Recipe 11.3. Securing a JSP Page

Problem

You want to ensure users can access a JSP page only if they are logged in.

Solution

Use a custom JSP tag, like the checkLogon tag from the Struts Mail Reader example application, on pages that require users to be logged in. The checkLogon tag is shown in Example 11-5.

Example 11-5. Struts-example check logon tag
package org.apache.struts.webapp.example;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

import org.apache.struts.config.ModuleConfig;

/**
 * Check for a valid User logged on in the current session.  If there is no
 * such user, forward control to the logon page.
 *
 * @author Craig R. McClanahan
 * @author Marius Barduta
 * @version $Revision: 1.5 $ $Date: 2005/03/21 18:08:09 $
 */
public final class CheckLogonTag extends TagSupport {

    // --------------------------------------------------- Instance Variables

    /**
     * The key of the session-scope bean we look for.
     */
    private String name = Constants.USER_KEY;

    /**
     * The page to which we should forward for the user to log on.
     */
    private String page = "/logon.jsp";

    // ----------------------------------------------------------- Properties

    /**
     * Return the bean name.
     */
    public String getName() {
        return (this.name);
    }

    /**
     * Set the bean name.
     *
     * @param name The new bean name
     */
    public void setName(String name) {
        this.name = name;
    }

    /**
     * Return the forward page.
     */
    public String getPage() {
        return (this.page);
    }

    /**
     * Set the forward page.
     *
     * @param page The new forward page
     */
    public void setPage(String page) {
        this.page = page;
    }

    // --------------------------------------------------------- Public Methods

    /**
     * Defer our checking until the end of this tag is encountered.
     *
     * @exception JspException if a JSP exception has occurred
     */
    public int doStartTag() throws JspException {
        return (SKIP_BODY);
    }

    /**
     * Perform our logged-in user check by looking for the existence of
     * a session scope bean under the specified name.  If this bean is not
     * present, control is forwarded to the specified logon page.
     *
     * @exception JspException if a JSP exception has occurred
     */
    public int doEndTag() throws JspException {

        // Is there a valid user logged on?
        boolean valid = false;
        HttpSession session = pageContext.getSession();
        if ((session != null) && (session.getAttribute(name) != null)) {
            valid = true;
        }

        // Forward control based on the results
        if (valid) {
            return (EVAL_PAGE);
        } else {
            ModuleConfig config =
                (ModuleConfig) pageContext.getServletContext().getAttribute(
                    org.apache.struts.Globals.MODULE_KEY);

            try {
                pageContext.forward(config.getPrefix() + page);
            } catch (ServletException e) {
                throw new JspException(e.toString());
            } catch (IOException e) {
                throw new JspException(e.toString());
            }

            return (SKIP_PAGE);
        }
    }

    /**
     * Release any acquired resources.
     */
    public void release() {
        super.release();
        this.name = Constants.USER_KEY;
        this.page = "/logon.jsp";
    }

}

Include the tag at the start of a page that requires users to be logged in. Example 11-6 lists the mainMenu.jsp taken from the Struts Mail Reader example application.

Example 11-6. Using the checkLogon tag on a JSP page
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="/tags/app" prefix="app" %>
<%@ taglib uri="/tags/struts-bean" prefix="bean" %>
<%@ taglib uri="/tags/struts-html" prefix="html" %>

<%-- Check if the user is logged in and redirect to logon if not --%>
<app:checkLogon/>

<html>
<head>
<title><bean:message key="mainMenu.title"/></title>
<link rel="stylesheet" type="text/css" href="base.css" />
</head>
<body>
<h3><bean:message key="mainMenu.heading"/>
    <bean:write name="user" property="fullName" /></h3>
<ul>
<li><html:link action="/EditRegistration?action=Edit"><bean:message
    key="mainMenu.registration"/></html:link></li>
<li><html:link forward="logoff"><bean:message key="mainMenu.logoff"/>
    </html:link></li>
</ul>
</body>
</html>

Discussion

If you use directly accessed JSP pages, you will need a mechanism to secure those pages. With a custom JSP tag, you can create the logic in one place and reuse the functionality throughout your application. The checkLogon tag, shown in Example 11-5 and applied in Example 11-6, attempts to retrieve an object from the HTTP session stored under a certain name. The name property defaults to the value defined by Constants.USER_KEY. If the object isn't found, the tag forwards to a module-relative page specified by the page property. This value defaults to /logon.jsp.

You can use this tag in your own applications even if you store the user under a different name in the session and you want to forward to a different page. In the following snippet, the user object is stored under the name user. If the object cannot be found, the tag redirects to the Register action:

...
<%-- Check if there's a user and redirect to registration if not --%>
<app:checkLogon name="user" page="/Register.do"/>
...

Like using a base Action, this custom JSP tag only protects JSP pages on which it is included. It does not provide security for actions, static HTML pages, or other web resources.

If you implement a static HTML page as a JSP page, you can secure the page using the checkLogon tag.
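Because the tag protects only the pages that include it, a practical defender's check is to audit the JSP sources for pages that lack a live checkLogon tag. The script below is an added example, not part of the cookbook or of the Struts Mail Reader application: it resolves whatever prefix the /tags/app taglib is imported under, ignores occurrences inside JSP comments, and treats a configurable list of public pages (here only logon.jsp) as intentionally unprotected. The JSP contents are constructed for the example.

```python
import re

APP_TAGLIB_URI = "/tags/app"   # taglib URI under which checkLogon is declared (Example 11-6)
PUBLIC_PAGES = {"logon.jsp"}   # assumption: pages that must stay reachable without a session

JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)
# Either attribute order: uri="..." prefix="..." or prefix="..." uri="..."
TAGLIB_URI_FIRST = re.compile(r'<%@\s*taglib\s+[^%]*?uri="([^"]+)"[^%]*?prefix="([^"]+)"[^%]*%>')
TAGLIB_PREFIX_FIRST = re.compile(r'<%@\s*taglib\s+[^%]*?prefix="([^"]+)"[^%]*?uri="([^"]+)"[^%]*%>')

# Constructed sample sources, one string per JSP file.
SAMPLE_JSPS = {
    "mainMenu.jsp": '<%@ taglib uri="/tags/app" prefix="app" %>\n'
                    '<%-- Check if the user is logged in --%>\n<app:checkLogon/>\n<html>',
    "register.jsp": '<%@ taglib uri="/tags/app" prefix="app" %>\n'
                    '<app:checkLogon name="user" page="/Register.do"/>\n<html>',
    "report.jsp":   '<%@ taglib prefix="secure" uri="/tags/app" %>\n<secure:checkLogon/>\n<html>',
    "index.jsp":    '<%@ taglib uri="/tags/app" prefix="app" %>\n'
                    '<%-- <app:checkLogon/> --%>\n<html>',      # tag only inside a comment
    "about.jsp":    '<html><body>About us</body></html>',         # no taglib, no check at all
    "logon.jsp":    '<html><body>logon form</body></html>',       # public by design
}


def app_prefixes(source):
    """Return every prefix under which the /tags/app taglib is imported in this page."""
    prefixes = {p for uri, p in TAGLIB_URI_FIRST.findall(source) if uri == APP_TAGLIB_URI}
    prefixes |= {p for p, uri in TAGLIB_PREFIX_FIRST.findall(source) if uri == APP_TAGLIB_URI}
    return prefixes


def is_protected(source):
    """True if a checkLogon tag appears outside JSP comments, under a valid app prefix."""
    live = JSP_COMMENT.sub("", source)
    return any(re.search(rf"<{re.escape(p)}:checkLogon\b", live) for p in app_prefixes(live))


def unprotected_pages(pages, public=PUBLIC_PAGES):
    """Sorted names of pages that are neither declared public nor guarded by checkLogon."""
    return sorted(name for name, src in pages.items()
                  if name not in public and not is_protected(src))


if __name__ == "__main__":
    for name in unprotected_pages(SAMPLE_JSPS):
        print(f"WARNING: {name} is not guarded by checkLogon")
```

Run it against real sources by reading each *.jsp under the web root into the dictionary in place of SAMPLE_JSPS.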


See Also

Recipe 11.1 shows you how to secure Actions in the same way that the Solution secures JSP pages.

Recipe 11.6 shows a more comprehensive mechanism, applicable to any web resource, for checking that a user is logged in.



    Jakarta Struts Cookbook
    ISBN: 059600771X
    Year: 2005