
Best way to track client authorization in jsp?

Posted on 2007-10-08
Last Modified: 2012-05-05
I'm having users enter an ID and password which I verify in a database. Then, other pages get sent. When a new page is sent, what is the best way to verify the user is logged in and not someone who bookmarked, or just typed the URL w/o logging in? I've programmed a lot in CGI and, for example, I would create a tag file for this user when they logged in. Each CGI that was run thereafter checked for this tagfile and, if it did not exist, would direct the user to log in properly. The tagfile would expire after x minutes of inactivity. There must be a better/standard way with jsp?
Question by:jmarkfoley
17 Comments
 
LVL 23

Expert Comment

by:Ajay-Singh
ID: 20038956
I believe this is the clean way:
 
create a controller that checks if the client is already authenticated (by
examining the cookies), if not redirect to login page, once logged-in it
will redirect to the original page.
0
 
LVL 92

Expert Comment

by:objects
ID: 20039022
store the logged in user in the session
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 20039049
Ajay-Singh: I'd rather avoid using cookies if possible. Alternatives?

objects: how would I do that? (beginner)
0

 
LVL 92

Accepted Solution

by:
objects earned 1200 total points
ID: 20039072
once you've authenticated the user:

session.setAttribute("loggedin", user);


then to check on each request:

User user = (User) session.getAttribute("loggedin");
if (user==null)
{
    // redirect to login
}

nb. User is whatever class you use to store details about the user
0
 
LVL 23

Expert Comment

by:Ajay-Singh
ID: 20039080
> I'd rather avoid using cookies if possible.
Why?
0
 
LVL 26

Expert Comment

by:ksivananth
ID: 20039265
>>Alternatives?

hidden fields or header field!
0
 
LVL 11

Expert Comment

by:Manish
ID: 20040390
When user logged off
don't forget to remove user from session.
session.removeAttribute...
0
 
LVL 11

Expert Comment

by:Manish
ID: 20040428
session.removeAttribute("loggedin");
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 20045505
Ajay-Singh: These users are retirees, not necessarily that computer savvy. If their grandkid set their browser up some funky way they might be too confused with an "accept cookie" message. Better to avoid any possible client security issues.

objects/karanw:
> nb. User is whatever class you use to store details about the user
Could this class be a datestamp? For example:

Date logTime = new Date();
session.setAttribute("loggedin", logTime);

btw - it seems that I'm struggling to compile each and every line of code! Why does the following not compile? I copied it from examples:

<%@ page import="java.util.*" %>
  :
<% Date rightNow = new Date();
  out.print(rightNow.toString());
%>

Error is:

An error occurred at line: 26 in the jsp file: /pensionMenu.jsp
The type Date is ambiguous

24: <%@ page import="java.sql.*" %>
25:
26: <% Date rightNow = new Date();
27:
28:   out.print(rightNow.toString());
29: %>
0
 
LVL 92

Expert Comment

by:objects
ID: 20045564
you can use whatever you want to indicate someone has logged in

> Why does the following not compile?

There are multiple Date classes in separate packages


<% java.util.Date rightNow = new java.util.Date();
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 20045732
That worked, but I can tell this whole class naming thing is going to be a problem for me getting started. Here's another one. For a given class (e.g. session), how do I figure out its naming: p1.p2.session.method(), or the import path? Sometimes I can do google on "java date class" or some such things and get all this, but doing it for "jsp session class" gives me nothing useful.

verifyUser.java:9: cannot find symbol
symbol  : variable session
location: class common.verifyUser
    java.util.Date lastDate = (java.util.Date) session.getAttribute("loggedin");
 
0
 
LVL 92

Expert Comment

by:objects
ID: 20045749
session is a variable, not a class
0
 
LVL 11

Assisted Solution

by:Manish
Manish earned 800 total points
ID: 20046435
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 20051390
Bingo! Thanks karanw, that's the link I needed. OK, last issue on this topic, then I'll mess around a bit and give you guys a break. I can do things like session.isNew(), session.getMaxInactiveInterval(), etc. within my jsp program. However, I'd like to put some of this in a class for common usage by various jsp programs. I have the following program in WEB-INF/classes. When I javac it, I get the error shown below. I believe it is because I need to import something or more rigorously define the class parents, or something. As I've said, I'm new at this java stuff. I've programmed in C for years and the description of the C library function generally told you what you needed to #include. I'm trying to make the paradigm shift!

Program:

package common;
public class verifyUser {
public Boolean newLogin()
{
    if (session.isNew())
        out.print("true ");
    else
        out.print("false");
    return true;
}

}

Error:

javac verifyUser.java
verifyUser.java:7: cannot find symbol
symbol  : variable session
location: class common.verifyUser
    if (session.isNew())
        ^
verifyUser.java:8: cannot find symbol
symbol  : variable out
location: class common.verifyUser
        out.print("true ");
        ^
0
 
LVL 27

Expert Comment

by:mrcoffee365
ID: 20052311
JSP pages have some variables defined for you, like session and out.

Java source code has to have those variables defined, as in any normal programming.  I think for what you're trying to do, you should pass the HttpServletRequest and HttpServletResponse to the newLogin class, and have it be a servlet.

Then
HttpSession ses = request.getSession();
will give you the session.
ServletOutputStream out = response.getOutputStream();
will give you the out variable for the outputStream.

If you don't want newLogin to be a servlet, but instead you want to keep it in the package you've declared, then just pass in the request, and add any necessary true/false values to the session in the request.

Deal with displaying "true" or "false" outside, in either a JSP page or a servlet.
0
 
LVL 92

Expert Comment

by:objects
ID: 20052688
session and out are vars available in a jsp, if u have a class that needs access to them then you'll need to pass the var to method
0
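One way to package the checks discussed in this thread (the accepted answer's "loggedin" session attribute, with the request passed into a shared class as objects and mrcoffee365 suggest), as an added example that is not code from any poster. The class name LoginGuard, the /login.jsp path and the 15-minute idle timeout are assumptions; it compiles against the javax.servlet API supplied by the container.

```java
package common;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: session-based login tracking shared by several JSPs. */
public final class LoginGuard {
    // Same attribute name the accepted answer uses.
    private static final String ATTR = "loggedin";
    // Assumed values for this example, not from the thread.
    private static final int IDLE_SECONDS = 15 * 60;
    private static final String LOGIN_PAGE = "/login.jsp";

    /** Call once, after the ID and password have been verified against the database. */
    public static void markLoggedIn(HttpServletRequest request, Object user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();              // do not carry a pre-login session id across login
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(IDLE_SECONDS); // container expires idle sessions
        session.setAttribute(ATTR, user);
    }

    /** True only if a session already exists and carries the login marker. */
    public static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session here
        return session != null && session.getAttribute(ATTR) != null;
    }

    /** Returns true if the page may render; otherwise redirects to the login page. */
    public static boolean requireLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (isLoggedIn(request)) {
            return true;
        }
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + LOGIN_PAGE));
        return false;
    }

    /** Logout: invalidate the session so the marker and everything else in it are gone. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

At the top of each protected JSP, before any output is written: `<% if (!common.LoginGuard.requireLogin(request, response)) return; %>`. A bookmarked or hand-typed URL then reaches the redirect because no session carrying the marker exists for that request.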
 
LVL 1

Author Comment

by:jmarkfoley
ID: 20069091
OK, this is getting beyond the scope of my original question, so I think I'll close this one out and start up a new one to figure out what objects and mrcoffee365 are suggesting. First, I'll nail down the logic I want to use.
0
