I have created a web application. Everything works fine.But, if the user is not logged in still they can have access to other jsp pages through url. I want to stop url access. I saw some example it shows the usage of filters. I'm new to filters I don't how to implement it. I'm using servlets, dao and jsp pages.
Please suggests me how to do it. I want to make one filter for all the jsp or servlets pages.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>MyFilter</filter-name>
<filter-class>com.eis.servlet.MyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MyFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>login</servlet-name>
<servlet-class>com.eis.servlet.LoginServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>DayWiseServlet</servlet-name>
<servlet-class>com.eis.servlet.DayWiseServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>RegisterServlet</servlet-name>
<servlet-class>com.eis.servlet.RegisterServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>login</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>RetrieveServlet</servlet-name>
<servlet-class>com.eis.servlet.RetrieveServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RetrieveServlet</servlet-name>
<url-pattern>/RetrieveServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TimeSheet</servlet-name>
<servlet-class>com.eis.servlet.TimeSheet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TimeSheet</servlet-name>
<url-pattern>/TimeSheet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DayWiseServlet</servlet-name>
<url-pattern>/DayWiseServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>RegisterServlet</servlet-name>
<url-pattern>/RegisterServlet</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/index.jsp</welcome-file>
</welcome-file-list>
<session-config>
<session-timeout>15</session-timeout>
</session-config>
</web-app>
loginservlet.java
public class LoginServlet extends HttpServlet{
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String n=request.getParameter("Emp_id");
String p=request.getParameter("Pwd");
String Usertype=request.getParameter("usertype");
HttpSession session = request.getSession(false);
if(session!=null){
session.setAttribute("name", n);
session.setAttribute("usertype", Usertype);
}
if(LoginDao.validate(n,p)){
RequestDispatcher rd=request.getRequestDispatcher("/daywise.jsp");
rd.forward(request,response);
}
else{
out.print("<p style=\"color:red\">Sorry Employee ID or password error</p>");
RequestDispatcher rd=request.getRequestDispatcher("/index.jsp");
rd.include(request,response);
}
out.close();
}
protected void doPost(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}
myfilter:
public class MyFilter implements Filter{
@Override
public void init(FilterConfig config) throws ServletException {}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse resp = (HttpServletResponse)response;
if(null==((String) req.getSession().getAttribute("empid")) || ((String) req.getSession().getAttribute("empid")).equals("")){
chain.doFilter(req, resp);
} else {
resp.sendRedirect("/WebTimeSheet/index.jsp");
}
}
@Override
public void destroy() {}
}
Loginpage:
<form action="LoginServlet" method="post">
<fieldset style="width: 300px">
<legend> Login to App </legend>
<table>
<tr>
<td>User ID</td>
<td><input type="text" name="Emp_id" required="required" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="Pwd" required="required" /></td>
</tr>
<tr>
<td>User Type</td>
<td> <select name="usertype">
<option>Employee</option>
<option>Manager</option>
<option>Admin</option>
</select></td>
</tr>
<tr>
<td><input type="submit" value="Login" /></td>
</tr>
</table>
</fieldset>
</form>
</body>
<%@include file="/footer.jsp" %>
</html>
and all my jsp pages are in the web pages folder which is outside the Web-inf folder. Web-inf folder only got web.xml init
Header.jsp
<c:choose>
<c:when test="${usertype eq 'Employee'}">
<div class="nav">
<ul><li class="container"><img src="${pageContext.request.contextPath}/images/enabling.jpg" /></li>
<li class="current"><a href="WEB-INF/daywise.jsp">DayWise TimeSheet</a></li>
<li><a href="WEB-INF/timesheet.jsp">Weekly TimeSheet</a></li>
</ul>
</div>
</c:when>
<c:when test="${usertype eq 'Manager'}">
<div class="nav">
<ul><li class="container"><img src="${pageContext.request.contextPath}/images/enabling.jpg" /></li>
<li class="current"><a href="/WEB-INF/daywise.jsp">DayWise TimeSheet</a></li>
<li><a href="WEB-INF/timesheet.jsp">Weekly TimeSheet</a></li>
<li><a href="WEB-INF/newemployee.jsp">Add New Employeer</a></li>
<li><a href="WEB-INF/retrieve.jsp">Retrieve TimeSheet</a></li>
</ul>
</div>
</c:when>
Firstly, JSPs should not be used to serve requests, they should be used to render views. Servlets should be used to serve requests, and then forward to a JSP.
Here's an example:
public class HelloWorld extends HttpServlet {
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
{
//do some stuff
//forward to JSP to show result
String nextJSP = "/WEB_INF/result.jsp";
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(nextJSP);
dispatcher.forward(request,response);
}
}
And in web.xml:
<servlet>
<servlet-name>HelloWorldServlet</servlet-name>
<servlet-class>your.package.HelloWorld</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HelloWorldServlet</servlet-name>
<url-pattern>/someurl</url-pattern>
</servlet-mapping>
In this example, the servlet forwards to a JSP in the WEB-INF directory. By putting all your JSPs in the WEB-INF directory, it means that they cannot be requested directly.
Now you have a Servlet, you can set up a Servlet Filter:
public class MyFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
if (isLoggedIn) {
//if user is logged in, complete request
chain.doFilter(req, res);
} else {
//not logged in, go to login page
res.sendRedirect("/login");
}
}
And in web.xml:
<filter>
<filter-name>MyFilter</filter-name>
<filter-class>your.package.MyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MyFilter</filter-name>
<url-pattern>/secret/*</url-pattern>
</filter-mapping>
So that way any URL that fits the pattern /secret/*
will be filtered so that login is required.
You need to use a servlet filter and match all the requests.
In that filter you need to check for authorization.
Here is the official docs with example
You can set an authentication cookie in the response header
Cookie someCookie = new Cookie("cookie_name","some_value" );
and, response.addCookie(someCookie)
then , inside your filter you can decide to call chain.doFilter(req, res)
based on the cookie value.
you may control the cookie age by cookie.setMaxAge();
ie. set the max age to '0' on log out .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.