Application auth vs Server auth



  1. Application auth vs Server auth (4 messages)


    I'm working on a user administration.
    Now, my problem is the following:

    I have a Struts action which checks if a user is logged in when a user wants to access a JSP which can only be accessed by registered users. If the user is logged in, the Action redirects to the JSP.
    But when the user enters the JSP site in his browser manually, he can access it without being logged in, because the Action is not executed.

    I know I can create realms on the application server to protect JSPs.

    But how can I combine these two techniques, meaning that the user cannot manually enter the JSP in the browser to access it?

    Any suggestions or better solutions?



  2. Application auth vs Server auth

    Usually, using a filter as defined in Servlet 2.3.
    Filters are executed before servlets (therefore, before Struts actions).
    Check the SecurityFilter project at for a cool implementation.

    Cheers and happy coding,
  3. ...

    But how can I prevent users from entering the JSP URL manually in the browser to access it?
    I think realms and roles are used here, but how can I combine this with my application?
  4. ...

    Use the HTTPSession or a SessionBean(stateful)

    boolean isUserLoggedIn() {

  5. ...

    Use the HTTPSession with some JavaBean object or a SessionBean (stateful)

    // Login state kept in the session-scoped bean
    private boolean loggedIn = false;

    public void setLoggedIn(boolean b) {
      loggedIn = b;
    }

    public boolean isUserLoggedIn() {
      return loggedIn;
    }

    good luck!