
I have created a web application. Everything works fine. But if the user is not logged in, they can still access other JSP pages through the URL. I want to stop URL access. I saw some examples that show the usage of filters. I'm new to filters and I don't know how to implement it. I'm using servlets, DAO and JSP pages.

Please suggest how to do it. I want to make one filter for all the JSP or servlet pages.

web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
  <display-name>MBO</display-name>
  <filter>
    <filter-name>MyFiltersDAO</filter-name>
    <filter-class>Model.MyFiltersDAO</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>MyFiltersDAO</filter-name>
    <url-pattern>/secret/*</url-pattern>
  </filter-mapping>
  <welcome-file-list>
    <welcome-file>Login.jsp</welcome-file>
  </welcome-file-list>
</web-app>

Class:

public class MyFiltersDAO {
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String abc = (String) req.getSession().getAttribute("Username");
        if (null == ((String) req.getSession().getAttribute("Username")) || ((String) req.getSession().getAttribute("Username")).equals("")) {
            chain.doFilter(req, resp);
        } else {
            resp.sendRedirect("/Login.jsp");
        }
    }

    public void destroy() {
    }
}

When I run the project, it shows an HTTP 404 error.

Karthik
  • Have you tried using a session? – Vikram Saini Jun 20 '17 at 05:58
  • This link can be useful for you: https://www.javatpoint.com/authentication-filter – Sunil Kanzar Jun 20 '17 at 06:05
  • You might have a look at Spring Security, even if you're not using Spring (and you really shouldn't be hand-coding servlets when useful frameworks are available). – chrylis -cautiouslyoptimistic- Jun 20 '17 at 06:06
  • Put JSP files into the WEB-INF folder so the user can't access them directly. And use HttpSession to store the logged-in user – Jay Smith Jun 20 '17 at 06:14
  • I had the same issue. I used the code in this link under "disable direct access of jsp page - JavaServer Pages (JSP) and JSTL": https://java.databasedevelop.com/article/11412792/disable+direct+access+of+jsp+page (see the code added to the web.xml file). This works for me perfectly. Only if a person clicks on a link, the user can access the page, but if the user puts the .jsp page in the url, the user will not have access, and it will throw a "HTTP Status 403 – Forbidden" error, which is what I want. – myverdict Oct 01 '20 at 16:32

1 Answer


You can give sessions a try. Suppose when a user logs in, you can set a session attribute like

if (loggedIn) {
    session.setAttribute("username", username);
}

And in your JSP you can validate when the page loads that the session is not null; only then should that page be accessed, else redirect the user to the home page

if (session.getAttribute("username") != null) {
    // user is logged in: show the page
} else {
    response.sendRedirect(url);
}

UPDATE: You can do it using

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    HttpSession session = request.getSession();
    // loggedIn and user come from your own credential check
    if (loggedIn) {
        session.setAttribute("username", user);
        response.sendRedirect("index.jsp");
    }
}

In your index.jsp:

<%
if (session.getAttribute("username") != null) {
    // your code
} else {
    // your code
}
%>
Vikram Saini
  • Hi, how can I call this class from a servlet? – Karthik Jun 20 '17 at 06:10
  • In your servlet the httpresponse object is already created by default in the get and post methods; you just need to make a session object like Httpsession session=response.getSession(); and then set the session as session.setAttribute(arg1,arg2). In your JSP you can directly use session.getAttribute(arg1) inside a scriptlet – Vikram Saini Jun 20 '17 at 06:13
  • Hi, @Vikram Saini, can you please provide me code for this? I am new to Java, please help me out – Karthik Jun 20 '17 at 06:18
  • I have updated the answer – Vikram Saini Jun 20 '17 at 06:25
  • I did it. Without login, pages are not accessible; it redirects to the login page. But when I log in with user name and password, it does not open the next page. Where did I make a mistake, can you please tell me? – Karthik Jun 20 '17 at 06:36
  • Then maybe your credentials are not getting validated properly. You can debug your code and check whether the username and password are actually matching for that particular user or not. If the credentials are validated, then after that you can write response.sendRedirect("login.jsp"). Maybe you are missing it – Vikram Saini Jun 20 '17 at 06:40
  • Did you resolve your issue? – Vikram Saini Jun 20 '17 at 08:30
  • Hi, @Vikram Saini, https://stackoverflow.com/questions/44647044/when-i-access-pages-without-login-it-works-fine-but-when-i-login-page-is-not-dis. I raised another question, could you please see that link. Here I changed my code `String loginURI = req.getContextPath() + "/Login.jsp"; boolean loggedIn = session != null && session.getAttribute("Username") != null; boolean loginRequest = req.getRequestURI().equals(loginURI); if (loggedIn || loginRequest) { chain.doFilter(request, response);} else {resp.sendRedirect(loginURI); }` – Karthik Jun 20 '17 at 08:45
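
One way to write the single login filter the question asks for, as an added example that is not code from the question or the answer: it implements `javax.servlet.Filter`, is mapped to `/*`, and lets a request through only when the session holds a non-empty `Username` or the path is a public resource. The `Username` attribute and `/Login.jsp` come from the question; the class name `LoginFilter`, the `/login` servlet path and the `/static/` prefix are assumptions.

```java
package Model;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example. "Username" and /Login.jsp are taken from the question;
// LoginFilter, /login and /static/ are hypothetical names.
@WebFilter("/*") // every request, not only /secret/*
public class LoginFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Container-decoded path inside the application, not the raw request URI,
        // so encoded or dot-segment variants cannot match the allow-list.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        boolean publicResource = path.equals("/") || path.equals("/Login.jsp")
                || path.equals("/login") || path.startsWith("/static/");

        // getSession(false): never create a session for an anonymous visitor.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("Username");
        boolean loggedIn = user instanceof String && !((String) user).isEmpty();

        if (loggedIn || publicResource) {
            if (!publicResource) {
                // Keep protected pages out of browser and proxy caches after logout.
                resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            }
            chain.doFilter(request, response);
        } else {
            // Prefix the context path so the redirect stays inside this application.
            resp.sendRedirect(req.getContextPath() + "/Login.jsp");
        }
    }

    @Override
    public void destroy() { }
}
```

Pages that should never be requested directly can also live under `WEB-INF` and be reached only through a servlet forward, as one of the comments suggests.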