I made a really simple login and session structure for reuse in my future JSP based applications. It's like this:
web.xml (the 1 minute timeout is to test my problem):
<session-config>
<session-timeout>1</session-timeout>
</session-config>
<filter>
<filter-name>Access</filter-name>
<filter-class>com.app.Access</filter-class>
</filter>
<filter-mapping>
<filter-name>Access</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>com.app.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
Access.java filter:
// Check if the page's the login or if the user logged, else asks login
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
boolean logged = httpRequest.getSession(false) != null && httpRequest.getSession().getAttribute("user") != null;
if (httpRequest.getServletPath().equals("/login") || logged)
chain.doFilter(request, response);
else
((HttpServletResponse) response).sendRedirect(httpRequest.getContextPath() + "/login");
}
Login.java servlet (authentication shortened for test):
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid())
request.setAttribute("failure", "session timeout");
request.getSession().setAttribute("user", null);
request.getRequestDispatcher("login.jsp").forward(request, response);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
request.getSession().setAttribute("user", new User());
response.sendRedirect("");
}
And the login.jsp page, at the root of WebContent, has a <form action="login" method="post">
form with appropriated innerHTML for authentication and a ${failure} field to receive a session timeout or a login failed message.
This structure works perfectly for me. It intercepts, asks for login, checks both session and authentication, etc., but there's a small flaw: if you're at the login page and refresh it (either F5 or pressing Enter at the URL) after the timeout, the page receives and shows the "session timeout" message in ${failure}.
I found no real working way yet to make it know that the previous page was the login page. Tried about five different ways without success, including request.getHeader("Referer")
and the lastWish
tag library.