Session Tracking using J2EE

Question

I\'m trying to implement session tracking on my website. Basically I want the users to be able to login in my website using their username and their password, pass throw my webs

Answer 1

You can use Spring Security. It has all the features you require. Spring Security provides comprehensive security services for J2EE-based enterprise software applications.

The framework will authenticate and authorize the user based on the configuration done in the framework. And will automatically save the user state in the session. You don't have to explicitly deal with sessions.

Answer 2

I am confused with term session tracking, but I understand that you want to allow users to access protected resources.

What you need is to define roles, authentication provider and mapping for secured resources. Then you can combine it in web.xml:

<security-constraint>
         <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
              <web-resource-name>WRCollection</web-resource-name>
             <url-pattern>/*</url-pattern>
     </web-resource-collection>
        <auth-constraint>
              <role-name>TutorialUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
   </security-constraint>
  <login-config>
        <auth-method>FORM</auth-method>
     <form-login-config>
              <form-login-page>/loginform.html</form-login-page>
             <form-error-page>/loginerror.html</form-error-page>
      </form-login-config>
 </login-config>
 <security-role>
    <role-name>TutorialUser</role-name>
</security-role>

See http://docs.oracle.com/cd/E19226-01/820-7627/bncby/index.html for details. This is JEE standard way.

Answer 3

You can use a servlet to login to your application.

But you need a filter to restrict access to secured pages.

Every request must pass through that filter.