Design question - servlets, jsps, custom tags, html

Posted 2024-08-14 12:12:16 · 590 words · 3 views · 0 comments

I am new to servlets and jsps. I wanted to know what the best design would be for a sample problem I am trying to write code for. Here goes -

I want to create a web site (www.example.com) that just lists the login history of every user (not any functionality any one wants but just an example for the sake of one).

So there are two URLs here - /index.jsp and /login (Let's assume all registrations are done).

The index.jsp will show all the past logins for that user. But for that I have to identify if the user is already logged in or not. If the user is already logged in I show him his history, else I have to forward him to the login page automatically.

I already wrote a custom cryptographically strong cookie that will tell me if the user is logged in or not. So if the cookie is sent to me I can verify if he is authenticated or if the cookie/session has expired or not. That is not a problem.

The design problem I have is this - How should the java class checking for authentication be called? Do I use custom jsp tags for checking this and rewriting the page? I want to make the class easy for my html developers to use when creating new pages. What is the best way to do this?

I guess my question has more to do with the correct usage of java code in jsps and/or maybe custom tag libraries. Please feel free to go on as long a rant as you want to :)

Thanks for reading.

  • Vas

Comments (1)

你在我安 2024-08-21 12:12:16

You can use a Filter for this. This way you can keep the code logic at a single place without the need to unnecessarily copy-paste the same code over all JSP pages and it also keeps JSP nicely scriptlet-free.

Instead of reinventing the session by creating a cookie yourself, you can also just make use of the Java EE provided HttpSession API. This is basically already backed by a cookie and you can store Java objects in the session as attributes so that they remain available the entire user session.

On login just put the User object in HttpSession:

User user = userDAO.find(username, password);
if (user != null) {
    request.getSession().setAttribute("user", user);
} else {
    // Show error.
}

To check if a user is logged in, use a Filter. Implement the doFilter() method as follows:

if (((HttpServletRequest) request).getSession().getAttribute("user") != null) {
    chain.doFilter(request, response); // User is logged in, just continue with request.
} else {
    ((HttpServletResponse) response).sendRedirect("login"); // Not logged in, redirect to login page.
}

and map it on an url-pattern like /secured, /restricted, /users or so. Put the to-be-restricted JSP pages in the same folder in webcontent as well.

To log out a user, just remove it from the session:

request.getSession().removeAttribute("user");

// Or, more drastically, invalidate the entire session:
request.getSession().invalidate();

That said, Java EE already provides declarative (xml-config based) container managed security, you can find a tutorial about it here. You can make use of it, but if you want to let your application intercept independently on the logins managed by the container to for example keep an overview of the login history, then you still need to create a Filter. For example:

HttpServletRequest httpRequest = (HttpServletRequest) request;
Principal user = httpRequest.getUserPrincipal(); // java.security.Principal; the servlet API has no UserPrincipal type
HttpSession session = httpRequest.getSession();
if (user != null && session.getAttribute("user") == null) {
    session.setAttribute("user", user);

    // First-time login. You can do your intercepting thing here.
}
chain.doFilter(request, response);