OOP-Research: Make It Simpler by Object Oriented Programming

OOP LoginManager: Session tracking without Cookie / User authentication without Realm / Access Privilege on JSP and Servlet

A Java API for access privilege control and session management (transaction tracking) in JSPs or Servlets on Apache Tomcat: user authentication and session management without cookies.

No more Cookie! No more Realm! You may have shouted this during your JSP/Servlet programming. But don't worry. Voilà, OOP LoginManager! OOP LoginManager takes over the tedious tasks required for access privilege control and session management.

Thanks to the easy programming interface of this Java API, a few lines of code are enough for session tracking in your JSP or Servlet without cookies. A unique session ID is issued only to an authenticated user, and subsequent requests to your JSP or Servlet are verified against this session ID. The session ID then tells your JSP or Servlet who the user is and which groups (roles) s/he belongs to. Of course, as with the HttpSession object, you can associate any Java object with the session ID.

The user name, password and groups (or roles) are read from an SQL table through a JDBC PreparedStatement, and you can update this information on demand while your server is running. Your JSP or Servlet no longer needs to depend on the user authentication mechanism implemented by the JSP/Servlet server, such as BASIC or FORM authentication against a Realm in Apache Tomcat.

Putting it all together: OOP Bento framework

This Java API is now a part of the OOP Bento framework. In this XML-driven MVC framework, you can write all the GUIs of a web application in plain HTML, XHTML, WML, HDML or any other mark-up language, and you no longer need to bother about user authentication and session tracking. Because its full working source code example is a good starting point for this Java API, please also visit the web site of the Bento framework.

What is it?

Given a pair of user name and password, this API issues a unique session ID for each user login. In the HTTP response from your Servlet/JSP, the generated session ID:

  • can be embedded as a HIDDEN input parameter in the CGI FORM for the next HTTP POST request, or
  • can be appended to the query string of the URL for the next HTTP GET request, similar to the servlet container's URL rewriting.
Or you may store the ID in the HttpSession if your web application already depends on cookies. Either way, on the destination Servlet/JSP this API verifies the session ID and can tell you the user's identity. Your Servlet/JSP can associate any Java object with each session ID as a key and refer to it in subsequent HTTP requests, just as you do with the HttpSession object. In this way, your web applications or WAP services on Apache Tomcat can track a series of HTTP requests from each user, independently of cookies and Realms.

In addition to the user name, this API can list the groups to which the user belongs, which makes a form of access privilege control available in your Servlet/JSP. For example, based on the user name and the groups to which s/he belongs, your Servlet/JSP can decide whether the user has enough privilege for the intended data or not. The information required for user authentication is read from an SQL table through a JDBC PreparedStatement and can be updated on demand. In this way, your web applications or WAP services are independent of the Realm mechanism implemented by the JSP/Servlet server, and more portable.


Easy programming interface

Before you start to develop your JSP/Servlet with this API, please read the Tips for the Java API from OOP-Research. These tips describe how to get an instance of the main class of this API:

  • com.oopreserch.web.login.LoginManager

At a very early stage of your web application, some Servlet/JSP should receive the HTTP POST (or GET) request carrying the user name and password. The instance of:
  • com.oopreserch.web.login.LoginManager
accepts the values of these parameters and checks whether the given pair of user name and password is correct. Only if the pair is correct does LoginManager return a unique transaction ID. For instance,

...
// Assuming "req" is the instance of HttpServletRequest,
// "res" is the instance of HttpServletResponse, and
// "url" is the path of your login page (e.g. "/login.jsp").

// Let's get the user name and password.
String user=req.getParameter("user");
String pass=req.getParameter("pass");

// If either the user name or the password is missing,
// the request should be forwarded to the login page.
if(user==null || pass==null){
    req.getRequestDispatcher(url).forward(req,res);
    return;
}

// Assuming "login" is the instance of LoginManager,
// let's try this pair of user name and password...

String id=null;
try{
    id=login.login(user,pass);
}
catch(LoginFailedException ex){
    // We reach here if the pair of user name and
    // password is incorrect. The same page is shown
    // as for a missing parameter.
    req.getRequestDispatcher(url).forward(req,res);
    return;
}
catch(NestedException ex){
    // Something is wrong with the SQL connection.
    // Usually we never reach here. The original
    // Throwable can be extracted from NestedException.
    throw new ServletException(ex.getOriginal());
}

// Now "id" holds the generated transaction ID,
// ready to be placed into the response.
...


The returned transaction ID can be included in the HTTP response and sent back to the next Servlet/JSP as the value of a HIDDEN parameter in the CGI FORM of the next HTTP POST request. The HTTP response from your Servlet/JSP will then look like:

...
<form action="NextServlet" method="post">
<input type="hidden" name="transId" value="h3dfgc4ma">
...


Or it may be appended to the query string of the URL for the next HTTP GET request. For example, the response from your Servlet/JSP can include a link like the one below. Keep in mind that an ID carried in a URL also ends up in the browser history, in proxy and server access logs, and in the Referer header of any link the user follows from that page, so prefer the hidden FORM field wherever a POST is possible:

...
<a href="NextServlet?transId=h3dfgc4ma">Please Click Here!</a>
...


Either way, the transaction ID is available to the subsequent Servlet/JSP. Within the instance of LoginManager, the generated transaction ID is mapped to the user name and the set of groups to which s/he belongs. Given the transaction ID, the instance of LoginManager returns an instance of:
  • com.oopreserch.web.login.UserInfo
which the subsequent Servlet/JSP can use to see whether the user has enough privilege to access the intended data.

...
// Assuming "req" is the instance of HttpServletRequest,
// "res" is the instance of HttpServletResponse, and
// "url" is the path of your login page (e.g. "/login.jsp").

// Let's get the transaction ID sent back by the client.
String id=req.getParameter("transId");

// If the value of "transId" is missing,
// the request should be forwarded to the login page.
if(id==null){
    req.getRequestDispatcher(url).forward(req,res);
    return;
}

// Assuming "login" is the instance of LoginManager,
// let's try this id...

UserInfo info=null;
try{
    info=login.getInfo(id);
}
catch(InvalidIdException ex){
    // We reach here if the given ID is invalid.
    // Note that an ID also expires after the configured
    // amount of time, so an expired ID lands here too.
    req.getRequestDispatcher(url).forward(req,res);
    return;
}

// Now we can use "info" to see whether the user has
// enough privilege to access the data.
String user=info.getUser();
Set groups=info.getGroups();
...


In this way, your Servlet/JSP can check whether the request comes from a privileged user or not.
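To turn the second snippet above into actual access control, here is an added example that is not OOP-Research's code: a small guard class that wraps the LoginManager.getInfo() call and a servlet that only members of the "admin" group may reach. It uses only the calls shown on this page (getInfo, UserInfo.getUser() and UserInfo.getGroups()); the login step itself is the first snippet above. The following are assumptions, not part of the documented API: InvalidIdException is imported from the same package as LoginManager, the LoginManager instance (obtained as the Tips page describes) has been stored by your startup code as a ServletContext attribute named "loginManager", the login page is "/login.jsp", and "admin" is a group name present in your SQL table. The two classes are shown in one listing; put each in its own file.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.oopreserch.web.login.LoginManager;
import com.oopreserch.web.login.UserInfo;
// Assumption: InvalidIdException lives in the same package as LoginManager.
import com.oopreserch.web.login.InvalidIdException;

/** Verifies the transaction ID of a request and enforces group membership. */
public class TransactionGuard {
    /** Name of the hidden (or query) parameter that carries the transaction ID. */
    public static final String PARAM = "transId";

    private final LoginManager login;
    private final String loginPage;   // where unauthenticated requests are forwarded

    public TransactionGuard(LoginManager login, String loginPage) {
        this.login = login;
        this.loginPage = loginPage;
    }

    /** Verifies the ID and requires membership in "group" (null = any user).
     *  A missing, forged or expired ID is an authentication failure: forward to
     *  the login page. A valid user outside the group is an authorization
     *  failure: 403. Returns null in both cases, the UserInfo otherwise. */
    public UserInfo require(HttpServletRequest req, HttpServletResponse res, String group)
            throws ServletException, IOException {
        String id = req.getParameter(PARAM);
        if (id == null) {
            req.getRequestDispatcher(loginPage).forward(req, res);
            return null;
        }
        UserInfo info;
        try {
            info = login.getInfo(id);
        } catch (InvalidIdException ex) {
            // Treat an invalid or expired ID exactly like "not logged in".
            req.getRequestDispatcher(loginPage).forward(req, res);
            return null;
        }
        Set groups = info.getGroups();   // raw Set, as on this page
        if (group != null && (groups == null || !groups.contains(group))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return info;
    }

    /** Hidden field that carries the ID into the next POST; the value is escaped
     *  so the markup stays well-formed whatever characters the ID contains. */
    public static String hiddenField(String id) {
        return "<input type=\"hidden\" name=\"" + PARAM + "\" value=\"" + escape(id) + "\">";
    }

    /** Minimal HTML escaping for text and attribute values. */
    public static String escape(String s) {
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '&') sb.append("&amp;");
            else if (c == '<') sb.append("&lt;");
            else if (c == '>') sb.append("&gt;");
            else if (c == '"') sb.append("&quot;");
            else sb.append(c);
        }
        return sb.toString();
    }
}

/** A page that only members of the "admin" group may see (own file). */
public class AdminReportServlet extends HttpServlet {
    private TransactionGuard guard;

    public void init() throws ServletException {
        // Assumption: startup code stored the LoginManager instance under the
        // context attribute "loginManager" after obtaining it as the Tips page says.
        LoginManager login = (LoginManager) getServletContext().getAttribute("loginManager");
        guard = new TransactionGuard(login, "/login.jsp");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        UserInfo info = guard.require(req, res, "admin");
        if (info == null) return;          // the refusal has already been sent
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        out.println("<p>Report for " + TransactionGuard.escape(info.getUser()) + "</p>");
        // Hand the same ID on to the next step as a POST parameter, not in the URL.
        out.println("<form action=\"NextStep\" method=\"post\">");
        out.println(TransactionGuard.hiddenField(req.getParameter(TransactionGuard.PARAM)));
        out.println("<input type=\"submit\" value=\"Continue\"></form>");
    }
}
```

The guard deliberately separates the two refusals: a request without a valid ID is sent back to the login page, while a request from a logged-in user who lacks the group gets a 403, so the client cannot probe which group a page needs by watching for a redirect. Because the servlet only implements doPost, an ID can only arrive in the request body here; if you also accept GET links as shown on this page, the same guard works unchanged, but the ID then travels in the URL with the exposure noted above.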

For details of this API, please read:


Requirement

The following API is required:



Installation

Assuming that you are using Apache Tomcat 3.2.x for your JSP or Servlets, the typical directory structure will be:

  • (docBase)/WEB-INF/lib/loginman.jar
  • (docBase)/WEB-INF/lib/oop_util_3_1.jar
  • (docBase)/WEB-INF/lib/poolps.jar
  • (docBase)/WEB-INF/classes/LoginManager.properties
  • (docBase)/WEB-INF/classes/SimpleIdGenerator.properties
where (docBase) is the root of your web application. As for the JDBC driver, placing the JAR file under:
  • (TOMCAT_HOME)/lib
will be enough.

NOTE for JBuilder:
Please add all the jar files above to Required Libraries of your project.


Download

This API is now a part of the Bento framework. Better documentation and source code examples are available on the web site of the Bento framework, where you will also find the link to download the entire framework or each API in it.

Caution!
All the APIs for Servlet/JSP introduced on this web site are now included in the Bento framework:
  • Simpler than JSTL or Apache Struts
  • MVC framework by HTML
  • Input validation from CGI FORM
  • Easy user authentication
  • Easy localization (L10n)
To download the APIs and source code examples, please visit the web site of Bento framework.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.


ALL CONTENTS COPYRIGHT 1997-2007, OOP-Research Corporation. All rights reserved.