1 Reply Latest reply on Mar 22, 2005 3:25 AM by john_anderson_ii

    How do I find if the current user has logged in or not?

    asty

      I have made an online shopping store using Servlets, JSP and EJBs.
      I want that when user presses 'Add to Cart' button for the first time, he is shown login page, where he has to login and every other time he is shown the shopping cart page.
      How do I find if the current user has logged in or not?
      Please tell me. I am using JBoss 3.2.1.
      Abhishek

        • 1. Re: How do I find if the current user has logged in or not?
          john_anderson_ii

           

          "Asty" wrote:
          I have made an online shopping store using Servlets, JSP and EJBs.
          I want that when user presses 'Add to Cart' button for the first time, he is shown login page, where he has to login and every other time he is shown the shopping cart page.
          How do I find if the current user has logged in or not?
          Please tell me. I am using JBoss 3.2.1.
          Abhishek



          This is a bit more complicated than it may seem, but it's not all that difficult. http://www.jboss.org/wiki/Wiki.jsp?page=JBossSXlink will probably help a lot. Basically you first need to configure JBoss to use an authentication/authorization mechanism of some sort (e.g. a .properties file, a database, etc.). That is covered under the JBossSX wiki page. Next you need to let JBoss know to protect web-accessible resources by adding code similar to the following to your web.xml file:

           <!-- The Servlet 2.3 DTD requires this order inside <web-app>:
                security-constraint, then login-config, then security-role. -->
           <security-constraint>
             <web-resource-collection>
               <web-resource-name>ShoppingCart</web-resource-name>
               <description>Allow authenticated users access to cart.jsp.</description>
               <url-pattern>/cart.jsp</url-pattern>
             </web-resource-collection>
             <auth-constraint>
               <role-name>authenticatedUser</role-name>
             </auth-constraint>
           </security-constraint>
           <login-config>
             <auth-method>FORM</auth-method>
             <realm-name>SHOP_CART</realm-name>
             <form-login-config>
               <form-login-page>/login.jsp</form-login-page>
               <form-error-page>/lierror.jsp</form-error-page>
             </form-login-config>
           </login-config>
           <security-role>
             <role-name>authenticatedUser</role-name>
           </security-role>
          


          Then you need to write login.jsp and lierror.jsp. They can be pretty simple, like:

          <!-- login.jsp -->
          <%@ page language="java" %>
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
          <HTML><HEAD><TITLE>Login to your shopping cart.</TITLE>
          </HEAD><BODY>
          <%-- The action and the field names j_username / j_password are fixed by the servlet spec. --%>
          <form method="POST" action="j_security_check">
          <table>
          <tr>
           <td>Username: </td>
           <td><input type="text" name="j_username"></td>
          </tr><tr>
           <td>Password: </td>
           <td><input type="password" name="j_password"></td>
          </tr><tr>
           <td><input type="submit" name="submit" value="Login"></td>
           <td><input type="reset" name="reset" value="Reset"></td>
          </tr>
          </table>
          </form>
          </BODY>
          </HTML>
          
          <!-- lierror.jsp -->
          <%@ page language="java" %>
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
          <HTML><HEAD><TITLE>Login to your shopping cart.</TITLE>
          </HEAD><BODY>
          <H3>You have entered an incorrect username or password</H3>
          <%-- Same form as login.jsp, so the user can retry from the error page. --%>
          <form method="POST" action="j_security_check">
          <table>
          <tr>
           <td>Username: </td>
           <td><input type="text" name="j_username"></td>
          </tr><tr>
           <td>Password: </td>
           <td><input type="password" name="j_password"></td>
          </tr><tr>
           <td><input type="submit" name="submit" value="Login"></td>
           <td><input type="reset" name="reset" value="Reset"></td>
          </tr>
          </table>
          </form>
          </BODY>
          </HTML>
          


          Don't worry about the implementation of j_security_check; that is implemented for you.

          What will happen is something like this:

          1. An un-authenticated user requests cart.jsp?action=add&item=133.
          2. The user is presented with a login page.
          3. The user enters a username and password and submits.
          4. JBossSX authenticates the user and sets the role "authenticatedUser" Subject into the user's Principal (I think?) that will allow the user access to "/cart.jsp". This is done by implementing the ideas shown in the JBossSX wiki page.
          5. The user is forwarded on to /cart.jsp?action=add&item=133.
          6. Any subsequent requests for ./cart.jsp are not prompted with a login page because the user is already authenticated and allowed to access /cart.jsp.
          7. The user is allowed to access /cart.jsp until the session is destroyed via closing the browser or calling pageContext.getSession().invalidate() from a JSP. I know there is a cleaner way to log out a user, but I haven't ever used it.
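
Added example, not part of john_anderson_ii's reply: once the container performs FORM authentication as configured above, application code can answer the original question ("is the current user logged in?") through the standard Servlet 2.3 request methods, and can log the user out by invalidating the session. The class name AuthStatusServlet and the /index.jsp redirect target are hypothetical; the role name comes from the web.xml fragment in the reply.

```java
// Added example (not from the original thread). Uses only the Servlet 2.3 API.
// Hypothetical names: AuthStatusServlet, /index.jsp.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthStatusServlet extends HttpServlet {

    // Role name taken from the <security-role> declared in web.xml above.
    private static final String CART_ROLE = "authenticatedUser";

    /** True once the container has authenticated the caller (here via j_security_check). */
    static boolean isLoggedIn(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();   // null for anonymous callers
        return p != null;
    }

    /** Reports the login state the container holds for this request. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        if (!isLoggedIn(req)) {
            resp.getWriter().println("anonymous");
            return;
        }
        // getRemoteUser() is the login name; isUserInRole() checks the mapped role.
        resp.getWriter().println("user=" + req.getRemoteUser()
                + " cartAccess=" + req.isUserInRole(CART_ROLE));
    }

    /** Logout. Handled on POST only, so a plain link or image tag cannot trigger it. */
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);   // do not create a session just to destroy it
        if (session != null) {
            session.invalidate();   // ends the authenticated session and discards cart state
        }
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}
```

Keep authorization decisions in the web.xml security-constraint; the checks in this servlet are for choosing what to display, not a replacement for the container's access control.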