allow only logged in user to access private page_问答_开发者

allow only logged in user to access private page

开发者 https://www.devze.com 2023-02-05 18:22 出处：网络

I am working on a MIS project and currently i am creating a login system for that. I am using servlet on server side and jquery on client side for ajax calls.

their is a login page which first checks the login status through an ajax call and if user is already logged in then it changes the page location to 'services.html'.

when services.html loads i am again checking the login status and if user is not logged in then i am changing the page location to 'Login.html' using

document.location='Login.html'开发者_JAVA技巧;

The code looks like this

$(document).ready(function() {
$("#login").hide();
    $.post("checkLogin",function(xml) {
    var status = $(xml).find("result").text();
    if (status == "yes") {
       document.location='Login.html';
    }
    else{
        // Do Nothing.
    }
});

Now the problem with the services.html page is that it checks the login status after the full page is loaded into the browser.

I don't know any other good way to restrict Non Logged-In users to access 'services.html' page . As this project is quite big , i have to create a large number of private pages similar to 'services.html' Like 'stuInfo.html' For accessing Student Information etc.

Anyone please tell me any good way for this.

You should check this in the server side, not in the client side. JavaScript runs at client side and is disableable, hackable and spoofable. You don't want your application to be that weak.

Put all the restricted pages in some folder, e.g. /secured and then create a Filter which is mapped on an <url-pattern> of /secured/* and checks the presence of the logged-in user in the doFilter() method.

An example can be found in the servlet-filters tag info page.

Look into Spring Security.

In your case, you're almost certainly going to be using some sort of form-based authentication, but it also supports HTTP authentication.

Authentication is something that is best done at the app server or framework level. J2EE containers and frameworks (like Spring mentioned above) do the leg work, so you just configure what pages lie withing and what pages lie outside the authenticated area.

Plain old servlets can be used for authentication etc, but remember there will be issues you will run into as you expand your app. One way to do it using servlets is to have all your privileged pages behind a /loggedin/services.html.

Then you have a servlet defined for /loggedin/... which redirects to the login page if the authentication params cannot be found in the session, or request or however you are doing it.

Hope that helps