Reputation: 3401
I'm working on a Tomcat 7 JSP app and am using application-level authentication, i.e. the user logs into a form that I check against a database. Then I set a user bean in the session to log them in.
It seemed the logical thing to do at the time. But now I'm questioning myself... I'm getting bogged down in the details.
e.g. I check that the user is logged in on each secure page. If not, I redirect to the login page. Then the login returns them to the secure page. This has issues if the session times out.
e.g. The user edits a form (basic CRUD). Then the phone rings. After the call, they submit the form but without a valid session. The action redirects to the login. But after login the form variables are blank and they create an empty row in the table...
I can think of ways to deal with this situation but now I'm wondering if it's a wild goose chase. Is there a better way?
Looking for alternatives. Thanks
Upvotes: 1
Views: 132
Reputation: 4873
Just my 2 cents. Here's what I would do.
1) Well, instead of just relying on the session variable alone, you can create a cookie to log other details like the UserName, lastAccessedPage, etc.
2) Don't handle authentication at the JSP; rather, move the logic to a Servlet Filter, which should ideally check if the session is valid for all requests.
3) So when the session times out during submission of the form, the parameters are still submitted; it's just that this will be intercepted by the Filter. In the Filter you could create a temp session variable with a key like userid_pagetype (to make it unique) to store all the request data (i.e. request params and request param values).
With this setup in place you can populate the fields when he lands on the form again.
Upvotes: 2
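
The filter approach from the answer above, as an added example that is not part of the original thread and not written by either poster. The URL pattern `/secure/*`, the `/login.jsp` path, and the session attribute names `user` and `pendingForm:<uri>` are assumptions; the key uses the request URI because the user id is not known once the session has expired.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example for Servlet 3.0 (Tomcat 7). All paths and attribute names are assumed.
@WebFilter("/secure/*")
public class AuthFilter implements Filter {
    private static final int MAX_FIELDS = 50;      // bound what an unauthenticated client can park in a session
    private static final int MAX_VALUE_LEN = 4096;

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);

        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);              // authenticated: let the JSP or action run
            return;
        }
        // No valid login. The chain is not invoked, so the action cannot write an empty row.
        if ("POST".equalsIgnoreCase(req.getMethod())) {
            req.getSession(true).setAttribute("pendingForm:" + req.getRequestURI(), snapshot(req));
        }
        res.sendRedirect(req.getContextPath() + "/login.jsp");
    }

    // Copy the submitted fields so the form can be re-populated after login.
    private static Map<String, String[]> snapshot(HttpServletRequest req) {
        Map<String, String[]> saved = new HashMap<String, String[]>();
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            if (saved.size() >= MAX_FIELDS) break;
            if (e.getKey().toLowerCase().contains("pass")) continue; // never keep password fields
            String[] vals = e.getValue().clone();
            for (int i = 0; i < vals.length; i++) {
                if (vals[i].length() > MAX_VALUE_LEN) vals[i] = vals[i].substring(0, MAX_VALUE_LEN);
            }
            saved.put(e.getKey(), vals);
        }
        return saved;
    }
}
```

After login, the form JSP reads and removes the `pendingForm:<uri>` attribute to pre-fill its fields, so the user reviews and resubmits the data with a valid session; the saved POST is not replayed automatically.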