3 Replies Latest reply on Sep 25, 2002 6:32 PM by rockinryan

    simple Logon EJB with jsp, servlet

    mikel

      I am trying a simple application:
      Login -> ADD A FORM.

      I have 2 entity beans,
      one for username, password,
      and one for another form

      also 2 session beans.
      one for checking valid user, and
      one for adding the form data,

      the flow is like this:
      login.jsp -> servlet -> check valid user -> add form data

      My question is: how can I keep the client state, and how can I know whether the user is valid or not?

      Should I use a stateful session bean for the checking bean? But how can I get back the state from the servlet or JSP?

      thanks

        • 1. Re: simple Logon EJB with jsp, servlet
          rockinryan

          Hi Mike,

          I'm no expert with authentication and sessions but I've very recently done the sort of thing that you are asking about. Authorization is a very broad subject, with several HTTP and servlet specifications available for your use. It sounds like you are trying to use a custom servlet-based approach, so I'll try to help to that extent.

          You probably want to use a stateful session bean as the anchor between the client and server. I'm not sure if you have any reason for two session beans as you have mentioned, but you want at least one to maintain some advanced conversation state between client and server. I use mine to expose all the necessary business methods, etc.

          Here are a few tips that you probably already know:
          Avoid using entity beans in a remote client - there is a lot of RMI-IIOP overhead that you can and usually should avoid by wrapping with a session bean. Particularly with CMP.

          Always know the relationship between client and server w/r/t the Java Virtual Machine. (Assuming you're using CMP and EJB 2.0) you can make decent performance gains by implementing and using local interfaces as opposed to remote interfaces. (I run JBoss 3.0.0 and Tomcat 4.0.3, so they share a single VM and my JSP client benefits from the faster local interfaces.)


          Now, there are many ways to maintain the login state, I'll describe two approaches that should fit into what you have described. BOTH REQUIRE THAT ALL PAGES ARE JSP because we're not using HTTP-based authentication and I don't know how to bridge the gap backwards. - not an expert!

          ONE - rely on your session bean in each page:
          At the top of each JSP you'll declare a usebean tag like this:
          <jsp:useBean id="mySesBean" scope="session" class="com.yourcompany.whatever.yourSessionBean" />

          Note the "session" scope. Each page that shares this useBean tag will have access to the same session bean that you set up on your login. This is only true when the user is clicking from page to page (or using back in many cases) BUT I'm pretty sure that if they type a URL to another one of your pages the session will have been broken. - you'll have to test this if you care.

          So on each of your pages you would test that the session bean (mySesBean in this example) has some property that indicates that the user has been validated and logged in. If not forward them to a no-session, login or error page.

          TWO - If you're not interested in using your session bean on every page you can easily set session attributes at login time and then check in a scriptlet at the start of each JSP for the correct attributes.

          Here is an example of the second approach. (The first is really all about the useBean and scriptlets to access its properties wherever necessary.)

          Login page does these things:
          *Declare jsp:useBean tag* - (I do it right before for consistency):
          <jsp:useBean id="mySesBean" scope="session" class="com.yourcompany.whatever.yourSessionBean" />

          *Process the login*
          In the body of that login page process your login by whatever means you like. I tend to send the submitted form back to the same page using a hidden field that indicates a login attempt is in progress and attempt the login using my bean in some scriptlet code. You can do this across two pages if that's easier. Anyway, something like this:

          <%
          //Request parameters and the status message used below
          String loginName = request.getParameter("login_loginname");
          //assumed field name; the password input is not shown in this post
          String pwd = request.getParameter("login_password");
          String loginMsg = null;

          //The mode indicating what sort of processing we need to do
          String pageState = request.getParameter("page_state");

          if (pageState == null) {
              //out.println("NO PAGE MODE"); //my debug statement when uncommented
              //do nothing! we are just going to display the login form fields and submit button
          } else if (pageState.equals("login")) {
              if (loginName == null || loginName.equals("")) {
                  loginMsg = "You must specify your login name! If you have forgotten your account information please use the forgot my password option.";
              } else {
                  //try to login
                  boolean stat = mySesBean.login(loginName, pwd);
                  loginMsg = mySesBean.getLastStatusMsg();

                  if (stat) {
                      session.setAttribute("logged_in", "true");
                      session.setAttribute("userid", loginName);

                      //we're logged in and the session attribs are stored, need to advance to the user's index page
          %>
          <jsp:forward page="userIndex.jsp" /><%
                  } else if (loginMsg == null || loginMsg.equals("")) {
                      //not at all likely, but not a good idea to not report a failed login
                      loginMsg = "Login did not succeed. Please check your login name and password carefully.";
                  }
              }
          }
          %>

          The rest of the page is my login page, it follows this login logic. If they login successfully then they don't stay at this page, if they fail I display the login message and let them try again...

          I'm sure you know this part, but it shows the necessary hidden field and sorta completes the example:
          <form action="index.jsp" method="post" name="loginform">

          login name
          <input type="text" name="login_loginname" <% if (loginName != null) { %> value="<%=loginName%>" <%} %>>

          Password

          NOW - in the target page (userIndex.jsp) I do the following check just after the tag:

          <%
          String logState = (String) session.getAttribute("logged_in");
          if (logState != null && logState.equals("true")) {
              //debug diagnostics while I was testing this:
              out.print("logged in");
              out.print("userid is " + session.getAttribute("userid"));
          } else {
          %>
          <jsp:forward page="noSession.jsp" />
          <%
          }
          %>


          The above code would have to be placed at the top of each page that I required a logged in user. Also the logout functionality would have to remove the attributes from the session. (session.removeAttribute("logged_in");)

          If you need something different or clarification feel free to ask. Others who know way more than I feel free to correct me, etc.

          Does any of this help?
          Ryan
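
The per-page `logged_in` check from the reply above, moved into a servlet filter so that it also covers servlets and static files and cannot be forgotten on a new page. This is an added example, not code from the thread: it assumes the Servlet 2.3+ `javax.servlet` API, and `LoginRequiredFilter` and `establishLogin` are hypothetical names, while `logged_in`, `userid` and `noSession.jsp` are the ones used in the post.

```java
// Added example, not code from the thread. Assumes the Servlet 2.3+ API;
// class and method names are hypothetical.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginRequiredFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to test for one.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && "true".equals(session.getAttribute("logged_in"));

        if (!loggedIn) {
            // Stop here; the protected resource is never invoked.
            response.sendRedirect(request.getContextPath() + "/noSession.jsp");
            return;
        }
        // Keep authenticated pages out of shared and browser caches.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    // Call after a successful login, in place of the two setAttribute calls.
    // Discarding the pre-login session gives the user a fresh session ID, so
    // an ID that was known before authentication never becomes the logged-in one.
    // A session-scoped bean must be stored again on the new session.
    public static HttpSession establishLogin(HttpServletRequest request, String userid) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("logged_in", "true");
        fresh.setAttribute("userid", userid);
        return fresh;
    }
}
```

Map the filter in `web.xml` only to the URL pattern of the protected pages, leaving the login page and `noSession.jsp` outside it so the redirect cannot loop.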



          • 2. Re: simple Logon EJB with jsp, servlet
            mikel

            Thank you very much for your detailed reply,
            but I am looking for another way to build the logon. I just read something about JAAS.

            I wonder how JAAS can keep the login session, and how the role can be kept across the whole application?

            • 3. Re: simple Logon EJB with jsp, servlet
              rockinryan

              I don't know a thing about JAAS. Hopefully you can search the forums for existing posts...

              good luck,
              Ryan