log in controller
vator
Jan 5th, 2008, 07:08 PM
Hello!!
I'm trying to write a logIn check module in a controller.
I've got a LoginController that checks if the username and password are correct or displays the loginScreen if it's the first time the user visits the site. If it's correct a session attribute, USER_NAME, is set, and then another view is presented. Normal stuff I guess...
Then all other controllers have to check if the session attribute is set; if not, the controller returns a ModelAndView object that directs it to the LoginController again, including an error message.
The class RegMenuController extends UserSessionContext. Is it better not to extend it? It calls the method checkUserContext() to check if the user is logged in.
My question now is: Is this a normal way to do this, or does anyone have a more elegant solution to this? I'd be very grateful if anyone could guide me to a better solution!!!
public class UserSessionContext {

    // Returns the login view when no user is logged in, or null when the request may proceed
    public ModelAndView checkUserContext(HttpServletRequest request) {
        HttpSession session = request.getSession();
        ModelAndView mv = null;
        // If the user is not logged in operatorstring is set to logInUser
        if (session.getAttribute("USER_NAME") == null) {
            ErrorMessage em = new ErrorMessage();
            em.setErrMsg("Fant ikke bruker");
            Map model = new HashMap();
            model.put("errorMsg", em);
            mv = new ModelAndView("login", "model", model);
        }
        return mv;
    }
}

public class RegMenuController extends UserSessionContext implements Controller {
    private ModelAndView mv;
    private Map model;

    /** Shows the regMenu view, or the login view if the user is not logged in */
    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) {
        mv = checkUserContext(request);
        if (mv == null) {
            mv = new ModelAndView("regMenu", "regMenu", null);
        }
        return mv;
    }
}
gehel
Jan 5th, 2008, 08:38 PM
A couple of things:
Security is tricky to get right. Reusing well known solutions is a big plus. Unless you have good reasons, you should have a look at Acegi (also known as Spring-Security) which is a security solution for Spring. Or have a look at the standard FORM authentication that you can configure via your web.xml.
If you really have to do authentication by hand, you should try to decouple it from the controllers. For example, use a servlet Filter that maps to all web pages (except of course to the login page) and have it redirect the request to the login page if the user isn't logged in.
If you really have to do authentication in your Controller, try to do it all in your base class (UserSessionContext). For example:
public abstract class UserSessionContext implements Controller {

    protected abstract ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response);

    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) {
        ModelAndView mv;
        HttpSession session = request.getSession();
        if (session.getAttribute("USER_NAME") == null) {
            ErrorMessage em = new ErrorMessage();
            em.setErrMsg("Fant ikke bruker");
            Map model = new HashMap();
            model.put("errorMsg", em);
            mv = new ModelAndView("login", "model", model);
        } else {
            mv = handleRequestInternal(request, response);
        }
        return mv;
    }
}
Then, your concrete controller can be much simpler, and as long as you extend "UserSessionContext", you are sure that you don't forget anything about security:
public class RegMenuController extends UserSessionContext {

    protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) {
        return new ModelAndView("regMenu", "regMenu", null);
    }
}
Oh, and by the way ... Controllers should be thread safe. So don't store any state in instance variables (like the "mv" and "map" instance variables you have in RegMenuController).
vator
Jan 6th, 2008, 06:12 AM
Thank you so much for your reply gehel! Helped me a lot!!
I will look into Acegi, but first I want to get the code to work without it...
There are some things I don't understand in your reply... Can you explain them a bit more for me please?
Your reply: Or have a look at the standard FORM authentication that you can configure via your web.xml.
Do you here mean the tag <form:form method="" commandName="" action="">
I guess you have to configure that in the dispatcher-servlet, so maybe it's something different...
I looked into the web.xml under security->Login Configuration and found something about form there. Is that what you mean...
Your reply: For example, use a servlet Filter that maps to all web pages (except of course to the login page) and have it redirect the request to the login page if the user isn't logged in.
Do you have a link to a tutorial where this is explained? Or is this what you have done in the code you posted? There is something about Filters in the web.xml file. Is this where you would make a servlet Filter.
Here is some of my mapping code in web.xml:
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>*.action</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>*.htm</url-pattern>
</servlet-mapping>
The dispatcher-servlet is like this:
<bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
        <props>
            <prop key="/logIn.action">LoginController</prop>
            <prop key="/regMenu.action">RegMenuController</prop>
            <prop key="/regUser.action">RegUserController</prop>
        </props>
    </property>
</bean>
Your reply: Oh, and by the way ... Controllers should be thread safe. So don't store any state in instance variables (like the "mv" and "map" instance variables you have in RegMenuController).
You mean, I shouldn't declare them private, just declare them inside the method?
gehel
Jan 6th, 2008, 06:34 AM
Your reply: Or have a look at the standard FORM authentication that you can configure via your web.xml.
Do you here mean the tag <form:form method="" commandName="" action="">
I guess you have to configure that in the dispatcher-servlet, so maybe it's something different...
I looked into the web.xml under security->Login Configuration and found something about form there. Is that what you mean...
That's probably it. A nice article at OnJava: http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html . I can't seem to find a good reference on the web.xml. You can have a look at WebLogic reference (http://e-docs.bea.com/wls/docs70/webapp/web_xml.html), but it's definitely not the best reference I have ever seen.
Your reply: For example, use a servlet Filter that maps to all web pages (except of course to the login page) and have it redirect the request to the login page if the user isn't logged in.
Do you have a link to a tutorial where this is explained? Or is this what you have done in the code you posted? There is something about Filters in the web.xml file. Is this where you would make a servlet Filter.
Yes, again you are right. Some documentation here: http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Servlets8.html#103101 or go directly to the JavaDoc: http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/Filter.html .
Your reply: Oh, and by the way ... Controllers should be thread safe. So don't store any state in instance variables (like the "mv" and "map" instance variables you have in RegMenuController).
You mean, I shouldn't declare them private, just declare them inside the method?
Exactly. And as a general programming rule, you should always declare your variables with the most restricted scope possible. If you can declare them inside a method, it's always better than declaring them at the class level ...
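The servlet Filter approach suggested in this thread, as an added example that is not part of the original posts. The class name LoginFilter and the web.xml registration shown in its comment are assumptions; the USER_NAME attribute, the /logIn.action path and the *.action and *.htm patterns come from the posts above.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example (hypothetical class): one login check in front of every
 * controller, so no controller can forget it. Assumed web.xml registration,
 * using the same patterns as the dispatcher servlet in this thread:
 *
 *   <filter>
 *     <filter-name>loginFilter</filter-name>
 *     <filter-class>LoginFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loginFilter</filter-name>
 *     <url-pattern>*.action</url-pattern>
 *   </filter-mapping>
 *   (repeat the filter-mapping for *.htm)
 */
public class LoginFilter implements Filter {

    // The only path served without a logged-in session
    private static final String LOGIN_PATH = "/logIn.action";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the web application, without the context path
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // getSession(false) avoids creating a session for anonymous visitors
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("USER_NAME") != null;

        if (loggedIn || LOGIN_PATH.equals(path)) {
            chain.doFilter(request, response);   // allowed: continue to the controller
            return;
        }
        // Everything else is denied by default and sent to the login page
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    public void destroy() { }
}
```

The filter keeps no per-request state in instance fields, so it is safe to share across threads, which is the same rule given above for controllers.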
vator
Jan 7th, 2008, 07:15 AM
Thanks gehel!!
Helped me a lot. I will look into it!!
You're a champion!!