tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Merrill Cornish <>
Subject Re: restricting access to jsp pages
Date Thu, 15 Jan 2004 15:36:53 GMT
I'm confused.

>>> I don't want the user to have to log in, ...  
>>> I can't find in the docs how Tomcat knows whether the user has logged in yet,

Question:  Do you want your users to log in or not--nevermind who does it?

>>> I want to have my "guard" servlet authenticate the user 

How is that different from log in?  Regardless of what you call it or whether it's done by
a JSP page or a servlet, the user is going to have to identify himself to the guard servlet--and
that's logbin, even if the phrase "log in" is never shown to the user.

In my own application, each of the JSP pages that needs the user to be logged in before coming
to the page start with this:

  if (Util.verifyLogin(session, response)) {
     // then we are logged in
     ... // other Java code needed for the page initialization

... <!-- the JSP page itself -->

<% }//then logged in %>

If Util.verifyLogin() determine--in whatever manner--that the user is not yet logged in, it
redirected to the login page (or whatever you are using to determine who the user is) and
returns false.  It it returns false, the rest of the JSP page is skipped, since the loggin
page is being displayed.

In my case, Util.verifyLogin() determines that the user is logged in by checking that session
is not null and that a certain session attribute set by the login servlet is not null.  

In servlets, the test is

  if (Util.verifyLogin(session, response)) { return; }


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message