I've been assigned the task of writing a web-app to administer the users of another system. The user data to be controlled/configured is in a database. For different instances of the system, different servlet containers will be used (Tomcat and WebLogic mainly).
To provide authentication, I need to look up details in the database, but as the different instances will have different containers (and database types - mainly MS-SQL and Oracle), I don't see how I can use declarative security (i.e. that which is in the web.xml and users.xml files).
Consequently, I have been looking at programmatic security.
What I would like is that if anyone tries to look at a JSP page or access a servlet in the web-application, then their session is checked. If they have not been authenticated and authorised, they are forwarded to a Login page. Otherwise, they can access the resource as they want.
I had done this by subclassing HttpServlet, and overriding the service() method to perform authentication and authorisation. Then either the request is forwarded to a login page, or I call super.service(req, res) to process the request as normal.
However, this won't work with JSP pages, as they don't have any doXXX functions, which are called by the HttpServlet service() method. If I create a JSP page that subclasses my authenticating class (the subclass of HttpServlet), then the service method of the JSP calls doXXX rather than _jsp_service().
I imagine that others must have had this problem, and was wondering what the most elegant solution is - how do you create a common programmatic authentication method to be applied to both servlets and JSP pages?
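
The servlet half of the approach described in the post, sketched as an added example (not the poster's code): a base class whose `service()` checks the session and either forwards to the login page or continues with normal dispatch. The attribute name `authenticatedUser`, the path `/login.jsp` and the `isAuthorised` hook are assumptions; a login servlet is assumed to set the attribute after verifying credentials against the database.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Base class: every servlet that extends it is gated by the session check. */
public abstract class AuthenticatingServlet extends HttpServlet {

    // Assumed names, not taken from the post.
    private static final String USER_ATTR = "authenticatedUser";
    private static final String LOGIN_PAGE = "/login.jsp";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        // Fail closed: a missing session, a missing user or a failed
        // authorisation check all end at the login page.
        if (user == null || !isAuthorised(user, req)) {
            // Keep the login response out of shared and browser caches.
            res.setHeader("Cache-Control", "no-store");
            req.getRequestDispatcher(LOGIN_PAGE).forward(req, res);
            return;
        }

        // Authenticated and authorised: normal doGet/doPost dispatch.
        super.service(req, res);
    }

    /**
     * Hypothetical hook: each subclass decides whether this user may
     * access the resource it serves.
     */
    protected abstract boolean isAuthorised(Object user, HttpServletRequest req);
}
```

As the post notes, JSP pages do not pass through this `service()` override, so this class gates only the servlets that extend it.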