sakka wrote:thank you for your reply,

John Schretz wrote: You only need the filter for checking the valid user.

do you mean only like this :
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here /* Cast des objets request et response */ /* Cast the request and response objects */ HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; /* Récupération de la session depuis la requête */ HttpSession session = request.getSession(false); /** * Si l'objet utilisateur n'existe pas dans la session en cours, alors * l'utilisateur n'est pas connecté. */ if ( session.getAttribute("user") == null || session == null ) { /* Redirection vers la page publique */ response.sendRedirect("/authentication.jsp" ); } else { /* Affichage de la page restreinte */ chain.doFilter( request, response ); } }

Yes, all you need to do is ask the filter if the user is valid. If yes chain.doFilter, if no redirect to the login page. Very simple.

Until now, the same problem
really i'm stuck :'(

Try this, set the filter up exactly like so and instead of doing a redirect we do a page forward.

public class FilterExample implements Filter { private FilterConfig filterConfig; public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; } public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here HttpServletRequest httpRequest = (HttpServletRequest) req; HttpSession session = httpRequest.getSession(); System.out.println("**************DOING THE FILTER*************"); if (session.getAttribute("user") == null) { //Send user to login form filterConfig.getServletContext().getRequestDispatcher("authentication.jsp").forward(req, res); } else {// Send user to requested page chain.doFilter(req,res); } } }

The same problem
when i click a back button it display a home.jsp

Sarra Sakka wrote:The same problem
when i click a back button it display a home.jsp

after you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?

John Schretz wrote:
after you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?

No, it don't go to the login page and remains in the same page home.jsp

Sarra Sakka wrote:

John Schretz wrote:
after you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?

No, it don't go to the login page and remains in the same page home.jsp

if you put a breakpoint in the filter when you refresh the page at that point does it hit the breakpoint?

John Schretz wrote:
if you put a breakpoint in the filter when you refresh the page at that point does it hit the breakpoint?

No, when i refresh the page it doesn't hit the breakpoint, that's mean there's a problem in the filter?

Sarra Sakka wrote:

John Schretz wrote:
if you put a breakpoint in the filter when you refresh the page at that point does it hit the breakpoint?

No, when i refresh the page it doesn't hit the breakpoint, that's mean there's a problem in the filter?

sounds like the filter url mappings are incorrect. The request is not passing through the filter. Do you ever hit a breakpoint in the filter? Like when you login?

John Schretz wrote: Do you ever hit a breakpoint in the filter? Like when you login?

yes, also when i login

Based on your filter mapping your url's should look like

www.mysite.com/authentication.jsp (LOGIN)

www.mysite.com/test/home.jsp (home page)

notice that the home page url mapping goes through test as you had mapped that in your filter


<filter> <filter-name>AuthorizationFilter</filter-name> <filter-class>com.pack.classes.AuthorizationFilter</filter-class> </filter> <filter-mapping> <filter-name>AuthorizationFilter</filter-name> <url-pattern>/test/*</url-pattern> </filter-mapping>

can you post you entire web.xml

here's the web.xml:
<servlet> <servlet-name>Authentication</servlet-name> <servlet-class>com.pack.servlet.Authentication</servlet-class> </servlet> <servlet-mapping> <servlet-name>Authentication</servlet-name> <url-pattern>/authentication</url-pattern> </servlet-mapping> <servlet> <servlet-name>Logout</servlet-name> <servlet-class>com.pack.servlet.Logout</servlet-class> </servlet> <servlet-mapping> <servlet-name>Logout</servlet-name> <url-pattern>/logout</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>authentication.jsp</welcome-file> </welcome-file-list> <filter> <filter-name>AuthorizationFilter</filter-name> <filter-class>com.pack.classes.AuthorizationFilter</filter-class> </filter> <filter-mapping> <filter-name>AuthorizationFilter</filter-name> <url-pattern>/test/*</url-pattern> </filter-mapping> </web-app>

looks like you are mixing between jsp pages and servlets. All of your entry points should be a servlet, the jsp is your "view". So all the jsp pages should have an associated servlet. i.e. if you have a home.jsp file then you should have a Home Servlet.
and at minimum it will call the servlet and the servlet will server the jsp page

Example:

public class Home extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { RequestDispatcher send= request.getRequestDispatcher("/home.jsp"); send.forward(request, response); } } XML ENTRY <servlet> <servlet-name>Home</servlet-name> <servlet-class>com.pack.servlet.Home</servlet-class> </servlet> <servlet-mapping> <servlet-name>Home</servlet-name> <url-pattern>/test/home</url-pattern> //this tells you it will pass through the filter because it is in /test </servlet-mapping> <servlet> URL: www.mysite.com/test/home

So in places where you would forward or redirect you would use url pattern you mapped in for that servlet

i.e.

getRequestDispatcher("test/home").forward(req, res);

So fixing that up and following that pattern will get you in better shape in general.
Then for every servlet you create that you want behind that filter should all have the url pattern <url-pattern>/test/**YOUR SERVLET HERE**</url-pattern>
because that is what you defined the filter for.

***The only servlet that does NOT have that pattern is the login servlet because it needs to be OUTSIDE of /test/*
So an example would be:

<servlet> <servlet-name>Login</servlet-name> <servlet-class>com.pack.servlet.Login</servlet-class> </servlet> <servlet-mapping> <servlet-name>Login</servlet-name> <url-pattern>/login</url-pattern> //outside of /test </servlet-mapping> <servlet>

John Schretz wrote:
So in places where you would forward or redirect you would use url pattern you mapped in for that servlet

i.e.

view plainprint?
Note: Text content in the code blocks is automatically word-wrapped
getRequestDispatcher("test/home").forward(req, res);

when i log in the home page didn't display

Sarra Sakka wrote:

John Schretz wrote:
So in places where you would forward or redirect you would use url pattern you mapped in for that servlet

i.e.

view plainprint?
Note: Text content in the code blocks is automatically word-wrapped
getRequestDispatcher("test/home").forward(req, res);

when i log in the home page didn't display

Did you create a home servlet and map the url to /test/home?

yes, i have created a servlet Home with url /test/home

Without a filter, how can i create a session when i loged in and how can i invalidate it when i loged out ?
thank you for you effort