I'm working on an intranet-only web application (J2EE) that requires some basic security features. There will be relatively few authorized users for the site, but I still n
Sounds like you can use a simple declarative security approach.
Take a look at the Java EE Tutorial section on Securing Web Applications, particularly at the declarative security section.
To address your specific questions:
What's the simplest ... way to implement a secure session? I.E. prevent users from just directly requesting pages beyond the login screen, etc.
Declare your URLs in the webapp descriptor (web.xml) with an appropriate security role. They'll be inaccessible to unauthorized users (and an attempt to access them will bring forth a login page).
Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet?
All that will be completely unnecessary; the servlet container will do it for you behind the scenes.
What about preventing users from getting JSP files and forcing them to use a servlet for all requests?
As long as JSPs never need to be accessed publicly (e.g. you're forwarding to them from within your servlet; you're never redirecting to a JSP), you can declare their URLs in a collection with a security role that is never actually assigned to a user.
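
The declarative setup described in the answer above, as an added example that is not part of the original answer. The role names (`appuser`, `nobody`), the URL layout (`/app/*`, `/jsp/*`) and the login page paths are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml (added example; role names, URL patterns and page paths are assumptions) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Everything served by the servlet requires the "appuser" role.
       An unauthenticated request is sent to the login page by the container. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <!-- No <http-method> elements: the constraint then covers every HTTP method.
           Listing only GET and POST would leave the other methods unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>appuser</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- View JSPs are guarded by a role that is never assigned to any user, so a
       direct client request is refused. Constraints apply to client requests only,
       not to RequestDispatcher.forward()/include() from the servlet. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>View JSPs</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form login handled by the container; both pages sit outside the constraints. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced above must be declared. -->
  <security-role><role-name>appuser</role-name></security-role>
  <security-role><role-name>nobody</role-name></security-role>
</web-app>
```

An empty `<auth-constraint/>` element on the JSP collection has the same deny-all effect without needing the placeholder role. Users and their role assignments are configured in the servlet container's realm, not in web.xml.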