The problem is that the requested page is been loaded from the browser cache instead of straight from the server. You just need to instruct the browser to not cache all the restricted JSP. This way the browser is forced to request the page from the server instead of from the cache and hence all login checks on the server will be executed. <\/p>\n
You can do this using a Filter which sets the necessary response headers in the doFilter() method:<\/p>\n
\r\n@WebFilter\r\npublic class NoCacheFilter implements Filter \r\n{\r\n @Override\r\n public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException \r\n {\r\n HttpServletResponse response = (HttpServletResponse) res;\r\n response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); \r\n response.setHeader("Pragma", "no-cache"); \/\/ HTTP 1.0.\r\n response.setDateHeader("Expires", 0); \/\/ Proxies.\r\n chain.doFilter(req, res);\r\n }\r\n \/\/ ...\r\n}\r\n<\/pre>\nMap this Filter on an url-pattern of interest, for example *.jsp.<\/p>\n
\r\n@WebFilter(\"*.jsp\")\r\n<\/pre>\nOr if you want to put this restriction on secured pages only, then you should specify an URL pattern which covers all those secured pages. For example, when they are all in the folder \/app, then you need to specify the URL pattern of \/app\/*. <\/p>\n
\r\n @WebFilter(\"\/app\/*\")\r\n<\/pre>\nEven more, you can do this job in the same Filter as where you’re checking the presence of the logged-in user.<\/p>\n
Complete Authentication Filter<\/strong>
\nThe filter (the interceptor) shouldn’t check the validity of the username\/password combo. That’s the responsibility of the servlet (the controller).<\/p>\nThe filter should merely check if the user is logged-in or not (usually by just checking the presence of a session attribute) and then continue the request or block it by redirecting back to the login page.<\/p>\n
\r\n@WebFilter("\/*")\r\npublic class LoginFilter implements Filter {\r\n\r\n @Override\r\n public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException { \r\n HttpServletRequest request = (HttpServletRequest) req;\r\n HttpServletResponse response = (HttpServletResponse) res;\r\n HttpSession session = request.getSession(false);\r\n String loginURI = request.getContextPath() + "\/login";\r\n\r\n boolean loggedIn = session != null && session.getAttribute("user") != null;\r\n boolean loginRequest = request.getRequestURI().equals(loginURI);\r\n\r\n if (loggedIn || loginRequest) {\r\n chain.doFilter(request, response);\r\n } else {\r\n response.sendRedirect(loginURI);\r\n }\r\n }\r\n\r\n \/\/ ...\r\n}\r\n<\/pre>\nThe servlet should collect the submitted data, find the associated User in database and if found then store it as a session attribute and then redirect to the home page, else redisplay the form with validation errors.<\/p>\n
\r\n@WebServlet("\/login")\r\npublic class LoginServlet extends HttpServlet {\r\n\r\n @EJB\r\n private UserService userService;\r\n\r\n @Override\r\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\r\n request.getRequestDispatcher("\/WEB-INF\/login.jsp").forward(request, response);\r\n }\r\n\r\n @Override\r\n protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\r\n String username = request.getParameter("username");\r\n String password = request.getParameter("password");\r\n Map<String, String> messages = new HashMap<String, String>();\r\n\r\n if (username == null || username.isEmpty()) {\r\n messages.put("username", "Please enter username");\r\n }\r\n\r\n if (password == null || password.isEmpty()) {\r\n messages.put("password", "Please enter password");\r\n }\r\n\r\n if (messages.isEmpty()) {\r\n User user = userService.find(username, password);\r\n\r\n if (user != null) {\r\n request.getSession().setAttribute("user", user);\r\n response.sendRedirect(request.getContextPath() + "\/home");\r\n return;\r\n } else {\r\n messages.put("login", "Unknown login, please try again");\r\n } \r\n }\r\n\r\n request.setAttribute("messages", messages);\r\n request.getRequestDispatcher("\/WEB-INF\/login.jsp").forward(request, response);\r\n }\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"The problem is that the requested page is been loaded from the browser cache instead of straight from the server. You just need to instruct the browser to not cache all the restricted JSP. This way the browser is forced to request the page from the server instead of from the cache and hence all… Continue reading