Tim,
there are several ways to implement this kind of security check. If you
want a full-blown MVC model, you might consider looking at Struts or one
of the other Apache-driven frameworks (Struts is the only one I have
personal experience with).
With the example you give, I don't understand the need for a
'controller' JSP in this context.
The way I handle security in one of my apps is that I have a method in a
session bean (public boolean isAuthenticated()) that checks the user has a
valid login, so all my JSPs (except login.jsp) are wrapped in a
statement like
<jsp:useBean id="Authentication" scope="session"
             class="com.mycompany.authentication"></jsp:useBean>
<% if (Authentication.isAuthenticated()) { %>
    .... rest of JSP goes here
<% } else {
       response.sendRedirect("./login.jsp");
   } %>
If a valid session key is already assigned, the method returns true. If
username and password are supplied in request scope, isAuthenticated
does a lookup to our authentication database, and if successful, sets a
valid session key, and returns true.
If neither of these is true, isAuthenticated sets a 'you are not
authenticated' message to be displayed by login.jsp, returns false, and
the user is redirected back to login.jsp.
In our Struts projects, we have a custom tag library that checks
authentication details, so it's even simpler than the above.
This example lacks exhaustive detail, but it is pretty easy to implement
a security model like this. There are a number of foibles you can make,
however. I'd tell you what they are, but that would spoil your fun now,
wouldn't it ;)
Hope that helps
-Pete
> Hi,
>
> (Tomcat 3.2.1, Windows 2000, JDK 1.3.1)
>
> I want to use a Request Controller architecture for a webapp (i.e. one JSP
> that receives all requests and then dispatches the requests to other JSPs
> for servicing of the request). Of course I want to ensure that these
> "servicing" JSPs are not accessible without passing through the controller
> jsp. Is a secure solution to this problem to use a servlet mapping of the
> following form in web.xml:
>
> <web-app>
>
> <servlet>
> <servlet-name>controller</servlet-name>
> <jsp-file>controller.jsp</jsp-file>
> </servlet>
>
>
> <servlet-mapping>
> <servlet-name>controller</servlet-name>
> <url-pattern>/*</url-pattern>
> </servlet-mapping>
>
> </web-app>
>
>
> And to include in Controller.jsp a session bean for each user to check
> whether they have logged on to the site before forwarding their request to
> the "servicing" JSP.
>
> I have tried this out "empirically" myself and it seems to work but I would
> quite like a "theoretical" confirmation that this is secure and that this
> solution makes it impossible for a malicious user to get access to the
> "servicing" JSPs (without passing through Controller.jsp which will force a
> logon).
>
> Thanks.
>
> Tim.
>
>
> This message contains information that may be privileged or confidential and is the
> property of the Cap Gemini Ernst & Young Group. It is intended only for the person to
> whom it is addressed. If you are not the intended recipient, you are not authorized
> to read, print, retain, copy, disseminate, distribute, or use this message or any
> part thereof. If you receive this message in error, please notify the sender
> immediately and delete all copies of this message.
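The session bean Pete describes (existing key, or request-scope credentials looked up and a key assigned, or a "not authenticated" message and false) and the request controller Tim asks about, written out as one added example. This is the editor's code, not code from either poster or from Tomcat. It assumes a hypothetical package com.mycompany with classes Authentication and ControllerServlet (the thread only names com.mycompany.authentication), an in-memory map standing in for the authentication database with one constructed user, and a web.xml that maps the controller to /app/* rather than Tim's /*: a RequestDispatcher forward is resolved against the same servlet mappings, so a /* mapping would route the forward to login.jsp back into the controller. The servicing JSPs are kept under /WEB-INF/, which the container never serves to a client directly, so they can only be reached through the controller's forward.

```java
package com.mycompany;                       // both classes below live in this package

import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// --- Authentication.java: the session-scoped bean (scope="session" gives one per user) ---
public class Authentication {
    // Constructed stand-in for the authentication database: username -> hex SHA-1 of password
    private static final Map USERS = new HashMap();
    static { USERS.put("tim", sha1Hex("example-password")); }
    private static final SecureRandom RNG = new SecureRandom();

    private String sessionKey;   // non-null once this session has logged in
    private String username;     // filled from request parameters on each request
    private String password;
    private String message;      // displayed by login.jsp after a failed check

    public void setUsername(String u) { username = u; }
    public void setPassword(String p) { password = p; }
    public String getMessage()        { return message; }

    // Existing key -> true; valid credentials -> assign key, true; otherwise message, false
    public boolean isAuthenticated() {
        if (sessionKey != null) {
            return true;
        }
        if (username != null && password != null) {
            String stored = (String) USERS.get(username);
            if (stored != null && stored.equals(sha1Hex(password))) {
                byte[] key = new byte[16];
                RNG.nextBytes(key);            // unguessable key, not a counter or timestamp
                sessionKey = toHex(key);
                password = null;               // never keep the clear-text password in session scope
                return true;
            }
        }
        password = null;
        message = "You are not authenticated.";
        return false;
    }

    static String sha1Hex(String s) {
        try {
            return toHex(MessageDigest.getInstance("SHA-1").digest(s.getBytes("UTF-8")));
        } catch (Exception e) {                // SHA-1 and UTF-8 are guaranteed by the JDK
            throw new RuntimeException(e.toString());
        }
    }

    static String toHex(byte[] b) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < b.length; i++) {
            if ((b[i] & 0xff) < 0x10) sb.append('0');
            sb.append(Integer.toHexString(b[i] & 0xff));
        }
        return sb.toString();
    }
}

// --- ControllerServlet.java: mapped to /app/* in web.xml; the single entry point ---
public class ControllerServlet extends HttpServlet {
    // Servicing pages live under /WEB-INF/, which the container never serves directly,
    // and only names in this table can be dispatched to (no paths taken from the client).
    private static final Map PAGES = new HashMap();
    static { PAGES.put("home", "/WEB-INF/pages/home.jsp");
             PAGES.put("account", "/WEB-INF/pages/account.jsp"); }

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        // same effect as <jsp:useBean id="Authentication" scope="session" ...>
        Authentication auth = (Authentication) session.getAttribute("Authentication");
        if (auth == null) {
            auth = new Authentication();
            session.setAttribute("Authentication", auth);
        }
        // same effect as <jsp:setProperty name="Authentication" property="*"/>
        auth.setUsername(req.getParameter("username"));
        auth.setPassword(req.getParameter("password"));
        if (!auth.isAuthenticated()) {
            // forward (not redirect) so login.jsp can read auth.getMessage() from the bean
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
            return;                            // nothing may run after a forward or redirect
        }
        String page = (String) PAGES.get(req.getParameter("page"));
        if (page == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(page).forward(req, resp);
    }
}
```

In web.xml the servlet entry uses `<servlet-class>com.mycompany.ControllerServlet</servlet-class>` with `<url-pattern>/app/*</url-pattern>`. A request to /app/?page=account from a session without a key is forwarded to login.jsp; one carrying valid username and password parameters gets a key and is forwarded to /WEB-INF/pages/account.jsp; and a direct request for /WEB-INF/pages/account.jsp is refused by the container whatever the mapping, which is the guarantee Tim's question is after. Looking the page name up in a fixed table rather than building a path from the request is what keeps a client from steering the forward somewhere else.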