The JSP Files (part 6): State Of Grace - Access Denied (
Page 9 of 9 )
Here's another simple example which demonstrates some of the methods above,
and also illustrates how JSP sessions can be used to protect Web pages with
sensitive information.
This example presents a form ("start.html") asking for your name, and takes
you to a new page ("login.jsp") once you submit the form. "login.jsp"
creates a session to store the name you entered, and offers a link to
"rootshell.jsp", which is the sensitive file to be protected.
So long as the session is active, any attempt to access the page
"rootshell.jsp" will succeed. On the flip side, if a session is not active,
any attempt to access "rootshell.jsp" by bypassing the initial form will
fail, and the user will be redirected to "start.html".
This is a relatively primitive example, but serves to demonstrate one of
the more common uses of session variables.
All the redirection in this example is accomplished using the Response
object (you remember this, don't you?)
<html>
<head>
<basefont face="Arial">
</head>
<body>
<!-- start.html -->
<form action="login.jsp" method="post">
<table>
<tr>
<td>Your name</td>
<td><input type=text name=username> <input type="Submit" value="Click
me"></td>
</tr>
</table>
</form>
</body>
</html>
Once the form is submitted, "login.jsp" takes over.
<html>
<head>
<basefont face="Arial"
</head>
<body>
<%
// get the form variable
String username = request.getParameter("username");
// create a session
session.putValue("username", username);
// set a timeout period
session.setMaxInactiveInterval(300);
// display a link to the protected file
out.println("Thank you for using this service.");
out.println("Click <a href=rootshell.jsp>here</a> for root access");
%>
</body>
</html>
And here's the top-secret page.
<html>
<head>
<basefont face="Arial">
</head>
<body>
<%
// rootshell.jsp
// get the username from the session
String username = (String)session.getValue("username");
// if null, security breach!
if (username == null)
{
response.setHeader("Location", "start.html");
}
else
{
// display the protected page
%>
Welcome to your root shell, <b><%= username %></b>!
<p>
Your session ID is <% out.println( session.getId() ); %>
<p>
This session will expire in <% out.println(
session.getMaxInactiveInterval() ); %> seconds.
<%
}
%>
</body>
</html>
To test this, first log in and find your way to "rootshell.jsp" - you
should have no trouble accessing it. Then close the browser, start it up
again, and try to get to "rootshell.jsp" without going through the login
process; you should be automatically redirected to the login page.
And that's about it. You should now have a pretty clear idea of how JSP
attempts to solve the "stateless protocol" problem, together with some
understanding of how to create and use both client-side cookies and
server-side sessions. Go practice!
