Session Tracking using J2EE

余生颓废 submitted on 2019-12-13 07:19:55

Question


I'm trying to implement session tracking on my website. Basically I want the users to be able to log in to my website using their username and their password, pass through my website pages (only available for logged-in users) and then log out. Currently I'm thinking about what is the right architecture to accomplish this. So, is it right to do it like this: use a servlet which validates whether the user is logged in or not or if this one is doing a login using a httpSession object (kinda like this example here: http://www.tutorialspoint.com/servlets/servlets-session-tracking.htm). In case of a login attempt the servlet validates the username and password by calling a stateless session bean (which validates the username and password based on my database).

Also every time the user wants to "travel" to another page on my website that is only visible to logged-in users, the request must go to the servlet to validate whether the user is logged in or not and then retrieve the new page.

Is this the right way to do it? If not, how can I accomplish this?

Thanks a lot.


Answer 1:


I am confused by the term session tracking, but I understand that you want to allow users to access protected resources.

What you need is to define roles, an authentication provider and a mapping for secured resources. Then you can combine it in web.xml:

<security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>WRCollection</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>TutorialUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/loginform.html</form-login-page>
        <form-error-page>/loginerror.html</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>TutorialUser</role-name>
</security-role>

See http://docs.oracle.com/cd/E19226-01/820-7627/bncby/index.html for details. This is the JEE standard way.




Answer 2:


You can use a servlet to log in to your application.

But you need a filter to restrict access to secured pages.

Every request must pass through that filter.




Answer 3:


You can use Spring Security. It has all the features you require. Spring Security provides comprehensive security services for J2EE-based enterprise software applications.

The framework will authenticate and authorize the user based on the configuration done in the framework, and will automatically save the user state in the session. You don't have to explicitly deal with sessions.



Source: https://stackoverflow.com/questions/22503711/session-tracking-using-j2ee
