Page restriction if not logged in
Rob Ko
Posts: 8
Tomcat Server
Hey :)

I have a little burning project problem >.>

First the user shall authenticate with a TAN
--> if the TAN is wrong: error page
--> if correct: show the form

and then a strict order --> show the form solved --> page with send form button --> page with confirmation that the form was sent

but currently you can jump over the authentication directly to the other pages

my bean is session scoped:

A quick and simple solution would be awesome.


this looks pretty interesting:
but I don't really understand what he means by:
"Subclass the `LoginFilter` as a concrete class, `MemberLoginFilter`, by implementing the `isAuth` method"

another solution could be:
worked nearly perfectly, but after login and filling out the form, you return back to the login ._.
Tim Holloway
Posts: 18662
Android Eclipse IDE Linux
Jumping over authorizations is one of the most common forms of security exploits and is the Number 1 reason why I discourage people from creating their own security subsystems.

If you want a "simple" way to avoid this, don't write your own login or security code. Use the system that's part of the J2EE standard. It's based on URL patterns, and if a URL matches a secured pattern the server will immediately force a login and not even allow the URL to reach the web application unless they pass authentication and authorization.
Thomas Snyder
Posts: 9
Java Python Ruby

I've done this using Glassfish, a Life Cycle to check for roles, and a login bean. The life cycle looks like this:

The life cycle above is run every time someone visits a page on your site. I used this to check if the user had roles to be on the page by having a database with the username and a roles table assigned to them. This process is put in the afterPhase and you'll have to write code to check your database. You don't have to use this, but it's a good check if you like to prevent people from jumping pages that have certain roles or protect certain folders. Don't use this for logging in though. Tim is right when he says use the J2EE for logging in. I think more of what you are looking for is plain old logging in. In Glassfish, all you need to do is create users within the realm, mod the web.xml to throw the user to the login page, login controller, and a login bean.


LoginController.java (This is exposed so you can use it on your pages)


In glassfish, if you want the login to be checked against the realm, make sure it matches in the web.xml where it says <realm-name>file</realm-name>.
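As an added illustration of what Tim and Thomas describe (not code from either poster), here is a web.xml fragment that applies container-managed security to the form workflow: the container checks the URL pattern before the request reaches any JSF page or bean, so none of the form, send or confirmation pages can be reached by typing their address. The paths under /form/, the role name "member", the login page names and the GlassFish file realm are assumptions for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: Servlet 3.0 deployment descriptor -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Every page of the workflow lives under /form/ (assumed layout:
       /form/form.xhtml, /form/send.xhtml, /form/confirmation.xhtml).
       The container rejects any request to this pattern until the
       caller has authenticated AND holds the "member" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>form workflow</web-resource-name>
      <url-pattern>/form/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Credentials and TANs travel over TLS only -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login: an unauthenticated hit on /form/* is redirected to the
       login page; a failed login lands on the error page. The realm name
       must match the realm configured in the server (GlassFish "file"
       realm here, as in Thomas's post). -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/loginError.xhtml</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced by auth-constraint must be declared; on GlassFish
       the realm's group is mapped to this role in glassfish-web.xml. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

The login page itself must submit j_username and j_password to j_security_check, or a login bean can call HttpServletRequest.login(username, password) (Servlet 3.0) so the page stays a normal JSF view. Keep /login.xhtml and /loginError.xhtml outside the secured pattern, otherwise the redirect loops.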