tomcat-users mailing list archives

From Antony Bowesman <>
Subject Re: Programmatic security with servlet mappings in tomcat
Date Tue, 03 Jul 2001 08:31:37 GMT

pete wrote:
> Tim,
> there are several ways to implement this kind of security check. If you
> want a full-blown MVC model, you might consider looking at Struts or one
> of the other Apache-driven frameworks (Struts is the only one I have
> personal experience with).
> With the example you give, I don't understand the need for a
> 'controller' jsp in this context.
> The way I handle security in one of my apps is that I have a method in a
> session-bean (public void isAuthenticated()) that checks the user has a
> valid login, so all my jsps (except login.jsp) are wrapped in a
> statement like
> <jsp:useBean id="Authentication" scope="session"
> class="com.mycompany.authentication"></jsp:useBean>
> <%if (Authentication.isAuthenticated())
> {%>
> .... rest of JSP goes here
> <%}
> else
> {
> response.sendRedirect("./login.jsp");
> }
> %>
> If a valid session key is already assigned, the method returns true. If
> username and password are supplied in request scope, isAuthenticated
> does a lookup to our authentication database, and if successful, sets a
> valid session key, and returns true.
> If neither of these is true, isAuthenticated sets a 'you are not
> authenticated' message to be displayed by login.jsp, returns false, and
> the user is redirected back to login.jsp.

Interesting that you don't use the container's authentication mechanism
to protect pages.  What if someone writes an app that doesn't protect
the page?  Any reason why you chose this route?
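
Added example, not part of the original message or of either poster's application: a web.xml fragment showing container-managed form authentication, the mechanism the reply refers to, so that a page which omits the per-JSP isAuthenticated() wrapper is still protected. The /secure/* path, the role name "user", the realm name and login-error.jsp are assumptions; login.jsp is the page named in the quoted message.

```xml
<!-- Place inside <web-app> in WEB-INF/web.xml (Servlet 2.2/2.3 declarative security). -->

<!-- Every resource under /secure/ requires an authenticated user in role "user".
     The container enforces this before any JSP or servlet code runs, so a new
     page dropped into /secure/ is covered even if its author adds no check. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <!-- No <http-method> elements: the constraint then applies to all methods.
         Listing only GET and POST would leave other methods unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- FORM login: the container sends unauthenticated requests for protected
     resources to login.jsp and returns the user to the original URL afterwards.
     login.jsp must POST the fields j_username and j_password to the action
     j_security_check; the container validates them against its configured realm. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Declare the role referenced in the auth-constraint above. -->
<security-role>
  <role-name>user</role-name>
</security-role>
```

With this in place the credential lookup moves from the session bean to the container's realm configuration, and request.getRemoteUser() or request.isUserInRole("user") can be used in pages that need the identity.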

