tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alistair Hopkins <>
Subject Re: How to setup login based security?
Date Tue, 30 May 2000 14:46:38 GMT
Why not write an abstract servlet which checks this

public abstract class SecureServlet
extends HttpServlet

where the service method checks the session before calling the normal 
service methods

HttpSession hs = request.getSession(false);
if ( hs == null )
             tell them to log in here
  } else

you can then handle URL hacks/timeouts/etc centrally, and make new secure 
servlets by extending the SecureServlet

public abstract class WhicheverServlet
extends SecureServlet

i'm doing something like this, but also managing DenialofService 
prevention, db connection pools, etc from the abstract servlet.

Also means that as there is no chaining, etc, etc, then it will work as is 
on any servlet engine and won't fall foul of changing specs.

At 04:10 PM 5/30/00 +0200, you wrote:
>my webapplication starts with a form based user login. A database lookup is
>made to check if there is a user account. When the login is successfull an
>user object is inserted in the current session data. All other servlets of my
>webapp should check if these user object exists and if not redirect the
>request to the login form.
>My idea is to implement a check servlet (or a simple class) which
>checks every request to my webapp before the requested servlet is called.
>Is this possible with tomcat or is there any other way to secure my webapp.
>         Christoph
>| Dipl.-Inf. Christoph Kulla               |
>| Met@box AG                                 |
>| Daimlerring 37                                                            |
>| 31135 Hildesheim                                  Phone: +49-5121-7533-0  |
>| Germany                                             Fax: +49-5121-7533-78 |
>To unsubscribe, email:
>For additional commmands, email:

View raw message