Let's say I have a servlet that forwards a request to a JSP file that contains a list of products. For example, Login.java is a servlet that forwards a request (upon successful login) to Products.jsp. Now, in Products.jsp I have to check first that the user is indeed logged in:

<% if (request.getSession().getAttribute("username") == null) {
    response.sendRedirect("/store/login");
    return;
} %>

This is in order to prevent the user from seeing the products just by writing localhost:8080/store/Products.jsp. I read here some posts that it is best to avoid writing Java code in JSP files. So my question is, is there a more elegant way to solve this problem?

BalusC
Asher Saban

1 Answer

Yes - put all JSP files in WEB-INF/ (for example - WEB-INF/jsp), and only forward to them from servlets. For example, if a servlet is mapped to /foo, then its doGet() method can perform the logic you've written, and do the forward to product.jsp.

It might become too verbose with bare servlets though, so a framework like Spring MVC can be very helpful.

Generally, authentication checks are performed by a Filter though - you put a filter which checks each request and if a user is not authenticated, the filter redirects.

Bozho