Access Control Using a Filter

The Project Billboard application uses application-controlled authentication and access control to ensure that only registered users can use the application. As discussed in Chapter 12, your first choice should be to use container-controlled authentication and access control, but let’s assume that, in this case, there are valid reasons for going at it on our own.

Not all requests require a user to be logged in. For instance, if the login form and authentication request are protected, you’re faced with a Catch 22; it’s impossible to log in because you have to be logged in to load the login form. It’s also reasonable to accept a log-out request from a user who isn’t logged in; the session that contains the authentication information may have timed out before the user tries to log out.

You can use the URI path to distinguish between requests that need access control and those that don’t. In this application, all requests that need access control include the /protected path element, as shown in Table 18-1.

Table 18-1. Project Billboard context-relative URI paths

Context-relative path



The login JSP page


The main JSP page


The message entry form JSP page


The authenticate action


The logout action


The action for storing a new message


The action for ...

Get JavaServer Pages, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.