Article
The JSP Files - Parts 1 to 8: Tagged and Bagged
Page: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 Next
Access Denied
Here's another simple example which demonstrates some of the methods above, and also illustrates how JSP sessions can be used to protect Web pages with sensitive information.
This example presents a form ("start.html") asking for your name, and takes you to a new page ("login.jsp") once you submit the form. "login.jsp" creates a session to store the name you entered, and offers a link to "rootshell.jsp", which is the sensitive file to be protected.
So long as the session is active, any attempt to access the page "rootshell.jsp" will succeed. On the flip side, if a session is not active, any attempt to access "rootshell.jsp" by bypassing the initial form will fail, and the user will be redirected to "start.html".
This is a relatively primitive example, but serves to demonstrate one of the more common uses of session variables.
All the redirection in this example is accomplished using the Response object (you remember this, don't you?)
<html>
<head>
<basefont face="Arial">
</head>
<body>
<!-- start.html -->
<form action="login.jsp" method="post">
<table>
<tr>
<td>Your name</td>
<td><input type=text name=username> <input
type="Submit" value="Click me"></td> </tr>
</table>
</form>
</body>
</html>
Once the form is submitted, "login.jsp" takes over.
<html>
<head>
<basefont face="Arial"
</head>
<body>
<%
// get the form variable
String username = request.getParameter("username");
// create a session
session.putValue("username", username);
// set a timeout period
session.setMaxInactiveInterval(300);
// display a link to the protected file
out.println("Thank you for using this service.");
out.println("Click <a href=rootshell.jsp>here</a> for
root access"); %>
</body>
</html>
And here's the top-secret page.
<html>
<head>
<basefont face="Arial">
</head>
<body>
<%
// rootshell.jsp
// get the username from the session
String username = (String)session.getValue("username");
// if null, security breach!
if (username == null)
{
response.setHeader("Location", "start.html");
}
else
{
// display the protected page
%>
Welcome to your root shell, <b><%= username %></b>!
<p>
Your session ID is <% out.println( session.getId() ); %>
<p>
This session will expire in <% out.println(
session.getMaxInactiveInterval() ); %> seconds.
<%
}
%>
</body>
</html>
To test this, first log in and find your way to "rootshell.jsp" - you should have no trouble accessing it. Then close the browser, start it up again, and try to get to "rootshell.jsp" without going through the login process; you should be automatically redirected to the login page.
And that's about it. You should now have a pretty clear idea of how JSP attempts to solve the "stateless protocol" problem, together with some understanding of how to create and use both client-side cookies and server-side sessions. Go practice!
Note: All examples in this article have been tested on Linux/i586 with Tomcat 3.2 and JServ 1.1. Examples are illustrative only, and are not meant for a production environment. YMMV!
Copyright Melonfire, 2000. All rights reserved.