
How can I stop direct access to web pages without authentication in Java (Custom Tag)

I am using MVC (custom tag) and I want to know how to restrict direct access to the application pages unless authenticated. I tried using a filter but am running into a problem: it blocks access to the login page itself. I want every user to be able to access the login page, and only after authentication should a user get access to the other pages. Please tell me what changes I need to make in my code.

Inside the Myjsp folder I have all the .jsp pages (\\Tomcat 6.0\\webapps\\Myjsp), and the class files are inside classes/pack/java.

Below is the filter:

package pack.java;

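import java.io.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

public class loginfilter implements Filter {
    String aa;

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // getRequestURI() is declared on HttpServletRequest, not ServletRequest
        aa = ((HttpServletRequest) request).getRequestURI();
        // No authentication check here: every request is passed down the chain
        chain.doFilter(request, response);
    }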

    public void init(FilterConfig fconfig) throws ServletException {
    }

}

Web.xml entry:

<filter>
    <filter-name>loginfilter</filter-name>
    <!-- filter-class takes the fully qualified class name, not just the package -->
    <filter-class>pack.java.loginfilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>loginfilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping> 

I had the same problem recently, and I found out that there are two ways you can do this. The first one is to use the tools provided by the application server, which allow you to authenticate all the users that want to access those pages. I only tried this solution with JBoss AS7 and it works fine, but I think the others also allow you to do this. Here's a link that explains how to do this in general; you then just need to adapt it to your application server: http://docs.oracle.com/javaee/6/tutorial/doc/gijrp.html

But sometimes you need to have more control over the authentication and not depend on this type of authentication (in my case I also allowed clients to be authenticated via Facebook or Gmail accounts), so the solution is to use a filter that only filters the calls to private pages (those that require authentication). From what I see, your login filter is currently filtering all your pages (including the login page), since you have this:

<url-pattern>/*</url-pattern>

To solve this problem I suggest you organize your pages into two folders, one containing the public files and the other the private ones; then you can just put this:

<url-pattern>/private_pages/*</url-pattern>

The login page and all the others will be in the public_pages folder. Also, the filter is doing nothing yet, so you will need to get the HTTP session attributes and find out whether the user is authenticated or not (and then allow him to see the page or redirect him to the login page). Here are the links to some of my posts from while I was investigating the same thing as you:

- User authentication with J2EE
- Authentication with Java EE
- Session Tracking using J2EE

Hope this is useful.
