Access Control Using a Filter
The Project Billboard application uses application-controlled authentication and access control to ensure that only registered users can use the application. As discussed in Chapter 12, your first choice should be to use container-controlled authentication and access control, but let’s assume that, in this case, there are valid reasons for going at it on our own.
Not all requests require a user to be logged in. For instance, if the login form and authentication request are protected, you’re faced with a Catch 22; it’s impossible to log in because you have to be logged in to load the login form. It’s also reasonable to accept a log-out request from a user who isn’t logged in; the session that contains the authentication information may have timed out before the user tries to log out.
You can use the URI path to distinguish between requests
that need access control and those that don’t. In
this application, all requests that need access control include the
/protected
path element, as shown in Table 18-1.
Table 18-1. Project Billboard context-relative URI paths
Context-relative path |
Resource |
---|---|
|
The login JSP page |
|
The main JSP page |
|
The message entry form JSP page |
|
The authenticate action |
|
The logout action |
|
The action for storing a new message |
|
The action for ... |
Get JavaServer Pages, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.