1

I'm checking the login status of a user (permissions) and I would like to redirect him to another page if he hasn't the correct permissions to visit a particular .jsp page.

Is it safe to use `<c:redirect>` from JSTL? Will the user be redirected at 100% or will he maybe receive the HTML output of my JSP page?

In php, just to be sure, I would place an exit(); after the HEADER redirect. However, since I'm using MVC with asp and servlets, I don't want to place Java inside my .jsp pages.

Bedo
  • what about forward? http://stackoverflow.com/questions/2591918/java-servlet-difference-between-send-redirect-and-forward-in-servlets – HRgiger Feb 02 '12 at 22:40

3 Answers

1

If you're using MVC, the redirect should not be done in a JSP, with the JSTL. Not that it wouldn't work, but it's just not the responsibility of the view to issue a redirect. It's the responsibility of the controller.

Redirecting from the JSP could fail if some part of the response has already been flushed.

Make it in the controller servlet, using response.sendRedirect().

JB Nizet
  • Mmm I'm not sure about this: How can I call a servlet with some parameters in the request without the user action on a form? Plus: "Redirecting from the JSP could fail if some part of the response has already been flushed." what does this mean? The user will see the content of the page? Of course the redirect is placed at the head of the .jsp file... – Bedo Feb 02 '12 at 22:56
  • The point of the MVC architecture is to have every request handled by a controller, written in Java, and then have this controller dispatch to a view, implemented by a JSP. If that's not what you're doing, then you aren't using MVC. With the c:redirect as the first thing a JSP does, you shouldn't have any problem. Why not test it? – JB Nizet Feb 02 '12 at 23:03
  • Yes, of course I've tested it and it works but I'm not sure if it is a safe approach if a user has malicious intentions or if an error happens on the server during the generation of the page. Does it look quite secure? – Bedo Feb 02 '12 at 23:14
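The controller-side check recommended in this answer, as an added example (not code from the question or from any answer on this page). The servlet URL, the `User` class, the `"user"` session attribute, the `report:view` permission name and the `/WEB-INF/views/report.jsp` path are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical controller for one restricted page.
@WebServlet("/app/report")
public class ReportController extends HttpServlet {

    /** Hypothetical session object; stands in for the application's own user class. */
    public static class User implements Serializable {
        private final Set<String> permissions;
        public User(Set<String> permissions) { this.permissions = permissions; }
        public boolean hasPermission(String name) { return permissions.contains(name); }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // getSession(false): do not create a session just to learn there is none.
        HttpSession session = req.getSession(false);
        Object attr = (session == null) ? null : session.getAttribute("user");

        if (!(attr instanceof User)) {
            // Nothing has been written yet, so the response is not committed and
            // sendRedirect() cannot throw IllegalStateException here.
            res.sendRedirect(req.getContextPath() + "/login.jsp");
            return; // sendRedirect() does not end the method; this is the PHP exit() step
        }
        if (!((User) attr).hasPermission("report:view")) {
            // Logged in but not allowed: answer 403 and never touch the view.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Only authorised requests reach the JSP. Files under /WEB-INF are not
        // served to direct requests, so the page cannot be fetched around this check.
        req.getRequestDispatcher("/WEB-INF/views/report.jsp").forward(req, res);
    }
}
```

Because the decision is made before the view runs, the JSP's HTML is never generated for a rejected request, whatever the response buffer size.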
1

> I'm checking the login status of a user (permissions) and I would like to redirect him to another page if he hasn't the correct permissions to visit a particular .jsp page.

The canonical approach is to use a servlet Filter for this. You need to group those restricted pages behind a common URL pattern, e.g. /app/*, /secured/*, /private/* or whatever and then map the Filter on exactly that URL pattern which does roughly the following in the doFilter() method (assuming that you're storing the logged-in user in the session the usual way).

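```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/app/*")
public class AuthenticationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (req.getSession().getAttribute("user") != null) {
            // User is logged in, so just continue request.
            chain.doFilter(request, response);
        } else {
            // User is not logged in, so redirect to some index/login page.
            res.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }

    // Lifecycle methods required by the Filter interface; nothing to set up here.
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```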

This keeps the JSPs free from copypasted clutter and workarounds to prevent the response from being committed before the redirect.

BalusC
0

If you do a redirect, user can see the HTML output if you are printing. Better approach could be using forward where the user won't be able to see any of the output.

Ravindra Gullapalli
  • Using from JSTL at the beginning of the page, will let the entire html of the .jsp page be visible? – Bedo Feb 02 '12 at 23:00
  • That depends on the response speed. But chances are there that the entire page is visible. – Ravindra Gullapalli Feb 02 '12 at 23:01
  • Are you sure about this? I'm not talking about , I'm talking about using from JSTL. – Bedo Feb 02 '12 at 23:15
  • Yes. More info you can find [Here](http://www.ibm.com/developerworks/java/library/j-jstl0318/). Search for **Request redirection** in that page – Ravindra Gullapalli Feb 02 '12 at 23:20
  • You are right. Thanks a lot. Now I'm using (that will change the user browser page) followed by a . Every line in the .jsp file after the forward will not be processed. – Bedo Feb 03 '12 at 14:29