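/*
 * Every protected resource should implement this: the servlet checks the session
 * for a logon marker before serving anything; otherwise it records the requested
 * URL as the post-login target and redirects to the log-in page.
 */
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards a resource behind the session-based login established by LoginHandler.
 * Not logged in: store the requested URL under {@code login.target} and redirect
 * to {@code /login.html}. Logged in: emit the protected content.
 */
public class ProtectedResource extends HttpServlet {

    /** Session attribute set by LoginHandler on success; absent means not logged in. */
    static final String LOGON_DONE_ATTR = "logon.isDone";

    /** Session attribute holding the URL to return to after a successful login. */
    static final String LOGIN_TARGET_ATTR = "login.target";

    /**
     * Serves the protected content, or redirects an unauthenticated client to the
     * log-in page after remembering where it wanted to go.
     *
     * @param req current request; its session carries the logon marker
     * @param res response used either for the redirect or for the content
     * @throws ServletException propagated from the servlet container
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);

        // Any non-null value marks a completed logon (LoginHandler stores the user name).
        if (session.getAttribute(LOGON_DONE_ATTR) == null) {
            // Remember the full requested URL (getRequestURL() omits the query
            // string, so append it) so the user lands back here after logging in.
            // req.getRequestURL() replaces the deprecated HttpUtils helper.
            StringBuffer target = req.getRequestURL();
            String query = req.getQueryString();
            if (query != null) {
                target.append('?').append(query);
            }
            session.setAttribute(LOGIN_TARGET_ATTR, target.toString());
            // A server-relative location lets the container build the absolute URL
            // instead of echoing the client-supplied Host header into the redirect.
            res.sendRedirect("/login.html");
            return;
        }

        // Only an authenticated user reaches this point.
        res.setContentType("text/plain");
        // Protected output must not be retained by shared caches.
        res.setHeader("Cache-Control", "no-store");
        PrintWriter out = res.getWriter();
        out.println("Credential Content displays here.");
    }
}

/*
 * Log-in Page (login.html)
 *
 * <HTML>
 * <TITLE>Login</TITLE>
 * <BODY>
 * <FORM ACTION=/servlet/LoginHandler METHOD=POST>
 * <P>Name: <INPUT TYPE=text NAME="name" VALUE="" SIZE=15>
 * <P>Password: <INPUT TYPE=password NAME="passwd" VALUE="" SIZE=15>
 * <INPUT TYPE=submit VALUE="OK">
 * </BODY>
 * </HTML>
 *
 * How it works: any page first checks for the authentication and authorization
 * of the user. If the check fails, a redirect to the log-in page occurs, and the
 * target after a successful log-in is set to the current page in a session
 * object. The log-in page asks the user for a username and password and sends
 * these two to the log-in handler (LoginHandler, accessible from the log-in
 * page, which sets the name and passwd parameters).
 */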
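/*
 * After a successful check of the log-in in LoginHandler, the user is redirected
 * to the log-in target already set in the session.
 */
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Receives the {@code name} and {@code passwd} parameters posted by login.html,
 * checks them, marks the session as logged in and sends the user back to the
 * page they first tried to access.
 */
public class LoginHandler extends HttpServlet {

    /** Session attribute set on success; ProtectedResource tests it for non-null. */
    static final String LOGON_DONE_ATTR = "logon.isDone";

    /** Session attribute ProtectedResource fills with the originally requested URL. */
    static final String LOGIN_TARGET_ATTR = "login.target";

    /**
     * Handles the posted login form.
     *
     * @param req carries the {@code name} and {@code passwd} parameters
     * @param res receives either the "Access Denied" page or a redirect
     * @throws ServletException propagated from the servlet container
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        String passwd = req.getParameter("passwd");

        // A missing parameter can never be a valid login; otherwise defer to allowUser.
        if (name == null || passwd == null || !allowUser(name, passwd)) {
            res.setContentType("text/html");
            PrintWriter out = res.getWriter();
            out.println("<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD>");
            out.println("<BODY>Your login and password are invalid.<BR>");
            out.println("You may want to <A HREF=\"/login.html\">try again</A>");
            out.println("</BODY></HTML>");
            return;
        }

        // Valid login. Read the target saved before authentication, then discard
        // that session: the id handed out to an unauthenticated client must not
        // become the id of the authenticated one (session fixation).
        String target = null;
        HttpSession preLogin = req.getSession(false);
        if (preLogin != null) {
            Object saved = preLogin.getAttribute(LOGIN_TARGET_ATTR);
            if (saved instanceof String) {
                target = (String) saved;
            }
            preLogin.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(LOGON_DONE_ATTR, name); // marker object read by ProtectedResource

        // The original returned unconditionally inside the try, so the home-page
        // fallback never ran for a null target; branch explicitly instead.
        if (target != null && isLocalTarget(target, req.getServerName())) {
            res.sendRedirect(target);
        } else {
            // No usable target: fall back to the site's home page. A server-relative
            // location keeps the client's Host header out of the redirect URL.
            res.sendRedirect("/");
        }
    }

    /**
     * Reports whether {@code target} stays on this site. ProtectedResource writes
     * the target itself, so this guards against any other writer of the session
     * attribute turning the post-login redirect into an open redirect.
     *
     * @param target URL saved in the session, absolute or server-relative
     * @param serverName host name of the current request
     * @return {@code true} only for a plain server-relative path or an absolute
     *     URL whose host equals {@code serverName}
     */
    static boolean isLocalTarget(String target, String serverName) {
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getHost() == null) {
            // No authority: accept plain server-relative paths, reject scheme-relative
            // ("//host/...") and opaque ("scheme:...") forms.
            return uri.getScheme() == null
                    && target.startsWith("/")
                    && !target.startsWith("//");
        }
        return uri.getHost().equalsIgnoreCase(serverName);
    }

    /**
     * Decides whether {@code user}/{@code passwd} is an acceptable login.
     * This is a placeholder that accepts every caller; a deployment must replace
     * it with a real check against stored credentials before ProtectedResource
     * protects anything.
     *
     * @param user submitted user name
     * @param passwd submitted password
     * @return {@code true} always in this placeholder
     */
    protected boolean allowUser(String user, String passwd) {
        return true; // trust everyone
    }
}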